
Only allow TrafficFilter connections

Last updated on 27. July 2024

This blog post will teach you why your firewall or web server should only allow TrafficFilter.de connections.

A common way to attack a website behind a reverse proxy such as TrafficFilter is to find the IP address of the origin server behind the proxy and connect to it directly, bypassing the proxy. Attackers can find this address with well-known specialized search engines such as Censys and Shodan, or by retrieving unprotected DNS records.

To solve this problem, you can configure your firewall so that connections from the Internet to your web servers are accepted only when they come from the TrafficFilter.de proxy. This is possible without further side effects thanks to HTTP headers and IP addresses.

You can find the IP addresses required for this under the following link: https://trafficfilter.de/ips.txt

As an alternative to a firewall rule, you can enforce the same restriction directly in your web server. The following is an example configuration for an NGINX web server.

server {
    listen 80;
    listen [::]:80;

    server_name example.com;

    # Allowed IPv4 addresses
    allow 45.131.109.162;
    allow 45.145.224.198;
    allow 94.130.217.86;

    # Allowed IPv6-Addresses
    allow 2a12:edc0:4:6232::1;
    allow 2a12:edc0:4:f78e::1;
    allow 2a01:4f8:13b:1ac8::/64;

    # All other connections are rejected
    deny all;

    location / {
        # Configuration for your application server
        proxy_pass http://localhost:3000;  
        # Example Proxy-Settings
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
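
The allow list above has to stay in sync with the published address list, so here is one way to generate it. This is an added example, not TrafficFilter's own tooling. It assumes ips.txt holds one address or CIDR range per line with optional # comments, and the function names, the MIN_PREFIX limits and the sample input are constructed for illustration.

```python
import ipaddress

# Constructed sample input: the addresses from the NGINX example above, in an
# assumed one-entry-per-line format (the real layout of ips.txt may differ).
SAMPLE_LIST = """\
# IPv4
45.131.109.162
45.145.224.198
94.130.217.86
# IPv6
2a12:edc0:4:6232::1
2a12:edc0:4:f78e::1
2a01:4f8:13b:1ac8::/64
"""

# Assumed sanity limits: refuse prefixes broader than these, so a corrupted
# or tampered list cannot quietly reopen the origin to the whole Internet.
MIN_PREFIX = {4: 16, 6: 32}

def parse_allowlist(text):
    """Return validated networks; raise ValueError on any bad entry."""
    networks = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if net.prefixlen < MIN_PREFIX[net.version]:
            raise ValueError(f"line {lineno}: {net} is too broad")
        networks.append(net)
    if not networks:
        raise ValueError("empty allowlist: refusing to emit 'deny all' alone")
    return networks

def render_nginx(networks):
    """Render allow directives followed by the final deny all."""
    lines = []
    for n in sorted(set(networks), key=lambda n: (n.version, n)):
        # Single hosts are written without /32 or /128, as in the example above.
        host = n.prefixlen == n.max_prefixlen
        lines.append(f"allow {n.network_address if host else n};")
    lines.append("deny all;")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_nginx(parse_allowlist(SAMPLE_LIST)), end="")
```

The output can be written to a file that the server block pulls in with NGINX's include directive, then checked with nginx -t before reloading.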

Your configuration probably also contains a section for SSL and possibly Certbot; this has been omitted here for simplicity. Since the SSL management is carried out in the proxy, it is not absolutely necessary that you also implement a certificate.

We ourselves also use the Hetzner firewall. If you are a Hetzner customer, it likewise allows you to configure your server so that only traffic from our IP addresses is let through to the specified website ports.

Following these instructions, you can now configure your web server so that it only allows TrafficFilter connections. Please also take a look at our blog for more helpful tips and tricks regarding TrafficFilter.de.