
Question Cloudflare/Plesk with home server

Daveo

Basic Pleskian
Server operating system version: Debian 12.10
Plesk version and microupdate number: 18.0.68 #2

How do I set up Cloudflare DNS with Plesk and only allow access to the webserver & Plesk panel via internal computers (my home network only)?

In Plesk, I currently have the following...

For all domains/subdomains....
Domain > Hosting/DNS > Apache & nginx
Deny access to the site: *
Excluding: 192.168.x.0/24

For Plesk panel...
Tools & Settings > IP Access Restriction Management
Denied from the networks that are not listed
127.0.0.1
192.168.x.0
<My external IP address>

The above settings allow Plesk & the webserver to be accessed only internally (within my home network).
 
Is your Plesk server within your network? If not, you won't reach your server with the internal IP address. Your router will perform NAT and you will reach the Plesk server with your public (dynamic) IPv4 address.
 
Yes, the Plesk server is within my network.

Also, my external IPv4 address is static not dynamic.
 
This is still not resolved.

I can add my external IP to the domain & subdomains 'Domain > Hosting/DNS > Apache & nginx' settings, but doesn't Cloudflare change the IP to theirs? If so, this will stop me accessing the server completely.

Is there any way of getting Cloudflare to forward the correct IP address and NOT one of its own IP addresses?
 
In your Cloudflare DNS zone you have something like this:
[Image: Cloudflare DNS zone screenshot]
You point your domain name to your public IP address, which is not on your Plesk server. You can do this with any number of domain names.
When Proxied is enabled, the visitors will receive the Cloudflare IP address from the DNS zone and will reach a Cloudflare server. That server will proxy the requests to your IP address (1.1.1.1).

In order to see the actual visitor IP address in the logs, you need to replace, at the webserver level, the requesting IP with the visitor IP address from the X-Forwarded-For header.

You get the IP addresses from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6. Before each subnet you add set_real_ip_from and after each subnet you add a ";":
set_real_ip_from 173.245.48.0/20;
After all the subnets, add:
real_ip_header CF-Connecting-IP;
real_ip_recursive on;

You can add the above to each website you host in Plesk in additional Nginx directives or set them globally in /etc/nginx/conf.d/real_ip.conf.
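
Added example, not part of the original posts: one way to turn the downloaded subnet lists into the directives described above while validating every line first, since each range under set_real_ip_from is trusted to supply the client address that the allow/deny rules then act on. The function names, MIN_PREFIX limits and sample list are assumptions made for this illustration.

```python
import ipaddress

# Constructed sample of what the two list URLs return: one CIDR per line.
# 173.245.48.0/20 is the subnet quoted in the post; the rest are documentation
# ranges or deliberately bad lines, not real Cloudflare entries.
SAMPLE_LIST = """\
173.245.48.0/20
198.51.100.0/24
2001:db8::/32

0.0.0.0/0
203.0.113.7/24
<html>error</html>
"""

# Assumed sanity limits: a trusted proxy range wider than this is rejected,
# because every address inside it may set CF-Connecting-IP to any value.
MIN_PREFIX = {4: 8, 6: 24}


def parse_ranges(text):
    """Return (accepted networks, rejected lines) from a one-CIDR-per-line list."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)  # host bits must be zero
        except ValueError:
            rejected.append(line)
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append(line)
        else:
            accepted.append(net)
    return accepted, rejected


def build_real_ip_conf(text):
    """Render the nginx directives described in the post; refuse a bad list."""
    accepted, rejected = parse_ranges(text)
    if rejected or not accepted:
        raise ValueError(f"refusing to write config, bad entries: {rejected}")
    lines = [f"set_real_ip_from {net};" for net in accepted]
    lines += ["real_ip_header CF-Connecting-IP;", "real_ip_recursive on;"]
    return "\n".join(lines) + "\n"
```

Write the returned text to /etc/nginx/conf.d/real_ip.conf (the path given in the post) and run nginx -t before reloading.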
 
OK thank you. That helps with the domain and subdomains.

What about access to Plesk itself (which is on a subdomain, but subdomain doesn't actually exist in Plesk domains list)?

ie: Server hostname is set to something like: plesk.server.com.
 
It will work in the same way. Just add the port to your URL: https://plesk.server.com:8443. Cloudflare will accept the connection on port 8443 and will forward to your IP address. You will want to "Allow IP address changes during a single session" since Cloudflare will cycle the source IP addresses and this will invalidate your Plesk session. You can enable the option from Tools & Settings > Security: Session Idle Time.
You will also have to forward port 8443 from your router to your server.

In Tools & Settings > General Settings: Customize Plesk URL I suspect you have "All domains and subdomains that resolve to the server IP address but are not used for hosting".

For more information on Customizing Plesk URL please see:
Customizing Plesk URL

However, I recommend using https://plesk.server.com:8443, which doesn't rely on the webserver for access to the Plesk panel webserver.
 