SEC-002 (critical): Cloudflare Protection

No direct IP exposure

Origin server IPs should not be publicly accessible. All traffic must flow through Cloudflare; otherwise anyone who learns the origin IP can connect to it directly and bypass the WAF, rate limiting and DDoS protection that Cloudflare provides.

Question to ask

"Could someone bypass Cloudflare and hit your origin directly?"

Pass criteria

  • Origin rejects direct connections
  • Firewall allows only Cloudflare IP ranges
  • No historical DNS leaks exposing origin

Fail criteria

  • Origin IP directly accessible on port 80/443
  • No firewall restriction to Cloudflare IPs
  • Origin IP discoverable via DNS history

Verification guide

Severity: Critical

Check automatically:

  1. Verify origin rejects direct connections:

     # If origin IP is known, verify it rejects direct connections
     curl -sI --connect-timeout 5 http://ORIGIN_IP
     # Should time out, refuse the connection, or return 403

     curl -sI --connect-timeout 5 https://ORIGIN_IP -k
     # Same - should not serve content
     # If the origin serves by name, repeat with -H "Host: example.com":
     # a default vhost answering 404 is not proof that the origin is closed

  2. Check Cloudflare firewall rules:

     # List firewall rules - should have origin protection
     curl -s -X GET "https://api.cloudflare.com/client/v4/zones/ZONE_ID/firewall/rules" \
       -H "Authorization: Bearer $CF_API_TOKEN" | jq '.result'

  3. Check for IP leaks in DNS history:

     # Historical DNS records can reveal origin IPs
     # Manual check: SecurityTrails, DNSdumpster, or similar services
     # Search: site:securitytrails.com example.com

  4. Verify origin firewall (on server):

     # Cloudflare publishes IP ranges at:
     # https://www.cloudflare.com/ips-v4
     # https://www.cloudflare.com/ips-v6

     # Check iptables/ufw only allows CF IPs on 80/443
     # (match on the destination port, not a bare "80", which also hits IP addresses)
     sudo iptables -L -n | grep -E "dpt:(80|443)"
     sudo ufw status verbose
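Step 4 leaves the comparison of firewall sources against Cloudflare's ranges to the reader. The script below is an added example (not part of this checklist): it parses a constructed `ufw status` sample and reports every 80/443 allow rule whose source is not inside a published Cloudflare range. The embedded range list is an abbreviated snapshot; in practice fetch the live lists from the URLs above.

```python
"""Audit ufw allow rules on 80/443 against Cloudflare's published IP ranges."""
import ipaddress
import re

# Abbreviated snapshot of https://www.cloudflare.com/ips-v4 and /ips-v6.
# Fetch the live lists in practice; this is short only so the example runs offline.
CLOUDFLARE_RANGES = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22",
    "104.16.0.0/13", "104.24.0.0/14", "2606:4700::/32",
]

# Constructed sample of `sudo ufw status` output (not from a real server).
SAMPLE_UFW_STATUS = """\
To                         Action      From
443/tcp                    ALLOW IN    173.245.48.0/20
80/tcp                     ALLOW IN    104.16.0.0/13
443/tcp                    ALLOW IN    Anywhere
80/tcp                     ALLOW IN    203.0.113.7
22/tcp                     ALLOW IN    Anywhere
443/tcp (v6)               ALLOW IN    Anywhere (v6)
"""

RULE_RE = re.compile(r"^(\d+)/tcp(?: \(v6\))?\s+ALLOW IN\s+(\S+)")

def parse_ufw_allow_rules(text):
    """Yield (port, source_network) for each ALLOW IN rule in `ufw status` output."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        port, src = int(m.group(1)), m.group(2)
        if src == "Anywhere":  # ufw's wording for 0.0.0.0/0 or ::/0
            src = "::/0" if "(v6)" in line else "0.0.0.0/0"
        yield port, ipaddress.ip_network(src, strict=False)

def is_cloudflare_source(net, cf_nets):
    """True only if every address in net lies inside one published Cloudflare range."""
    return any(net.version == cf.version and net.subnet_of(cf) for cf in cf_nets)

def find_non_cloudflare_allows(ufw_text, cf_ranges=CLOUDFLARE_RANGES, web_ports=(80, 443)):
    """Return [(port, source)] for web-port allows not restricted to Cloudflare (fail criteria)."""
    cf_nets = [ipaddress.ip_network(r) for r in cf_ranges]
    return [(port, str(net)) for port, net in parse_ufw_allow_rules(ufw_text)
            if port in web_ports and not is_cloudflare_source(net, cf_nets)]

if __name__ == "__main__":
    for port, src in find_non_cloudflare_allows(SAMPLE_UFW_STATUS):
        print(f"FAIL: {port}/tcp reachable from non-Cloudflare source {src}")
```

An empty result list is the pass condition for the firewall part of this check; any entry is evidence to capture under "Firewall rule configuration".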

Ask user:

  • Is the origin server configured to only accept connections from Cloudflare IPs?
  • Is there a firewall rule (cloud or server-level) enforcing this?
  • Has the origin IP ever been exposed in DNS history?

Cross-reference with:

  • SEC-001 (Cloudflare protection): the site must already be fronted by Cloudflare before this check applies

Pass criteria:

  • Origin server rejects direct connections (not from Cloudflare)
  • Firewall rules restrict port 80/443 to Cloudflare IP ranges
  • No historical DNS leaks exposing origin

Fail criteria:

  • Origin IP directly accessible on port 80/443
  • No firewall restriction to Cloudflare IPs
  • Origin IP discoverable via DNS history tools

Evidence to capture:

  • Origin IP (if known)
  • Firewall rule configuration
  • Result of direct connection attempt
  • DNS history check result

Section: 13. Infrastructure Security