How to restrict anything but MaxCDN to your origin
October 15, 2014 | Ivan Dabic

If you are serving files that are used by multiple third-party websites around the web, then security is very important for you: you need to ensure that these websites serve their users exactly what they expect. One of the best solutions is to turn the origin into a "black box" server, configured to allow access only from a static IP address used by you for management and from MaxCDN for proxy caching. This creates two layers of protection for your server. The first is MaxCDN itself, which completely hides the origin from the public, ensuring that all requests hit our own Edge servers without giving away any information about the backend. The second is the strict firewall on the origin server itself. First of all, contact MaxCDN support and ask for the list of IP addresses for your pull zone. We have multiple clusters, so you need to get the subnets specific to you. Then, to set this up, all you need is to apply the following rules on your origin server:
```sh
# Define the default policy for incoming traffic: deny access to everyone.
# Note: once this is set, any connection not explicitly allowed (including your own
# remote session) is dropped, so apply these commands from the console or as one script.
iptables -P INPUT DROP
# Define the allow rule for the MaxCDN blocks/IPs on HTTP and HTTPS.
iptables -I INPUT -s SUBNET_HERE -p tcp -m multiport --dports 80,443 -j ACCEPT
```

Replace SUBNET_HERE with the actual subnet and apply the rule once for every MaxCDN subnet. Then save the ruleset using:
```sh
/etc/init.d/iptables save
```

Of course, to cover other (UNIX-like) platforms, here you can find examples to adapt to your own scenario. Keep in mind that the linked article covers saving the whitelist; the initial DROP policy still needs to be defined first. Now the server will only accept MaxCDN connections on ports 80 and 443, ignoring everything else, including port scanners, malware traffic and brute-force attempts.
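As an added example (not MaxCDN's own script), the following POSIX shell generates the complete origin ruleset in an order that is safe to apply over a remote session: loopback, established connections, the management address and the MaxCDN subnets are allowed first, and the DROP policy is set last. It assumes management access is SSH on port 22, and the IP ranges in it are constructed placeholders, not real MaxCDN subnets.

```shell
#!/bin/sh
# Constructed placeholders (RFC 5737 documentation ranges); replace with your own values.
MGMT_IP="203.0.113.10"                        # your static management address (assumed to use SSH/22)
MAXCDN_SUBNETS="198.51.100.0/24 192.0.2.0/24" # the subnets MaxCDN support gave you for your pull zone

# Print the iptables commands for a black-box origin. Allow rules are emitted before the
# DROP policy so that applying the output line by line never cuts off the admin session.
gen_origin_rules() {
    mgmt="$1"
    subnets="$2"
    echo "iptables -I INPUT -i lo -j ACCEPT"                                        # local services
    echo "iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"   # replies to outbound traffic (DNS, updates)
    echo "iptables -I INPUT -s $mgmt -p tcp --dport 22 -j ACCEPT"                   # management host only
    for net in $subnets; do
        echo "iptables -I INPUT -s $net -p tcp -m multiport --dports 80,443 -j ACCEPT"  # MaxCDN edge servers
    done
    echo "iptables -P INPUT DROP"                                                   # everyone else is denied
}

# Number of CDN allow rules in the generated set: must equal the number of subnets.
count_cdn_rules() {
    gen_origin_rules "$1" "$2" | grep -c -- '--dports 80,443'
}

# Sanity check before applying: the DROP policy has to be the very last command.
drop_is_last() {
    [ "$(gen_origin_rules "$1" "$2" | tail -n 1)" = "iptables -P INPUT DROP" ]
}

# Review the output, then apply with:  gen_origin_rules "$MGMT_IP" "$MAXCDN_SUBNETS" | sh
gen_origin_rules "$MGMT_IP" "$MAXCDN_SUBNETS"
```

After applying, persist the rules with the save command shown above.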