Cloudflare TV

Cloudflare Support Engineer's Top 5 Tips

Presented by Mark Chan
Originally aired on 

Review a Cloudflare support engineer's top 5 tips on how to use Cloudflare to its fullest, and how to configure Cloudflare properly.


Transcript (Beta)

Hi everyone. Thank you for taking the time to join me on this segment. I'm Mark. I was a team lead in Cloudflare support.

Now I'm a technical trainer. I have five tips that I hope you will find useful.

So tip number one, enable DNSSEC. Many of you may know there is a vulnerability with DNS.

Attackers can poison the DNS cache by impersonating the DNS name server, making a request to the DNS resolver and then forging the reply when the DNS resolver queries the name server.

This is possible because the DNS servers use UDP instead of TCP and because currently there is no verification for the DNS information.

So if the DNS cache is poisoned, the users may not be aware they are directed to a malicious website.

In this current situation, a lot of us are doing our daily activities online such as online grocery shopping, e-learning, taking up online courses, paying for online services and other financial services such as online banking.

So if DNS cache is poisoned and we are not vigilant, we may send our bank login information to a malicious website.

So you may want to check if the online service that you use often has DNSSEC enabled and if not you may want to be careful you are not directed to a fake website.

So one way to prevent DNS cache poisoning is to enable DNSSEC.

So DNSSEC is short for Domain Name System Security Extensions.

You will add cryptographic signatures to the existing DNS records.

It verifies the DNS records coming from the authoritative name server and it can also detect if a fake record is injected.

So a DNS resolver determines whether a DNS response is trusted.

So how do I know whether the DNS response is authenticated?

So in this example you can see I did a dig on Cloudflare.com and in the response you can see an AD flag.

So an AD flag means that the response has been authenticated.
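To make the AD check concrete, here is an added example that is not from the talk: it parses the 12-byte DNS message header (RFC 1035 layout, AD and CD bits from RFC 2535) and reports whether a response carries the AD flag. The header bytes used in the test are constructed, not captured from a real query. One caveat worth remembering: the AD bit is only meaningful when the resolver validates DNSSEC and the path between you and that resolver is trusted (a local or encrypted resolver); a validating resolver that detects a forged record returns SERVFAIL with AD clear.

```python
import struct

# DNS header flags word, most significant bit first:
#   QR(1) Opcode(4) AA(1) TC(1) RD(1) RA(1) Z(1) AD(1) CD(1) RCODE(4)
FLAG_QR = 0x8000
FLAG_AA = 0x0400
FLAG_TC = 0x0200
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020  # "Authentic Data": resolver validated the DNSSEC chain
FLAG_CD = 0x0010  # "Checking Disabled": client asked for no validation

RCODE_NOERROR = 0
RCODE_SERVFAIL = 2


def parse_dns_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header of a DNS message into named fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & FLAG_AA),
        "tc": bool(flags & FLAG_TC),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0xF,
        "qdcount": qd,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
    }


def is_authenticated(msg: bytes) -> bool:
    """True only for a successful response whose resolver set the AD bit."""
    h = parse_dns_header(msg)
    return h["qr"] and h["rcode"] == RCODE_NOERROR and h["ad"]


def build_response_header(ident: int, *, ad: bool, rcode: int = RCODE_NOERROR) -> bytes:
    """Constructed test helper: a response header like 'flags: qr rd ra [ad]'."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", ident, flags, 1, 1, 0, 0)


if __name__ == "__main__":
    # Mirrors what `dig +dnssec` shows as "flags: qr rd ra ad" on a validated answer.
    validated = build_response_header(0x1234, ad=True)
    print(parse_dns_header(validated))
    print("authenticated:", is_authenticated(validated))
```

Run against a live resolver, the same parser can be fed the raw bytes returned by a UDP query; the point of the function is that "AD set" is a property of the resolver's validation, not of the zone itself, so a domain with DNSSEC enabled will still show no AD flag when queried through a non-validating resolver.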

So how do I enable DNSSEC on Cloudflare?

It is very simple, there are only two steps.

When you enable DNSSEC in the Cloudflare dashboard, Cloudflare will generate the DS record for your domain and the DS record consists of four fields, the key tag, the algorithm, the digest type and digest.

And once we have that you can add them to your registrar.

So Cloudflare has made enabling DNSSEC easy.

I think it is important to spread awareness of why DNSSEC is critical to secure our website.

So protect your website, enable DNSSEC.

Tip number two is to always use HTTPS.

So what's wrong with HTTP? So I believe the modern Chrome browser right now will show not secure in the address bar if you are not using SSL.

And if you are using HTTP, you are also missing out on SEO benefits for search engines such as Google.

And you can also potentially reveal information about your surfing habits.

Anyone doing a packet sniffing on the network can see what medical articles you are reading.

So now that we know the cons of using unencrypted HTTP, I would highly recommend redirecting all HTTP traffic to HTTPS using this Cloudflare feature called always use HTTPS.

So you can just turn it on with a click of a button.

And one of the things that I see very commonly is some users may configure a Page Rule to perform URL forwarding.

And if they misconfigure that Page Rule, it may result in a redirect loop.

So instead of configuring a Page Rule, you can just click on this button.

And lastly, the bonus is you can save your Page Rule.

Instead of creating a Page Rule, you can just click on this button to turn on redirecting of HTTP to HTTPS.

So Cloudflare offers free and automatic HTTPS support for all customers.

You can sign up for any plan and Cloudflare will issue the SSL cert for you and serve your website over HTTPS.

Okay, now for tip number three, I would recommend enabling prefetching.

So users visiting a web page for the first time may experience slowness because the files are not cached.

So in the use case below, you can see that I have a landing page. I am expecting the user to load my product page.

So the solution would be to enable prefetching.

So prefetching prepopulates the Cloudflare cache with content that a user is likely to request next.

And this guarantees a higher cache hit rate and therefore a faster experience for the user.

So you can see that I have an animated GIF here.

So on the left is the terminal of my laptop and I'm making a single HTTP request to my landing page.

And on the right is the terminal on my origin web server.

And I'm displaying the contents of my web access logs.

So you can see that even though I have only made one single request, Cloudflare is prefetching the rest of the files that I've specified.

So how do I enable prefetching?

Step one, you can just click on this button to turn it on.

And next, you need to configure the origin server to return the HTTP response with the link header and the location of the manifest file.

So over here, you can see that I edited my .htaccess file.

And if the request matches the regex landing page, I'll be sending a HTTP response header with the link header containing the location of my manifest file.

And on my origin server, I will create this manifest file.

And in this manifest file, I will specify what files I want Cloudflare to prefetch.
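The origin-side half of the prefetch setup, as an added example that is not the speaker's configuration: a minimal Python origin that answers the landing page with a `Link` header pointing at a manifest file and serves that manifest. The manifest name, the landing-page regex and the manifest contents are constructed for the example; the `Link: <url>; rel=prefetch` header form and the one-URL-per-line manifest layout are assumptions here and should be checked against Cloudflare's prefetch documentation before use.

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Assumed names for the example (not from the talk).
MANIFEST_PATH = "/prefetch-manifest.txt"
LANDING_RE = re.compile(r"^/landing(?:\.html)?$")

# Constructed manifest: the files Cloudflare should fetch after the landing page.
MANIFEST_TEXT = """# one URL per line; blank lines and comments are ignored
/product.html
/static/app.js
/static/hero.jpg
"""


def manifest_urls(text: str) -> list:
    """Parse the manifest text into a list of URLs to prefetch."""
    urls = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        urls.append(line)
    return urls


def link_header_for(path: str):
    """Return the Link header value for the landing page, else None."""
    if LANDING_RE.match(urlsplit(path).path):
        return f"<{MANIFEST_PATH}>; rel=prefetch"
    return None


class OriginHandler(BaseHTTPRequestHandler):
    """Toy origin: landing page advertises the manifest; manifest lists the files."""

    def do_GET(self):
        path = urlsplit(self.path).path
        if path == MANIFEST_PATH:
            body = MANIFEST_TEXT.encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
        elif link_header_for(path):
            body = b"<html><body>landing page</body></html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            # This header is what tells the edge which manifest to read.
            self.send_header("Link", link_header_for(path))
        else:
            body = b"<html><body>" + path.encode() + b"</body></html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # A single request to /landing is what the speaker's demo sends; the
    # origin access log then shows the edge fetching the manifest entries.
    HTTPServer(("127.0.0.1", 8000), OriginHandler).serve_forever()
```

When you watch the origin access log as in the demo, the expected pattern is one request for the landing page followed by requests for each manifest entry that originate from Cloudflare rather than from the visitor.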

So the takeaway for this is, at this time, all I need to do is create a single Page Rule to cache as much as possible.

So if I want to cache the pages for the first visit, I can just configure prefetching.

So the next tip is bypass cache on cookie.

So what most people would want is to cache all anonymous pages so that your website can load faster.

So on the Business plan and above, there is a Page Rule setting, Bypass Cache on Cookie.

When using in conjunction with the cache everything, it allows the website to cache the HTML before affecting the dynamic content.

So in this example, you can see I've created a Page Rule with a URL pattern to match my entire website.

I have set the setting Cache Everything.

And I have set the Edge Cache TTL, how long I want to store the files, to a day.

And I have specified the cookies that I want to bypass the cache on.

So this is just one Page Rule. So how do I know if the Bypass Cache on Cookie is working?

So if a request matches the cookie in the Page Rule above, it will not be cached.

So at the bottom, you can see the output of the terminal. So I'm sending a request with the cookie that matches the regex, or the basic regular expression, in the Page Rule.

It begins with WordPress. And you can see the Cloudflare cache status is dynamic.

So it means that if a cookie matches the Page Rule cookie, it will not be cached.

So in this example, you can see that I'm sending a request with a cookie that does not match the Page Rule.

And it will result in the response being cached.

So as you can see, I can just create one Page Rule, and then I can cache my page and make my website load faster.
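The decision the demo checks with the `cf-cache-status` header, as an added example that is not Cloudflare's implementation: a small matcher that takes a request's `Cookie` header and a list of cookie-name patterns (anchored at the start, so `wordpress_.*` means "begins with wordpress_", as in the talk) and reports whether the response should bypass the cache, plus a helper that interprets the `cf-cache-status` values seen in the terminal. The pattern list and cookie strings are constructed for the example.

```python
import re

# Constructed bypass list in the style of a WordPress rule: any cookie whose
# name begins with "wordpress_" or "wp-", or is exactly PHPSESSID.
BYPASS_PATTERNS = ["wordpress_.*", "wp-.*", "PHPSESSID"]

# Values Cloudflare puts in cf-cache-status and whether the edge served them from cache.
CACHE_STATUS_SERVED_FROM_CACHE = {
    "HIT": True,
    "STALE": True,
    "REVALIDATED": True,
    "UPDATING": True,
    "MISS": False,
    "EXPIRED": False,
    "BYPASS": False,
    "DYNAMIC": False,  # what the demo shows when the cookie matches the rule
}


def compile_patterns(patterns):
    """Anchor each pattern at the start of the cookie name and require a full match."""
    return [re.compile(r"(?:%s)\Z" % p) for p in patterns]


def parse_cookie_header(cookie_header: str) -> dict:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}, tolerating sloppy spacing."""
    cookies = {}
    for part in (cookie_header or "").split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def matching_bypass_cookie(cookie_header: str, compiled):
    """Return the first cookie name that matches a bypass pattern, else None."""
    for name in parse_cookie_header(cookie_header):
        for rx in compiled:
            if rx.match(name):
                return name
    return None


def cache_decision(cookie_header: str, compiled) -> str:
    """'DYNAMIC' when a bypass cookie is present, otherwise 'CACHEABLE'."""
    return "DYNAMIC" if matching_bypass_cookie(cookie_header, compiled) else "CACHEABLE"


def served_from_cache(response_headers: dict) -> bool:
    """Interpret the cf-cache-status header from a response (case-insensitive lookup)."""
    for key, value in response_headers.items():
        if key.lower() == "cf-cache-status":
            return CACHE_STATUS_SERVED_FROM_CACHE.get(value.strip().upper(), False)
    return False


if __name__ == "__main__":
    rules = compile_patterns(BYPASS_PATTERNS)
    for header in ["wordpress_logged_in_abc=1; foo=bar", "foo=bar", "wp-settings-1=x", "session=abc"]:
        print(f"{header!r:45} -> {cache_decision(header, rules)}")
```

The anchoring is the important detail: an unanchored `wordpress_.*` would also match a cookie named `my_wordpress_pref`, which is not what "begins with" means, and an over-broad bypass rule quietly turns the cached site back into an uncached one.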

Okay.

So the final tip that I have, the final tip for the day is to enable Argo tunnel.

So I remember a long time ago, a long, long time ago, before there was Cloudflare, I wanted to experiment doing my own web hosting at home.

So I found an old, inexpensive mini notebook, and I set up my own web server, and I coded my website.

After that, I had to find a way to surf my website on the Internet. I did not have a static IP, so I had to use one of those free dynamic DNS service to update a static hostname to point to a dynamic IP on my computer.

And after that, I had to configure the port forwarding on my home router and configure the ACL.

So even though I've taken all these steps to lock down my home server, I still worry that a hacker may hack into my home network because I have exposed my computer to the Internet with an open port.

So if I had Argo tunnel in the past, I would not need to worry about a direct attack on my home server.

So attackers are constantly trying to find new ways to connect to the origin server.

If the attackers discover the origin public IP and ports, they can use that as the starting point for attacks.

So how does Argo tunnel work? It is a lightweight program installed on the origin, and this program creates an outbound tunnel to the Cloudflare network.

In other words, a private link is created so that only Cloudflare can see the server and communicate with it.

And for the rest of the Internet, it is unroutable, as if the server is not even there.

And so with Argo tunnel, the origin does not require a static public IP.

There is no need to open any public inbound ports to the origin, and it is easy to install without configuring ACL or port forwarding.

And most importantly, it protects the origin from direct attack, since the attacker is unable to attack the origin public IP and port.

So just a few hours ago, as a proof of concept, I created a Node.js web server on my laptop, which is served only on the local host on port 8000.

And I managed to just run Argo tunnel on my laptop, and I can easily just serve my website, as you see in the screenshot on the left, on the right.

So the takeaway for this is, for me, I would use Argo tunnel to protect the origin.

So just to summarize the top five tips that I have, enable DNSSEC to prevent DNS cache poisoning, and always use HTTPS, because it can boost your SEO, even though it is a bit more expensive.

If you do not have any private information, that is a good reason to use HTTPS.

So configure prefetch to warm your cache, that will allow your user to experience a faster website.

So you can cache as much as possible, using the Page Rule Bypass Cache on Cookie.

And lastly, protect your origin with Argo tunnel.

Okay, that leaves us.

Thank you for staying with me.

So Cloudflare Access allows you to securely expose your internal applications and services, enforce user access policies, and log per-application activity, all without a VPN.

This video will show you how to enable Cloudflare access, configure an identity provider, build access policies, and enable access app launch.

Before enabling access, you need to create an account and add a domain to Cloudflare.

If you have a Cloudflare account, sign in, navigate to the access app, and then click enable access.

For this demo, Cloudflare access is already enabled. So let's move on to the next step, configuring an identity provider.

Depending on your subscription plan, access supports integration with all major identity providers, or IDPs, that support OIDC or SAML.

To configure an IDP, click the add button in the login methods card, then select an identity provider.

For the purposes of this demo, we're going to choose Azure AD.

Follow the provider-specific setup instructions to retrieve the application ID and application secret, along with the directory ID.

Toggle support groups to on if you want to give Cloudflare access to read specific SAML attributes about the users in your tenant of Azure AD.

Enter the required fields, then click save.

If you'd like to test the configuration after saving, click the test button.

Cloudflare access policies allow you to protect an entire website or resource by defining specific users or groups to deny, allow, or ignore.

For the purposes of this demo, we're going to create a policy to protect a generic internal resource, resourceonintra.net.

To set up your policy, click create access policy.

Let's call this application internal wiki. As you can see here, policies can apply to an entire site, a specific path, apex domain, subdomain, or all subdomains using a wildcard policy.

Session duration determines the length of time an authenticated user can access your application without having to log in again.

This can range from 30 minutes to one month. Let's choose 24 hours. For the purposes of this demo, let's call the policy just me.

You can choose to allow, deny, bypass, or choose non-identity.

Non-identity policies enforce authentication flows that don't require an identity provider (IDP) login, such as service tokens.

You can choose to include users by an email address, emails ending in a certain domain, access groups, which are policies defined within the access app in the Cloudflare dashboard, IP ranges, so you can lock down a resource to a specific location or whitelist a location, or your existing Azure groups.

Large businesses with complex Azure groupings tend to choose this option.

For this demo, let's use an email address.

After finalizing the policy parameters, click save.

To test this policy, let's open an incognito window and navigate to the resource, resource on intra.net.

Cloudflare has inserted a login screen that forces me to authenticate.

Let's choose Azure AD, log in with the Microsoft username and password, and click sign in.

After a successful authentication, I'm directed to the resource.

This process works well for an individual resource or application, but what if you have a large number of resources or applications?

That's where Access App Launch comes in handy.

Access App Launch serves as a single dashboard for your users to view and launch their allowed applications.

Our test domain already has Access App Launch enabled, but to enable this feature, click the Create App Launch Portal button, which usually shows here.

In the Edit Access App Launch dialog that appears, select a rule type from the include drop-down list.

You have the option to include the same types of users or groups that you do when creating policies.

You also have the option to exclude or require certain users or groups by clicking these buttons.

After configuring your rule, click save.

After saving the policy, users can access the App Launch portal at the URL listed on the Access App Launch card.

If you or your users navigate to that portal and authenticate, you'll see every application that you or your user is allowed to view based on the Cloudflare access policies you've configured.

Now, you're ready to get started with Cloudflare Access.

In this demo, you've seen how to configure an identity provider, build access policies, and enable Access App Launch.

To learn more about how Cloudflare can help you protect your users and network, visit teams.cloudflare.com/access.

Meet our customer, FindLaw.

FindLaw is a Thomson Reuters company. They're a digital marketing agency for law firms.

Their primary goal is to provide cost-effective marketing solutions for their customers.

My name is Teresa Jurisch. I'm a lead security engineer at Thomson Reuters.

Hello, my name is Jesse Haraldson. I'm a senior architect for FindLaw, a Thomson Reuters business.

So, as the lead security engineer, I get to do anything and everything related to security, which is interesting.

FindLaw's primary challenge was to be able to maintain the scale and volume needed to onboard thousands of customers and their individual websites.

So, the major challenge that led us to using Cloudflare is Google was making some noises around emphasizing SSL sites.

They were going to modify the Chrome browser to mark sites that weren't SSL as non-secure.

We wanted to find a way to, at scale, move 8,500 sites to SSL reasonably quickly.

And doing that to scale up to speed with our operations, it needed to be something that was seamless.

It needed to be something that just happened.

We had tried a few different things previously and it was not going well.

And we tried out Cloudflare and it worked, just kind of out of the gate.

Like us, FindLaw cares about making security and performance a priority, not only for their customers, but for their customers' customers.

Faster web performance means having customers who actually continue to sites.

It means having customers who maintain and go with the sites.

65% of our customers are seeing faster network performance due to Argo.

So, that's an extremely important thing. The performance, the accuracy, the speed of that site fronted by Cloudflare is super essential in getting that connection made.

I like the continued innovation and push that Cloudflare brings.

Cloudflare is amazing. Cloudflare is such a relief. With customers like Thomson Reuters, FindLaw, and over 10 million other domains that trust Cloudflare with their security and performance, we're making the Internet fast, secure, and reliable for everyone.

Cloudflare, helping build a better Internet.

Cloudflare Gateway protects offices, homes, and corporate networks from malware and other security threats without sacrificing performance.

Gateway provides a secure DNS resolver and filtering service that inspects and logs all DNS queries to apply policies that either block or allow the request.

This video will show you how to get started with Cloudflare Gateway by configuring a location, creating a policy, and using that policy to block security threats.

To get started, navigate to the Cloudflare Gateway dashboard at dash.teams.cloudflare.com.

If you don't have a Cloudflare account, you can sign up and the browser will redirect you back to the Gateway overview page.

Now, let's configure a location.

A location is typically a physical location like your home, office, store, or a data center that you'd like to protect.

For this demo, let's call our location aus-1.

Gateway should automatically detect your IP address, which allows Gateway to know which requests are coming from your location or network.

Now, let's configure the DNS resolvers. To take full advantage of Cloudflare Gateway, you should change your router settings to the Gateway IP addresses.

For this demo, I'm only going to use the IP addresses that Gateway assigns.

Now, let's configure the DNS resolvers. To do this on a Mac, go to your laptop's system preferences, click Network, then Advanced, and navigate to the DNS tab.

You'll see your existing Internet provider's DNS server IP address here.

Add in the IP addresses from the Gateway dashboard by clicking the plus sign.

If your network supports IPv6, make sure to add the IPv6 address here as well. Click OK, then Apply.

Now, my laptop is sending all of its DNS queries to Gateway's DNS resolvers.

To complete the location setup, navigate back to the Cloudflare Gateway dashboard and click Complete Setup.

After configuring your first location, you'll see the Gateway overview page.

Here, you can view your location's requests and if they were allowed or blocked.

After the initial setup, the graph may take a few minutes to show data.

While we're waiting on the data to populate, let's confirm that our location was properly configured.

It looks like our location is properly configured, but as you can see, there's no policy assigned.

Let's create one. Create a policy and apply it to your location to protect your network from Internet security threats like malware and phishing.

The policy will control what the user can or cannot access while connected to your location.

To create a policy, click Policies, then Create a Policy. For the purposes of this demo, I'm going to create a policy that blocks malware and social media.

Let's call this No Malware or Social Media. We'll assign it to our location by clicking here.

Here, you can enable a blocked page, which will show if a user attempts to access a page that's been blocked.

Let's enable it, then click Preview to see what a blocked page would look like.

Let's disable it for now.

You can also enable Safe Search, which allows Cloudflare to automatically filter content based on the same restrictions that large search engines use to protect users from explicit content.

Now, let's identify what security threats we want Cloudflare Gateway to protect against.

Gateway allows you to block all security threats listed here with one click, which include malware, phishing, and spam.

Let's just block malware for now, then move on to content categories.

Gateway allows you to block certain content categories. Since we want to block social media with this policy, click Society and Lifestyle, then Social Networks.

If you'd like to allow or block a specific domain, you can do that in the Allow Block tab.

Let's enter chat.google.com to ensure that it's blocked and click Add Domain.

Now that the policy has been configured, let's click Add Policy.

The policy will propagate throughout the Cloudflare network in a few seconds, so in the meantime, let's check out the Gateway Activity Log.

The Activity Log is where you can see all the requests to your configured location.

You can also see what content categories the requests were associated with.

This request was associated with content servers and information technology content categories.

It was an HTTPS request created from the AUS-1 location and was allowed as it didn't trigger the policy.

Now, let's test our policy to make sure that it works properly.

Let's test the social media portion of our policy by attempting to navigate to Twitter.

Shortly after hitting Enter, you'll see an error page indicating that Twitter cannot be reached.

Cloudflare Gateway has successfully intercepted the request and blocked the page accordingly.

During this Cloudflare Gateway walkthrough, you saw how to configure a location, create a policy, and use that policy to block Internet security threats.

To learn more about Cloudflare Gateway, navigate to teams.cloudflare.com/gateway.

No one likes being stuck in traffic, in real life or on the Internet.

Apps, APIs, websites, they all need to be fast to delight customers.

What we need is a modern routing system for the Internet, one that takes current traffic conditions into account and makes the highest performing, lowest latency routing decision at any given time.

Cloudflare Argo does just that. I don't think many people understand what Argo is and how incredible the performance gains can be.

It's very easy to think that a request just gets routed a certain way on the Internet no matter what, but that's not the case.

There's network congestion all over the place which slows down requests as they traverse the world and Cloudflare's Argo is unique in that it is actually polling what is the fastest way to get all across the world.

So when a request comes into Zendesk now, it hits Cloudflare's pop and then it knows the fastest way to get to our data centers.

There's a lot of advanced machine learning and feedback happening in the background to make sure it's always performing at its best, but what that means for you, the user, is that enabling it and configuring it is as simple as clicking a button.

Zendesk is all about building the best customer experiences and Cloudflare helps us do that.