Cloudflare rule for securing admin.php?

Alvin63

As an alternative to .htaccess, does this sound ok?

Firewall rule to protect admin.php using my static ip address and blocking all others. Which can be edited within Cloudflare if somewhere else/different IP address.
 
It can be done. I have a few rules that allow stuff like importing styles by IP. I tested this on my site and it worked to block AdminCP access. I use *.example.com so it covers all possible subdomains such as www.example.com or test.example.com

[attachment: admin_rule.webp]
 
If you are using the DigitalPoint Cloudflare add-on, it already has an internal feature which locks admin access to certain email IDs.
 
Use Zero Trust. Whitelist (bypass) your own home IP and allow one or more email addresses you use.

That way you can log in as usual from home and receive a login code in your mail from anywhere else. Works great.
 
Thanks a lot. Much appreciated. Lots of helpful options there. @duderuud, when you say use Zero Trust, whitelist your own IP, is that what I'm thinking? That you add your IP as the only one with access. I wasn't quite clear how having more email addresses would override that?
 
Yes, without any interference from Cloudflare.

If you want to access your admin console from outside your house (say on your mobile with 4/5G) you use "Allow" in Cloudflare and add your personal email address.

When you then go to your admin console, you will be presented with a Cloudflare screen. Enter your email address, check your mail for the OTP and enter it in the next screen, and you will be forwarded to your admin console.
 
Right, OK, so is this instead of just using your IP address for access? Is this using Cloudflare Access for limiting login to certain email addresses, OK, OTP to email address as authentication? Is there an option to use an authenticator app?
 
If you are using the DigitalPoint Cloudflare add-on, it already has an internal feature which locks admin access to certain email IDs.
Is it an add-on as opposed to an "app" on a phone? It's called an app :-) I didn't look into it before because I found it easy enough to just log in to Cloudflare, but does it provide easier use somehow?
 
Right, OK, so is this instead of just using your IP address for access? Is this using Cloudflare Access for limiting login to certain email addresses, OK, OTP to email address as authentication? Is there an option to use an authenticator app?
Yes, you specify which email addresses can be used to authenticate.
You can't use an authenticator for that specifically, but XF has that built in for all users. Just enable it in your own (admin) account.
 
Yes, you specify which email addresses can be used to authenticate.
You can't use an authenticator for that specifically, but XF has that built in for all users. Just enable it in your own (admin) account.
Thanks. One time passcode sounds fine anyway.
 
OK, so I thought I'd set it up in Cloudflare, but it doesn't seem to be working!

I selected Zero Trust and signed up for the free "Access" option.

Created a policy called admin emails and set to "Allow". Left the session duration as default "application timeout". Added the email addresses and saved.

Then selected Applications. Added an application and called it ACP. Left the duration as default 24 hours. Left input method as default, left subdomain blank, selected domain and added domain path /admin.php. Selected the policy I'd made and added that. Saved and it all looked set up.

Tested and it's not working 🤣 Could that be because I login with a username and not an email address? I tested in a private window.
 
Use Zero Trust. Whitelist (bypass) your own home IP and allow one or more email addresses you use.

That way you can log in as usual from home and receive a login code in your mail from anywhere else. Works great.
I can see what you're saying there now. Use both. Restrict to your IP, but allow a certain email to bypass it, is that right? That sounds ideal.

However I seem to have failed to set up Zero Trust correctly! I've deleted the policy and application now. I was just setting up the email authenticating. Not the IP restricting bit (yet).
 
OK, worked it out now. I needed to put www in subdomain, and do the application first, then the policy, then add the policy to the application.

So it's working now. However it could get tedious to have to sign in with email and OTP every time I go into ACP.

Edit: it's set for 24 hours, so presumably I only need to sign in once every 24 hours.

So are you using this as a standalone solution @duderuud? Or as a backup solution for when away from home, with IP address as main solution? If so have I set things up back to front?!
 
OK, I think I'm sorted now. Went back into the policy and added IP address (it needed /32 on the end) and saved. So this now means either/or IP address or email login, with IP address prioritising when you're on it. Is that right?

This is great! It took me ages to get it right. It's actually quite quick and easy if you know what to do! I'll know in future.

Thank you for the tip. No need to set the IP in firewall.
 
I'll add the steps here in case anyone else wants to do it that doesn't know how already! This is directly in Cloudflare.

1) Opt for Zero Trust in Cloudflare. Sign up for the free application (means adding payment details and address even though free).

Create Application:

2) Inside Zero Trust, in the left hand menu select "Application"
3) Application Name: Call it what you want - ACP Protect or something
4) Session duration - maybe 30 minutes
5) Public Host name:
Input method: Default
Subdomain: www (If you use www or leave blank)
Domain (select your domain from the drop down menu).
Path: the / is already there so just type admin.php
6) Scroll down to login methods. It says default is One Time Pin if no authenticator selected (types of authenticator app are limited) Scroll down and tick the box for One time passcode.
7) Save application

Create Policy:

8) Go to the left hand menu again and select "Policies"
9) Add/create a policy
Policy name - whatever - eg Email and IP protect
Action - allow
Session duration (30 minutes - or the same as session duration set in the application)
10) Scroll down to "Add Rules"
Selector - select Emails
Value - type the email address or addresses in this box (eg your admin account email address/login email)
11) Tap on "Add/Include" underneath
Selector - select IP Ranges
Value - type in your IP address followed by /32 - no spaces. Eg 123.23.000.23/32 (apparently the /32 tells Cloudflare it's a single IP).
12) Scroll down and SAVE.

Add Policy to Application:

13) Go back to Applications in the left menu
14) Tap the 3 dots on the right of your saved application and select "edit"
15) On the top menu, next to "Basic Information" select "Policies"
16) It might say in blue select or add policy or existing policy
17) Click on that and select the policy you created and add or save.
18) Scroll down and "Save application".

So admin.php can only be accessed by your IP address. But if you're on a different IP address or device you'll be asked for email authentication via One Time Passcode. The duration can be changed/edited afterwards - it's only needed for email access not for IP address access.

The email option can be tested using a different IP address and a private browser with domainname.com/admin.php. A window pops up from Cloudflare with the name of your application, asks you to add your email address, and sends an OTP to your email with a code. Add the code.
 
So I read that this isn't quite as secure as adding deny/allow code to htaccess. In that a non cloudflare IP address could potentially get into the server. Now I know there is other security as well like secure passwords and 2FA but I'm considering this option:

Setting deny/allow my IP address in htaccess as well. (Which would mean remote email access wouldn't work any more.) Then removing the code from htaccess if I go away/am away to get the email authentication function back. Seeing as I don't go away that much!

Which is an extra thing to do/think about but I am mostly on my ip address.

Another option I came across was - set deny in htaccess but allow my ip and all cloudflare ip's as well. Meaning email authentication would still work. But this sounds like more work/to remember as means checking Cloudflare IP's every so often and replacing them.

Just curious as to what others do and if anything like that? Otherwise, it's probably low risk just having Zero Trust, passwords and 2FA.

But - maybe I've missed something. There is some kind of key/token generated when you set up your policy/application in Zero Trust - is this supposed to be pasted somewhere in the server to tell them to only accept Cloudflare IP's?
 
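The question above about a key or token generated with the application points at the part the dashboard steps never cover: Cloudflare Access only protects requests that actually pass through Cloudflare, so the origin should itself check the Cf-Access-Jwt-Assertion header that Access adds to every authenticated request. That header is an RS256-signed JWT whose aud claim is the application's Audience (AUD) tag shown in the Zero Trust dashboard and whose issuer is the team domain; Cloudflare publishes the public keys at https://<team-name>.cloudflareaccess.com/cdn-cgi/access/certs. The Go program below is an added example, not code from this thread or from Cloudflare: it generates a local RSA key pair to stand in for Cloudflare's signing key, mints a token the way the edge would, and shows the origin-side verification with the checks that matter (pinned algorithm, signature, issuer, audience, expiry). The team name, AUD tag and email address are placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Subset of the claims in a Cloudflare Access JWT that an origin must check.
type accessClaims struct {
	Aud   []string `json:"aud"`
	Email string   `json:"email"`
	Exp   int64    `json:"exp"`
	Iss   string   `json:"iss"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// newDemoKey stands in for Cloudflare's signing key (demo assumption only).
func newDemoKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// signRS256 mints a token the way the Cloudflare edge would before forwarding
// the request to the origin in the Cf-Access-Jwt-Assertion header.
func signRS256(key *rsa.PrivateKey, claims accessClaims) string {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	input := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + b64(sig)
}

// verifyAccessJWT is the origin-side check. pub is the key fetched from
// https://<team-name>.cloudflareaccess.com/cdn-cgi/access/certs, wantAud is the
// application's AUD tag, now is Unix seconds. Returns the authenticated email.
func verifyAccessJWT(token string, pub *rsa.PublicKey, wantIss, wantAud string, now int64) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	hdrRaw, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	payloadRaw, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return "", errors.New("bad base64url")
	}
	// Pin the algorithm: trusting whatever the header says invites alg=none.
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil || hdr.Alg != "RS256" {
		return "", errors.New("unexpected alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", errors.New("bad signature")
	}
	// Only read the claims once the signature has checked out.
	var c accessClaims
	if err := json.Unmarshal(payloadRaw, &c); err != nil {
		return "", err
	}
	if c.Iss != wantIss {
		return "", errors.New("wrong issuer")
	}
	audOK := false
	for _, a := range c.Aud {
		audOK = audOK || a == wantAud
	}
	if !audOK {
		// A valid token for some other Access application must not open this one.
		return "", errors.New("token not issued for this application")
	}
	if now >= c.Exp {
		return "", errors.New("token expired")
	}
	return c.Email, nil
}

func main() {
	key := newDemoKey()
	iss, aud := "https://example-team.cloudflareaccess.com", "demo-aud-tag" // placeholders
	now := time.Now().Unix()
	tok := signRS256(key, accessClaims{Aud: []string{aud}, Email: "admin@example.com", Exp: now + 1800, Iss: iss})
	fmt.Println(verifyAccessJWT(tok, &key.PublicKey, iss, aud, now))
	fmt.Println(verifyAccessJWT(tok, &key.PublicKey, iss, "other-app", now))
}
```

With this check in front of admin.php, a request that reaches the origin directly (bypassing Cloudflare) carries no valid token and is rejected regardless of source IP, so the .htaccess allowlist of Cloudflare ranges becomes defence in depth rather than the only thing standing between the open internet and the AdminCP. In production the public key must be fetched from the team's certs endpoint and refreshed periodically, since Cloudflare rotates it.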
So it's come to my attention that this isn't quite as secure as adding deny/allow code to htaccess. In that a non cloudflare IP address could potentially get into the server
And how would that be. By hacking your email first and guessing your OTP of XF? You would have to be Zero Cool to pull that off.
 
I don't know 🤣 It was something about a non Cloudflare IP address attack putting yourdomain.com/admin.php as a web address and getting into the server, but presumably they'd have to login to the server account first! Point taken.
 