Cloudflare Developers•3y ago

I forget RTSP but if it uses TCP and not HTTP then you’ll need to have cloudflared on the clients as

I forget RTSP but if it uses TCP and not HTTP then you’ll need to have cloudflared on the clients as well

CCyb3r-Jak3 If you site is static then you can use pages. Otherwise you have it on a origin ...

BlaBla (Please tag or reply)•8/21/23, 7:43 PM

what is a static website? One that does not fetch data from db to render pages? Yes it is that.

BlaBla (Please tag or reply)•8/21/23, 7:43 PM

Do I need to buy the domain from cloudflare?

BBlaBla (Please tag or reply)what is a static website? One that does not fetch data from db to render pages? ...

Cyb3r-Jak3OP•8/21/23, 7:44 PM

At static site is something that is just HTML doesn’t use something like go or python to render content.

BBlaBla (Please tag or reply)Do I need to buy the domain from cloudflare?

Cyb3r-Jak3OP•8/21/23, 7:44 PM

You do not need to buy a domain from Cloudflare but you need the nameservers of the domain to point to your assigned nameservers

ZZnuff Is there no way to get a metric on the time it takes Cloudflare to fetch the pag...

Erisa•8/21/23, 9:04 PM

I think there is some available in Instant Logs, but dont quote me on that

Cyb3r-Jak3OP•8/21/23, 9:07 PM

Logpush also has them

Frerduro•8/21/23, 9:09 PM

is obervatory broken? I am unable to check a website however 3rd pary websites work just fine for checking the website, google,hetrix, etc etc

Frerduro•8/21/23, 9:09 PM

loading the website in browser is fine too

CCyb3r-Jak3 I forget RTSP but if it uses TCP and not HTTP then you’ll need to have cloudflar...

Picolé•8/21/23, 9:28 PM

still didnt work in here. RTSP is basically TCP at 554 so yeah, I have no clue why it does not work at all
it works fine with ngrok tho

PPicolé still didnt work in here. RTSP is basically TCP at 554 so yeah, I have no clue w...

Cyb3r-Jak3OP•8/21/23, 9:34 PM

I believe ngrok proxies TCP without client side software. Cloudflared requires client software if you use anything other than HTTPS

Cyb3r-Jak3OP•8/21/23, 9:34 PM

?tunnel-tcp

Flare•8/21/23, 9:34 PM

Cloudflare Tunnels use Cloudflare's proxy, which only supports proxying HTTP Traffic. If you want to use non-http applications over your tunnel, Cloudflare has a few other options:

For a few specific protocols such as SSH, RDP, and SMB, Cloudflare has guides for them here:
https://developers.cloudflare.com/cloudflare-one/applications/non-http/

For Arbitrary TCP like Minecraft, MySQL, and any other tcp application, Cloudflare has a guide here: https://developers.cloudflare.com/cloudflare-one/applications/non-http/arbitrary-tcp/

For Arbitrary UDP like Minecraft Bedrock, SMTP, and any other udp application, you will need to use Private Networking with WARP: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/private-net/connect-private-networks/

Please note for all of these except SSH and VNC which can be browser-rendered, you will either need to use cloudflared (Cloudflare's tunnel daemon) on the client machine running in the background or Private Networking with WARP, and have WARP installed on the client machine logged into your Zero Trust Team.

CCyb3r-Jak3 I believe ngrok proxies TCP without client side software. Cloudflared requires c...

Picolé•8/21/23, 9:34 PM

I installed it on both ends, still nothing sadly

PPicolé I installed it on both ends, still nothing sadly

Cyb3r-Jak3OP•8/21/23, 9:35 PM

How are you accessing it from the client?

Picolé•8/21/23, 9:36 PM

both pcs logged into cloudflared same account
created the TCP on port 554 inside Tunnels panel
status is healthy in the panel

tried going into VLC and using the subdomain to check if it works but getting nothing in there

PPicolé both pcs logged into cloudflared same account created the TCP on port 554 inside...

Cyb3r-Jak3OP•8/21/23, 9:38 PM

From the client you are doing cloudflared tunnel --hostname tcp.site.com --url tcp://localhost:7870cloudflared tunnel --hostname tcp.site.com --url tcp://localhost:7870 then pointing the RTSP client to localhost:7870localhost:7870?

CCyb3r-Jak3 From the client you are doing `cloudflared tunnel --hostname tcp.site.com --url ...

Picolé•8/21/23, 9:41 PM

exactly, just tried (port 554) but I just get Your input can't be openedYour input can't be opened after a while

Ook So even if you set SPF, DKIM, DMARC & Domain Lockdown at cf workers, there's sti...

skoogeer•8/21/23, 10:29 PM

No, if you create a Domain Lockdown record, then we will not deliver any email for your domain except as you authorize it in your lockdown record.

Original message was deleted

skoogeer•8/21/23, 10:30 PM

This no longer works because you must have a Domain Lockdown record in place before you can send email using our API on Workers.

Original message was deleted

skoogeer•8/21/23, 10:31 PM

@nora This is not true. If you set up a Domain Lockdown record for your domain, then we will not deliver email for your domain except as you specifically authorize in the DNS.

Cchientrm.com I'm not sure, $80 then they can spoof but Idk how could they spoof DKIM.

skoogeer•8/21/23, 10:33 PM

To be abundantly clear, if you create a Domain Lockdown record, then even someone paying MailChannels $1M/mo cannot send email on behalf of your domain.

Unsmart•8/21/23, 10:45 PM

so $2M/mo is the lucky number /s

Sskoogeer To be abundantly clear, if you create a Domain Lockdown record, then even someon...

James•8/21/23, 10:54 PM

How would someone enforce Domain Lockdown when they don't use Workers? That's entirely related to the cf-workercf-worker header... no? How do I ensure only I can send from my domain, and not any of your other paying customers, outside of Workers?

James•8/21/23, 10:54 PM

All of the docs I've seen at least are explicitly talking about cf-workercf-worker. If there's something I'm missing, please let me know

Cchientrm.com I got MailChannels lockdown + SPF + DKIM + DMARC setup already.

DarkDeviL•8/21/23, 10:57 PM

Depending on your "trust", re. e.g. the messages above, you can also kill the SPF in various different ways (deleting the SPF record, removing "include:relay.mailchannels.net", ... or similar), and attempt that way to lean only on DKIM authentication, if you're 100% sure that DKIM is set up and working properly, which your DMARC reports can eventually assist with (over time).

While I am a fan of as strict security policies as possible, including e.g. having a DMARC reject, and SPF "-all" (e.g. DASH all) policy, setting SPF alone to "v=spf1 -all" as an attempt to lean on DKIM authentication alone, may be able to trigger some spam filters, believing that the "v=spf1 -all" means "this domain never sends mails".

That part should be solvable, by having any (apparent valid) part between "v=spf1" and "-all" though.

Final result, regardless what you do or attempt, will always depend on the individual receiving mail server / destination though.

Sskoogeer This no longer works because you must have a Domain Lockdown record in place bef...

James•8/21/23, 10:57 PM

But it does still work if someone just gives you $80 and uses your SMTP relay, no?

James•8/21/23, 10:59 PM

With Workers, yes

James•8/21/23, 10:59 PM

I'm talking outside of Workers entirely

James•8/21/23, 10:59 PM

How can I setup a Domain Lockdown record that lets only me send using the SMTP relay, and no on else? Not in Workers.

JJames How can I setup a Domain Lockdown record that lets only me send using the SMTP r...

DarkDeviL•8/21/23, 11:00 PM

Isn't that on https://support.mailchannels.com/hc/en-us/articles/16918954360845-Secure-your-domain-name-against-spoofing-with-Domain-Lockdown- ?

James•8/21/23, 11:01 PM

Oh I see, there's

auth

auth

and senderidsenderid options instead of cfidcfid. Okay this is good.

James•8/21/23, 11:01 PM

Now they need to enforce this for all customers.

James•8/21/23, 11:01 PM

And then, I'll be happy recommending MailChannels

JJames Now they need to enforce this for all customers.

DarkDeviL•8/21/23, 11:01 PM

This sounds what @ttul said abvove that it is (now being)?

DDarkDeviL This sounds what @ttul said abvove that it is (now being)?

James•8/21/23, 11:02 PM

I mean, enforce sender verification in general. Don't allow any email to be sent without this (or something) set. So actually protect their large customers like boston.govboston.gov.

DarkDeviL•8/21/23, 11:04 PM

Could be me, but doesn't general-discussions sound like it's in effect already?

James•8/21/23, 11:04 PM

It's wild to me that it's taken all of this public pressure for change, when this has been known since 2016. But once they actually enforce this, I'll be happy recommending MailChannels

DDarkDeviL Could be me, but doesn't https://discord.com/channels/595317990191398933/9094582...

James•8/21/23, 11:05 PM

No, that's an opt-in to not being spoofed. People still have to create that record.

James•8/21/23, 11:05 PM

You can still signup right now and spoof any customer without this record.

DarkDeviL•8/21/23, 11:05 PM

Oh, you meant it like that.

James•8/21/23, 11:06 PM

And I've not checked, but I would put a lot of money on the 2+ million affected not adding this record yet.

James•8/21/23, 11:06 PM

It's a great start, don't get me wrong. But it's still not enough in my opinion.

I forget RTSP but if it uses TCP and not HTTP then you’ll need to have cloudflared on the clients as

Similar Threads

Similar Threads

Similar Threads