Finding Real IP Behind Cloudflare



This guide explains ethical methods for discovering the real IP address of a website protected by Cloudflare, mainly for security research or misconfiguration auditing.


What Is Cloudflare?

Cloudflare is a content delivery network (CDN) and security platform offering:

  • DDoS protection
  • HTTPS redirection
  • IP masking
  • WAF (Web Application Firewall)
  • Performance boosts

When websites use Cloudflare, their real server IP is hidden behind Cloudflare’s IP range.


How Cloudflare Is Typically Set Up

  1. Register on cloudflare.com
  2. Add domain and choose a plan
  3. Update nameservers to Cloudflare’s
  4. Install SSL certificate
  5. Set up redirection rules (HTTP → HTTPS)
  6. Configure WAF to block threats and bots

How Admins May Block Direct IP Access

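# Catch-all: requests sent to the bare IP or with an unknown Host header get a 404
server {
  listen 80 default_server;
  server_name _;
  return 404;
}

# Inside the site's own server block, reject any Host other than the expected one
server {
  listen 80;
  server_name domain.com;
  if ($host != "domain.com") {
    return 404;
  }
}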

Other methods include:

  • IP allowlisting
  • Secret headers or hostnames
  • GeoIP restrictions (e.g., allow only from specific countries)

Reconnaissance Steps to Find Real IP

1. Analyze DNS Records

Check A, AAAA, MX, TXT, CNAME, and SOA records. Use tools like:

2. Subdomain Bruteforce

Tools like subfinder, amass, or dnsx may uncover unprotected subdomains pointing directly to the origin server.

3. Email Headers

Register on the site and inspect received email headers. Use password resets or contact forms if necessary.

4. SSL Certificate Analysis

openssl s_client -connect ip:443

Search SSL data using:

5. Source Code Inspection

Check the website’s HTML and JavaScript for leaked IPs or endpoints.

6. Bounce Emails

Send an email to a fake address like [email protected]. The bounce message may contain the origin IP.
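
From the operator's side, the DNS, subdomain, mail and SPF leaks described in the steps above can be checked against your own zone before someone else finds them. The Python below is an added example, not part of the original guide; the example.com zone rows and the 203.0.113.0/28 origin network are constructed, and it reads a zone export instead of querying DNS.

```python
import ipaddress
import re

# Constructed sample data (assumption): hypothetical zone export and origin network.
ORIGIN_NETS = [ipaddress.ip_network("203.0.113.0/28")]
ZONE = [
    ("example.com", "A", "192.0.2.20"),          # proxy edge address
    ("www.example.com", "CNAME", "example.com"),
    ("dev.example.com", "A", "203.0.113.10"),    # DNS-only record
    ("mail.example.com", "A", "203.0.113.5"),
    ("example.com", "MX", "10 mail.example.com"),
    ("example.com", "TXT", "v=spf1 ip4:203.0.113.0/28 include:_spf.example.net -all"),
    ("status.example.com", "A", "198.51.100.7"), # third-party host
]

def is_origin(value):
    """True if an address or CIDR taken from a record overlaps the origin network."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False
    return any(net.version == o.version and net.overlaps(o) for o in ORIGIN_NETS)

def addresses_of(name, zone, seen=()):
    """Resolve a name to addresses using only the zone export, following CNAMEs."""
    out = []
    for rname, rtype, value in zone:
        if rname != name or name in seen:   # second test guards CNAME loops
            continue
        if rtype in ("A", "AAAA"):
            out.append(value)
        elif rtype == "CNAME":
            out += addresses_of(value.rstrip("."), zone, seen + (name,))
    return out

def audit(zone):
    """Return sorted (name, type, value) for records that disclose the origin."""
    findings = set()
    for name, rtype, value in zone:
        if rtype in ("A", "AAAA"):
            found = [value]
        elif rtype in ("CNAME", "MX"):      # MX value is "priority target"
            found = addresses_of(value.split()[-1].rstrip("."), zone)
        elif rtype == "TXT":                # SPF ip4:/ip6: mechanisms
            found = re.findall(r"\bip[46]:(\S+)", value)
        else:
            found = []
        findings.update((name, rtype, v) for v in found if is_origin(v))
    return sorted(findings)
```

Each finding is a record to proxy, move to a separate host, or remove; `audit(ZONE)` on the sample data reports the dev and mail A records, the MX record and the SPF TXT record.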


⚙️ Mass Scanning and Filtering

If you know the country or city, filter IP ranges to save time.

sudo masscan -iL iprange.txt -p443 --open-only

Then use OpenSSL:

openssl s_client -connect ip:443 | grep -E "CN|subject|issuer"

Perl Script Example:

#!/usr/bin/perl
use strict;
use warnings;

open(my $fh, '<', 'ip') or die "Cannot open IP list: $!";
while (my $ip = <$fh>) {
    chomp($ip);
    my $output = `openssl s_client -connect $ip:443 2>&1 | grep CN`;
    print "[$ip] $output\n" if $output =~ /target\.com/;
}
close($fh);




Tags: web, http, html, server, vps, ddos
Owned by kleskby#1837