The definitive list of cloudflare IPs doesn't appear to be too unmanageable:
https://www.cloudflare.com/ips

They also provide convenient text files that just contain the IP address lists for easy automation. As Lukas says, if you do not validate the IP addresses it's trivial for anyone to forge client IP addresses.

-JohnF

On Wed, May 8, 2013 at 8:26 AM, Lukas Tribus <[email protected]> wrote:

> > > I just found out that they also send a CF-Connecting-IP header. Is
> > > there a way to copy the contents of this header to the X-Forwarded-For
> > > header?
> >
> > Yes, just remove x-forwarded-for and rename cf-connecting-ip to
> > x-forwarded-for :-)
> >
> > Willy
>
> But remember that cf-connecting-ip can be spoofed as easily as
> x-forwarded-for.
>
> You will need to check the cloudflare ips somehow and you can do this with
> the 2 proposals from my previous mail.
>
> Regards,
> Lukas
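The check discussed in this thread, as an added example that is not part of the original messages: honor CF-Connecting-IP only when the TCP peer is inside the published ranges, and drop any client-supplied X-Forwarded-For. The function names are hypothetical, and the ranges are constructed documentation networks standing in for the text files at https://www.cloudflare.com/ips.

```python
import ipaddress

# Constructed stand-in for the published text files (one CIDR per line).
# These are documentation ranges, NOT Cloudflare's real networks.
SAMPLE_RANGES_TXT = """\
203.0.113.0/24
198.51.100.0/25

2001:db8:cf::/48
"""

def load_networks(text):
    """Parse one CIDR per line, skipping blank lines and # comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets

def peer_is_trusted(peer_ip, networks):
    """True when the socket peer address falls inside one of the ranges."""
    addr = ipaddress.ip_address(peer_ip)
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap them.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == n.version and addr in n for n in networks)

def forwarded_for(peer_ip, headers, networks):
    """Return the value to place in X-Forwarded-For for this request.

    Any client-supplied X-Forwarded-For is ignored. CF-Connecting-IP is
    used only when the peer is trusted and the header holds exactly one
    syntactically valid address; otherwise the socket address is used.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    claimed = lowered.get("cf-connecting-ip", "").strip()
    if claimed and peer_is_trusted(peer_ip, networks):
        try:
            return str(ipaddress.ip_address(claimed))
        except ValueError:
            pass  # malformed value: fall through to the socket address
    return peer_ip
```

The range list should be refreshed from the published files on a schedule, since a stale list either rejects legitimate proxy traffic or keeps trusting networks that are no longer in use.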

