On Wed, May 08, 2013 at 08:29:15AM -0400, John Marrett wrote:
> The definitive list of cloudflare IPs doesn't appear to be too unmanageable:
>
> https://www.cloudflare.com/ips
>
> They also provide convenient text files that just contain the IP address
> lists for easy automation.
>
> As Lukas says if you do not validate the IP addresses it's trivial for
> anyone to forge client IP addresses.
I agree, and indeed the list is very small; I thought it was much larger,
like Akamai's, which is much harder to deal with.
I think the following method should work, though I have not tested it:
acl from_cf src -f cf-ips.txt # list of cf's addresses, one per line
reqidel ^x-forwarded-for: if !from_cf
option forwardfor if-none
It is supposed to remove xff from requests not coming from CF, and to add
one only when there is none, which should do the trick.
Willy
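To make the trust decision in the three lines above concrete, here is an added example (not code from this thread and not HAProxy's own code) that mirrors the same logic in Python: load a list of proxy networks in the one-CIDR-per-line format of the Cloudflare text files, drop any X-Forwarded-For header that arrives from a source address outside those networks, and add one carrying the TCP source address only when none is left. The CIDRs embedded in CF_IPS_TXT are constructed placeholders, not the real Cloudflare ranges; in production the file would be fetched from the URL John gave. Note that `src` is the address of the TCP peer HAProxy actually sees, so this only works when Cloudflare connects to HAProxy directly, not through another load balancer.

```python
import ipaddress

# Constructed sample in the cf-ips.txt format (one network per line).
# These are documentation/test prefixes, NOT the real Cloudflare ranges.
CF_IPS_TXT = """\
# comment lines and blank lines are ignored
203.0.113.0/24
198.51.100.0/24

2001:db8:cf::/48
"""


def load_trusted_networks(text):
    """Parse a cf-ips.txt style list into ip_network objects (the 'acl ... src -f' file)."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_trusted_proxy(src, nets):
    """Equivalent of the 'from_cf' acl: is the TCP source inside one of the listed networks?"""
    addr = ipaddress.ip_address(src)
    # 'in' is always False across IPv4/IPv6, so mixed lists are safe.
    return any(addr in net for net in nets)


def normalize_xff(src, headers, nets):
    """Apply the two rules from the thread to a request's headers.

    reqidel ^x-forwarded-for: if !from_cf   -> drop XFF from untrusted peers
    option forwardfor if-none               -> add XFF with src only if absent

    Header names are matched case-insensitively, as reqidel does.
    Returns a new header dict; the input is not modified.
    """
    trusted = is_trusted_proxy(src, nets)
    out = {}
    had_xff = False
    for name, value in headers.items():
        if name.lower() == "x-forwarded-for":
            if not trusted:
                continue  # forged or untrustworthy: delete it
            had_xff = True
        out[name] = value
    if not had_xff:
        out["X-Forwarded-For"] = src
    return out


def client_ip(headers):
    """Address the backend should log/rate-limit on, after normalize_xff.

    Each proxy appends the address it saw, so the right-most entry is the one
    written by the last trusted hop (assumption: the proxy appends rather than
    replaces; check the proxy's documentation before relying on this).
    """
    for name, value in headers.items():
        if name.lower() == "x-forwarded-for":
            return value.split(",")[-1].strip()
    return None


NETS = load_trusted_networks(CF_IPS_TXT)

if __name__ == "__main__":
    # Genuine request relayed by a listed proxy: header kept.
    print(normalize_xff("203.0.113.10", {"X-Forwarded-For": "192.0.2.7"}, NETS))
    # Direct request with a forged header: header replaced by the real source.
    print(normalize_xff("198.18.0.5", {"x-forwarded-for": "127.0.0.1"}, NETS))
```

Run it directly to see the two cases side by side; the first keeps the proxy-supplied client address, the second replaces the forged `127.0.0.1` with the real TCP source.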