Thanks everyone for answering. I'll play around a bit with my config and the 
suggestions. 

Greets,

Sander

On 8 May 2013, at 15:04, Willy Tarreau <[email protected]> wrote:

> On Wed, May 08, 2013 at 08:29:15AM -0400, John Marrett wrote:
>> The definitive list of Cloudflare IPs doesn't appear to be too unmanageable:
>> 
>> https://www.cloudflare.com/ips
>> 
>> They also provide convenient text files that just contain the IP address
>> lists for easy automation.
>> 
>> As Lukas says, if you do not validate the IP addresses, it's trivial for
>> anyone to forge client IP addresses.
> 
> I agree, and indeed the list is very small. I thought it was much larger,
> as Akamai's, which are much harder to deal with.
> 
> I think the following method should work, though I have not tested it:
> 
>    acl from_cf src -f cf-ips.txt   # list of cf's addresses, one per line
>    reqidel ^x-forwarded-for: if !from_cf
>    option forwardfor if-none
> 
> It is supposed to remove xff from requests not coming from CF, and to add
> one only when there is none, which should do the trick.
> 
> Willy
> 
> 

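The behaviour the three quoted HAProxy lines are meant to produce, modelled in Python as an added example (not from the thread and not HAProxy code). The ranges are constructed documentation blocks standing in for `cf-ips.txt`, and the function names are hypothetical.

```python
import ipaddress

# Constructed stand-in for cf-ips.txt (RFC 5737 / RFC 3849 documentation
# ranges). These are NOT Cloudflare's real ranges.
CF_IPS_TXT = """\
192.0.2.0/24
198.51.100.0/24   # comments and blank lines are skipped

2001:db8::/32
"""

def load_networks(text):
    """Parse one address or CIDR per line."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def from_trusted(src, nets):
    """Model of the from_cf ACL: is the TCP peer inside a listed range?"""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)

def apply_xff_policy(src, headers, nets):
    """Return the (name, value) header list the backend would receive."""
    out = list(headers)
    if not from_trusted(src, nets):
        # Model of: reqidel ^x-forwarded-for: if !from_cf
        out = [(k, v) for k, v in out if k.lower() != "x-forwarded-for"]
    if not any(k.lower() == "x-forwarded-for" for k, _ in out):
        # Model of: option forwardfor if-none
        out.append(("X-Forwarded-For", src))
    return out

def xff_values(headers):
    """The X-Forwarded-For values a backend would read for logging."""
    return [v for k, v in headers if k.lower() == "x-forwarded-for"]

CF_NETS = load_networks(CF_IPS_TXT)

if __name__ == "__main__":
    forged = [("Host", "example.test"), ("x-forwarded-for", "10.0.0.1")]
    # Peer outside the list: the forged value is dropped, the real peer is used.
    print(xff_values(apply_xff_policy("203.0.113.7", forged, CF_NETS)))
    # Peer inside the list: the header it supplied is kept as is.
    print(xff_values(apply_xff_policy("192.0.2.10", forged, CF_NETS)))
```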