Re: Add X-Forwarded-For
Hi Sander,

On 08/05/2013 22:26, Sander Klein wrote:
> Thanks everyone for answering. I'll play around a bit with my config and the suggestions.

To complete the suggestions, here is the configuration I've used for months on a personal website:

    acl FROM_CLOUDFLARE src -f /etc/haproxy/cloudflare_ips.dat
    reqidel ^X-Forwarded-For:.* if ! LOCALHOST
    reqirep ^CF-Connecting-IP:(.*)$ X-Forwarded-For:\1 if FROM_CLOUDFLARE
    option forwardfor if-none

/etc/haproxy/cloudflare_ips.dat is the content of https://www.cloudflare.com/ips-v4

I preferred the use of reqirep to rename the CloudFlare header (no changes were required in backends, where varnish and apache+mod_rpaf are used).

Hope this helps.

-- 
Cyril Bonté
Add X-Forwarded-For
Hi,

I want to move some websites behind Cloudflare. They already add an X-Forwarded-For header, so I do not want to add it if the request comes from Cloudflare, but I do want to add it if the request is not from Cloudflare. Since both requests will pass through the same frontend I need some kind of ACL or whatever.

Is there a way to do this?

Greets,

Sander
Re: Add X-Forwarded-For
Replying to myself ;-)

On 08.05.2013 10:52, Sander Klein wrote:
> Hi,
>
> I want to move some websites behind Cloudflare. They already add an X-Forwarded-For header, so I do not want to add it if the request comes from Cloudflare, but I do want to add it if the request is not from Cloudflare. Since both requests will pass through the same frontend I need some kind of ACL or whatever.
>
> Is there a way to do this?

I know I can use 'option forwardfor except [network]' but Cloudflare uses a lot of networks.

Greets,

Sander
RE: Add X-Forwarded-For
> I know I can use 'option forwardfor except [network]' but Cloudflare uses a lot of networks.

Exactly, we would need to trigger forwardfor based on an ACL match, which doesn't seem to be supported currently.

Regards,
Lukas
Re: Add X-Forwarded-For
On Wed, May 08, 2013 at 10:52:29AM +0200, Sander Klein wrote:
> Hi,
>
> I want to move some websites behind Cloudflare. They already add an X-Forwarded-For header, so I do not want to add it if the request comes from Cloudflare, but I do want to add it if the request is not from Cloudflare. Since both requests will pass through the same frontend I need some kind of ACL or whatever.
>
> Is there a way to do this?

You have the optional argument if-none for option forwardfor, but you should not do this with external proxies whose addresses you don't know, because anyone could pass one and fool you. In practice you would need them to pass you some information to prove the request comes from them. The best way to do this is to do it over SSL.

Cheers,
Willy
Re: Add X-Forwarded-For
Hey,

> You have the optional argument if-none for option forwardfor, but you should not do this with external proxies whose addresses you don't know, because anyone could pass one and fool you.

This doesn't feel like a good option ;-)

> In practice you would need them to pass you some information to prove the request comes from them. The best way to do this is to do it over SSL.

Well, I know which networks they are using since they provide them on their website. That might be proof enough. I didn't test if it's possible to do 'option forwardfor except 192.168.1.0/24 192.168.2.0/24 etc...' Even better would be to load it from a file.

Maybe the option from Finn Arne Gangstad might prove good enough for me and I can fix it with some reqidel statements.

Greets,

Sander
RE: Add X-Forwarded-For
You could also:

- always insert/append forwardfor and remove the Cloudflare IPs in the application code

This has the disadvantage that you need to modify the application code.

Or another way:

- duplicate your backend, one for direct-mode and one for Cloudflare: select it based on an ACL (which you can feed with the Cloudflare IPs).
- configure option forwardfor only on the direct-mode backend and remove it from default/frontend/global sections

This has the disadvantage that by duplicating the backend, per-server settings like maxconn need to be configured more carefully.

Lukas
Re: Add X-Forwarded-For
On Wed, May 08, 2013 at 12:51:10PM +0200, Sander Klein wrote:
> On 08.05.2013 12:21, Sander Klein wrote:
>> Hey,
>>
>>> You have the optional argument if-none for option forwardfor, but you should not do this with external proxies whose addresses you don't know, because anyone could pass one and fool you.
>>
>> This doesn't feel like a good option ;-)
>>
>>> In practice you would need them to pass you some information to prove the request comes from them. The best way to do this is to do it over SSL.
>>
>> Well, I know which networks they are using since they provide them on their website. That might be proof enough. I didn't test if it's possible to do 'option forwardfor except 192.168.1.0/24 192.168.2.0/24 etc...' Even better would be to load it from a file.
>>
>> Maybe the option from Finn Arne Gangstad might prove good enough for me and I can fix it with some reqidel statements.
>
> I just found out that they also send a CF-Connecting-IP header. Is there a way to copy the contents of this header to the X-Forwarded-For header?

Yes, just remove x-forwarded-for and rename cf-connecting-ip to x-forwarded-for :-)

Willy
RE: Add X-Forwarded-For
>> I just found out that they also send a CF-Connecting-IP header. Is there a way to copy the contents of this header to the X-Forwarded-For header?
>
> Yes, just remove x-forwarded-for and rename cf-connecting-ip to x-forwarded-for :-)
>
> Willy

But remember that cf-connecting-ip can be spoofed as easily as x-forwarded-for. You will need to check the Cloudflare IPs somehow, and you can do this with the 2 proposals from my previous mail.

Regards,
Lukas
Re: Add X-Forwarded-For
The definitive list of Cloudflare IPs doesn't appear to be too unmanageable:

https://www.cloudflare.com/ips

They also provide convenient text files that just contain the IP address lists for easy automation.

As Lukas says, if you do not validate the IP addresses it's trivial for anyone to forge client IP addresses.

-JohnF

On Wed, May 8, 2013 at 8:26 AM, Lukas Tribus luky...@hotmail.com wrote:
>>> I just found out that they also send a CF-Connecting-IP header. Is there a way to copy the contents of this header to the X-Forwarded-For header?
>>
>> Yes, just remove x-forwarded-for and rename cf-connecting-ip to x-forwarded-for :-)
>>
>> Willy
>
> But remember that cf-connecting-ip can be spoofed as easily as x-forwarded-for. You will need to check the Cloudflare IPs somehow, and you can do this with the 2 proposals from my previous mail.
>
> Regards,
> Lukas
Re: Add X-Forwarded-For
On Wed, May 08, 2013 at 08:29:15AM -0400, John Marrett wrote:
> The definitive list of Cloudflare IPs doesn't appear to be too unmanageable:
>
> https://www.cloudflare.com/ips
>
> They also provide convenient text files that just contain the IP address lists for easy automation.
>
> As Lukas says, if you do not validate the IP addresses it's trivial for anyone to forge client IP addresses.

I agree, and indeed the list is very small, I thought it was much larger, as Akamai's which are much harder to deal with.

I think the following method should work, though I have not tested it:

    acl from_cf src -f cf-ips.txt   # list of cf's addresses, one per line
    reqidel ^x-forwarded-for: if !from_cf
    option forwardfor if-none

It is supposed to remove xff from requests not coming from CF, and to add one only when there is none, which should do the trick.

Willy
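As an added example (not code from the thread or from HAProxy), the trust decision behind Willy's and Cyril's rule sets emulated in Python, so the spoofing case Lukas and John warn about can be exercised offline: strip any client-supplied X-Forwarded-For, rename CF-Connecting-IP only when the source address is in the Cloudflare list, and fall back to the source address as `option forwardfor if-none` would. The IP list is a constructed stand-in using documentation ranges, not the real ips-v4 file, and the localhost exception from Cyril's config is omitted.

```python
import ipaddress

# Constructed stand-in for /etc/haproxy/cloudflare_ips.dat (one network per line).
# A real deployment loads https://www.cloudflare.com/ips-v4; TEST-NET ranges are used here.
CF_IPS_DAT = """\
203.0.113.0/24
198.51.100.0/25
"""


def load_cf_networks(text):
    """Parse a 'src -f' style file: one network per line, blanks and comments ignored."""
    return [ipaddress.ip_network(line.strip())
            for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def from_cloudflare(src, nets):
    """Equivalent of 'acl from_cf src -f cf-ips.txt': is the TCP peer in the list?"""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


def _delete_header(headers, name):
    """reqidel: drop every header with this name (case-insensitive, like the 'i' variant)."""
    return [(k, v) for k, v in headers if k.lower() != name.lower()]


def apply_forwardfor_rules(src, headers, nets):
    r"""Emulate the thread's rules on a list of (name, value) request headers:
      reqidel ^X-Forwarded-For:.*                              (strip client-supplied XFF)
      reqirep ^CF-Connecting-IP:(.*)$ X-Forwarded-For:\1 if from_cf
      option forwardfor if-none                                (add src when none remains)
    Returns the header list the backend would see."""
    out = _delete_header(headers, "X-Forwarded-For")
    if from_cloudflare(src, nets):
        # Rename only for requests that really came from a listed edge address.
        out = [("X-Forwarded-For", v) if k.lower() == "cf-connecting-ip" else (k, v)
               for k, v in out]
    if not any(k.lower() == "x-forwarded-for" for k, _ in out):
        out.append(("X-Forwarded-For", src))
    return out


def client_ip(headers):
    """What a backend such as mod_rpaf would take as the client: the XFF value, if any."""
    for k, v in headers:
        if k.lower() == "x-forwarded-for":
            return v.strip()
    return None
```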
Re: Add X-Forwarded-For
Thanks everyone for answering. I'll play around a bit with my config and the suggestions.

Greets,

Sander

On 8 May 2013, at 15:04, Willy Tarreau w...@1wt.eu wrote:
> On Wed, May 08, 2013 at 08:29:15AM -0400, John Marrett wrote:
>> The definitive list of Cloudflare IPs doesn't appear to be too unmanageable:
>>
>> https://www.cloudflare.com/ips
>>
>> They also provide convenient text files that just contain the IP address lists for easy automation.
>>
>> As Lukas says, if you do not validate the IP addresses it's trivial for anyone to forge client IP addresses.
>
> I agree, and indeed the list is very small, I thought it was much larger, as Akamai's which are much harder to deal with.
>
> I think the following method should work, though I have not tested it:
>
>     acl from_cf src -f cf-ips.txt   # list of cf's addresses, one per line
>     reqidel ^x-forwarded-for: if !from_cf
>     option forwardfor if-none
>
> It is supposed to remove xff from requests not coming from CF, and to add one only when there is none, which should do the trick.
>
> Willy