Hi Sander,
On 08/05/2013 22:26, Sander Klein wrote:
Thanks everyone for answering. I'll play around a bit with my config and the
suggestions.
To complete the suggestions, here is the configuration I've used for
months on a personal website:
acl FROM_CLOUDFLARE src -f
Hi,
I want to move some websites behind Cloudflare. They already add an
X-Forwarded-For header so I do not want to add it if the request comes
from Cloudflare, but I do want to add it if the request is not from
Cloudflare.
Since both requests will pass through the same frontend I need some
Replying to myself ;-)
On 08.05.2013 10:52, Sander Klein wrote:
Hi,
I want to move some websites behind Cloudflare. They already add an
X-Forwarded-For header so I do not want to add it if the request comes
from Cloudflare, but I do want to add it if the request is not from
Cloudflare.
Since
I know I can use 'option forwardfor except [network]' but Cloudflare
uses a lot of networks.
Exactly, we would need to trigger forwardfor based on an ACL match, which
doesn't seem to be supported currently.
Regards,
Lukas
On Wed, May 08, 2013 at 10:52:29AM +0200, Sander Klein wrote:
Hi,
I want to move some websites behind Cloudflare. They already add an
X-Forwarded-For header so I do not want to add it if the request comes
from Cloudflare, but I do want to add it if the request is not from
Cloudflare.
Hey,
You have the optional argument if-none for option forwardfor,
but you should not do this with external proxies whose addresses
you don't know because anyone could pass one and fool you.
This doesn't feel like a good option ;-)
In practice you would need them to pass you some information
You could also:
- always insert/append forwardfor and remove the cloudflare ips in the
application code
This has the disadvantage that you need to modify the application code.
Or another way:
- duplicate your backend, one for direct-mode and one for cloudflare:
select it based on a
On Wed, May 08, 2013 at 12:51:10PM +0200, Sander Klein wrote:
On 08.05.2013 12:21, Sander Klein wrote:
Hey,
You have the optional argument if-none for option forwardfor,
but you should not do this with external proxies whose addresses
you don't know because anyone could pass one and fool
I just found out that they also send a CF-Connecting-IP header. Is
there a way to copy the contents of this header to the X-Forwarded-For
header?
Yes, just remove x-forwarded-for and rename cf-connecting-ip to
x-forwarded-for :-)
Willy
But remember that cf-connecting-ip can be
The definitive list of cloudflare IPs doesn't appear to be too unmanageable:
https://www.cloudflare.com/ips
They also provide convenient text files that just contain the IP address
lists for easy automation.
As Lukas says if you do not validate the IP addresses it's trivial for
anyone to forge
On Wed, May 08, 2013 at 08:29:15AM -0400, John Marrett wrote:
The definitive list of cloudflare IPs doesn't appear to be too unmanageable:
https://www.cloudflare.com/ips
They also provide convenient text files that just contain the IP address
lists for easy automation.
As Lukas says if
Thanks everyone for answering. I'll play around a bit with my config and the
suggestions.
Greets,
Sander
On 8 May 2013, at 15:04, Willy Tarreau w...@1wt.eu wrote:
On Wed, May 08, 2013 at 08:29:15AM -0400, John Marrett wrote:
The definitive list of cloudflare IPs doesn't appear to be too
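The thread's suggestion to "always insert/append forwardfor and remove the cloudflare ips in the application code" can be done by walking the X-Forwarded-For chain from the right and skipping validated proxy addresses, so that entries forged by the client are never reached. The following is an added example, not code posted by anyone on the list; the function names are hypothetical, the networks are constructed placeholders from documentation address space, and it assumes each proxy (Cloudflare, then HAProxy) appends the address it received the connection from.

```python
import ipaddress

# Constructed placeholder ranges (documentation address space), NOT real
# Cloudflare networks. In production, load the lists published at
# https://www.cloudflare.com/ips and refresh them regularly.
TRUSTED_PROXY_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:cf::/48"),
]


def is_trusted_proxy(addr, nets=TRUSTED_PROXY_NETS):
    """True if addr belongs to one of the validated proxy networks."""
    return any(addr in net for net in nets)


def client_ip_from_xff(header_values, nets=TRUSTED_PROXY_NETS):
    """Return the rightmost X-Forwarded-For hop that is not a trusted proxy.

    header_values: the X-Forwarded-For header lines in the order the
    application received them (HAProxy's line comes last).
    Returns an ipaddress object, or None when the chain is empty, when every
    hop is a trusted proxy, or when a malformed hop is reached first. On None
    the caller should fall back to the socket peer address.
    """
    hops = [h.strip() for value in header_values
            for h in value.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # refuse to guess past an unparsable entry
        if not is_trusted_proxy(addr, nets):
            # First hop not vouched for by a trusted proxy: this is the
            # client. Anything further left was supplied by that client.
            return addr
    return None


if __name__ == "__main__":
    # Constructed sample requests: (description, header lines)
    samples = [
        ("direct, forged header", ["192.0.2.99", "198.51.100.7"]),
        ("via proxy, forged header", ["192.0.2.99, 198.51.100.7", "203.0.113.10"]),
    ]
    for label, lines in samples:
        print(label, "->", client_ip_from_xff(lines))
```

Both sample requests resolve to the same real client, because the forged leftmost entry is only reachable after an untrusted hop has already been returned.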