On Sat, Apr 25, 2020 at 12:17 AM Yann Ylavic <[email protected]> wrote:
>
> Hi,
>
> On Fri, Apr 24, 2020 at 10:49 PM bapt x <[email protected]> wrote:
> >
> > Is there a way to have the same functionality as the directive
> > DenyAllButCloudflare from mod_cloudflare when using mod_remoteip?
> > I would like to block access to users who try to bypass Cloudflare reverse
> > proxy (e.g. accessing my web server directly by guessing the IP address).
> > It looks like iptables is not a solution since I still want to host some
> > websites without Cloudflare.
>
> I did not try, but possibly a mix of mod_remoteip and mod_rewrite like this:
>
> RemoteIPHeader CF-Connecting-IP
> RemoteIPTrustedProxyList /path/to/proxies.list
> RewriteEngine on
> RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
Err, this should be:
RewriteCond expr "%{REMOTE_ADDR} == %{CONN_REMOTE_ADDR}"
because mod_remoteip will change REMOTE_ADDR (to the value of the
header) only if CONN_REMOTE_ADDR (the proxy) is trusted, so if both
are equal it means that CONN_REMOTE_ADDR is not a trusted proxy.
> RewriteRule ^ - [F]
>
> With "proxies.list" containing the same list as mod_cloudflare's ([1]).
>
> Hth,
> Yann.
>
> [1]
> https://github.com/cloudflare/mod_cloudflare/blob/master/mod_cloudflare.c#L44
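
Added example (not part of the original thread, and not mod_remoteip's own code): a simplified Python model of the rule explained above, showing which requests the corrected RewriteCond turns into a 403. The trusted range and all addresses are constructed documentation values standing in for proxies.list, and the function names are hypothetical; the model assumes a trusted list is configured and does not cover mod_remoteip's other header checks.

```python
import ipaddress

# Constructed stand-in for proxies.list (documentation range, not Cloudflare's real list).
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]


def effective_remote_addr(conn_remote_addr, cf_connecting_ip=None):
    """Simplified model of mod_remoteip: return what REMOTE_ADDR becomes.

    The header value replaces the address only when the TCP peer
    (CONN_REMOTE_ADDR) is in the trusted list and the header parses as an IP.
    """
    peer = ipaddress.ip_address(conn_remote_addr)
    if cf_connecting_ip is None:
        return str(peer)  # no header: nothing to substitute
    if not any(peer in net for net in TRUSTED_PROXIES):
        return str(peer)  # untrusted peer: header ignored
    try:
        return str(ipaddress.ip_address(cf_connecting_ip.strip()))
    except ValueError:
        return str(peer)  # unparsable header: address left unchanged


def is_forbidden(conn_remote_addr, cf_connecting_ip=None):
    """Mirror of the corrected RewriteCond: deny when both addresses are equal."""
    unchanged = str(ipaddress.ip_address(conn_remote_addr))
    return effective_remote_addr(conn_remote_addr, cf_connecting_ip) == unchanged


CASES = [  # (description, TCP peer, CF-Connecting-IP header), all constructed
    ("via trusted proxy", "198.51.100.10", "203.0.113.7"),
    ("direct, no header", "203.0.113.7", None),
    ("direct, forged header", "203.0.113.7", "192.0.2.99"),
    ("trusted proxy, header missing", "198.51.100.10", None),
]

if __name__ == "__main__":
    for desc, peer, header in CASES:
        verdict = "403" if is_forbidden(peer, header) else "allow"
        addr = effective_remote_addr(peer, header)
        print(f"{desc:32} REMOTE_ADDR={addr:15} {verdict}")
```

Only the first case is allowed. The last case shows a side effect of the equality test: a request from a trusted proxy that carries no usable header is rejected as well.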