On Sat, Apr 25, 2020 at 12:24 AM Yann Ylavic <[email protected]> wrote:
>
> On Sat, Apr 25, 2020 at 12:17 AM Yann Ylavic <[email protected]> wrote:
> >
> > Hi,
> >
> > On Fri, Apr 24, 2020 at 10:49 PM bapt x <[email protected]> wrote:
> > >
> > > Is there a way to have the same functionality as the directive
> > > DenyAllButCloudflare from mod_cloudflare when using mod_remoteip?
> > > I would like to block access to users who try to bypass Cloudflare
> > > reverse proxy (e.g. accessing my web server directly by guessing the IP
> > > address). It looks like iptables is not a solution since I still want to
> > > host some websites without Cloudflare.
> >
> > I did not try, but possibly a mix of mod_remoteip and mod_rewrite like this:
> >
> > RemoteIPHeader CF-Connecting-IP
> > RemoteIPTrustedProxyList /path/to/proxies.list
> > RewriteEngine on
> > RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
>
> Err, this should be:
> RewriteCond expr "%{REMOTE_ADDR} == %{CONN_REMOTE_ADDR}"
> because mod_remoteip will change REMOTE_ADDR (to the value of the
> header) only if CONN_REMOTE_ADDR (the proxy) is trusted, so if both
> are equal it means that CONN_REMOTE_ADDR is not a trusted proxy.
>
> > RewriteRule ^ - [F]
> >
> > With "proxies.list" containing the same list as mod_cloudflare's ([1]).
Actually, if this works, a simpler way to do it (with the core
authorization mechanism) is:
RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxyList /path/to/proxies.list
Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
> >
> > Hth,
> > Yann.
> >
> > [1]
> > https://github.com/cloudflare/mod_cloudflare/blob/master/mod_cloudflare.c#L44
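As an added illustration, not code from the thread or from httpd itself, the following Python model shows why the `Require expr` test above holds: mod_remoteip only swaps REMOTE_ADDR for the header value when the TCP peer is in the trusted proxy list, so a direct connection that carries a forged CF-Connecting-IP still fails the check, and so does a trusted proxy that sends no usable header (fail closed). The proxy ranges and client addresses are constructed documentation values, and the model treats the header as a single address (as CF-Connecting-IP is), leaving out mod_remoteip's comma-separated chain handling.

```python
import ipaddress
from typing import Optional

# Constructed stand-in for the networks that would be listed in
# /path/to/proxies.list; these are documentation ranges, not Cloudflare's.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("203.0.113.0/24", "2001:db8::/32")]


def is_trusted_proxy(addr: str) -> bool:
    """RemoteIPTrustedProxyList membership test for a connection peer."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def remoteip_rewrite(conn_remote_addr: str, header: Optional[str]) -> str:
    """Simplified model of mod_remoteip with RemoteIPHeader CF-Connecting-IP:
    REMOTE_ADDR becomes the header's client address only when the TCP peer
    is a listed proxy and the header holds a valid address; otherwise the
    header is ignored and REMOTE_ADDR stays equal to CONN_REMOTE_ADDR."""
    if header is None or not is_trusted_proxy(conn_remote_addr):
        return conn_remote_addr
    try:
        return str(ipaddress.ip_address(header.strip()))
    except ValueError:
        return conn_remote_addr  # garbage in the header: fail closed


def require_via_proxy(conn_remote_addr: str, header: Optional[str]) -> bool:
    """Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}":
    True means the request is granted, False means a 403."""
    return remoteip_rewrite(conn_remote_addr, header) != conn_remote_addr


# Constructed connections: (peer address, CF-Connecting-IP header value).
CASES = {
    "via_cloudflare":     ("203.0.113.10", "198.51.100.7"),
    "direct_no_header":   ("198.51.100.7", None),
    "direct_spoofed_hdr": ("198.51.100.7", "203.0.113.10"),
    "proxy_missing_hdr":  ("203.0.113.10", None),
}


def evaluate_cases() -> dict:
    """Map each constructed connection to the authorization outcome."""
    return {name: require_via_proxy(peer, hdr)
            for name, (peer, hdr) in CASES.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_cases().items():
        print(f"{name:20s} -> {'allow' if allowed else '403'}")
```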