On Sat, Apr 25, 2020 at 12:24 AM Yann Ylavic <ylavic.dev@xxxxxxxxx> wrote:
>
> On Sat, Apr 25, 2020 at 12:17 AM Yann Ylavic <ylavic.dev@xxxxxxxxx> wrote:
> >
> > Hi,
> >
> > On Fri, Apr 24, 2020 at 10:49 PM bapt x <baptx.is@xxxxxxxxx> wrote:
> > >
> > > Is there a way to have the same functionality as the directive DenyAllButCloudflare from mod_cloudflare when using mod_remoteip?
> > > I would like to block access to users who try to bypass Cloudflare reverse proxy (e.g. accessing my web server directly by guessing the IP address). It looks like iptables is not a solution since I still want to host some websites without Cloudflare.
> >
> > I did not try, but possibly a mix of mod_remoteip and mod_rewrite like this:
> >
> > RemoteIPHeader CF-Connecting-IP
> > RemoteIPTrustedProxyList /path/to/proxies.list
> > RewriteEngine on
> > RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
>
> Err, this should be:
> RewriteCond expr "%{REMOTE_ADDR} == %{CONN_REMOTE_ADDR}"
> because mod_remoteip will change REMOTE_ADDR (to the value of the
> header) only if CONN_REMOTE_ADDR (the proxy) is trusted, so if both
> are equal it means that CONN_REMOTE_ADDR is not a trusted proxy.
>
> > RewriteRule ^ - [F]
> >
> > With "proxies.list" containing the same list as mod_cloudflare's ([1]).

Actually, if this works, a simpler way to do it (with the core
authorization mechanism) is:

RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxyList /path/to/proxies.list
Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"

> >
> > Hth,
> > Yann.
> >
> > [1] https://github.com/cloudflare/mod_cloudflare/blob/master/mod_cloudflare.c#L44
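
Added example, not part of the original thread and not Apache's own code: a simplified Python model of the REMOTE_ADDR rule described above, run against constructed requests to show which ones the `Require expr` line would admit. The proxy ranges are documentation addresses rather than Cloudflare's list, and the function names are hypothetical.

```python
import ipaddress

# Constructed trusted-proxy list (documentation ranges, not Cloudflare's real list).
TRUSTED = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:cf::/48")]
HEADER = "CF-Connecting-IP"  # matches RemoteIPHeader in the thread


def remote_addr(conn_addr, headers, trusted=TRUSTED):
    """Simplified model (assumption): REMOTE_ADDR becomes the header value only
    when the connection peer is a trusted proxy and the header is a valid IP."""
    peer = ipaddress.ip_address(conn_addr)
    if not any(peer in net for net in trusted):
        return str(peer)  # untrusted peer: header is ignored
    try:
        return str(ipaddress.ip_address(headers.get(HEADER, "").strip()))
    except ValueError:
        return str(peer)  # missing or malformed header: address unchanged


def require_allows(conn_addr, headers, trusted=TRUSTED):
    """Model of: Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"."""
    conn = str(ipaddress.ip_address(conn_addr))
    return remote_addr(conn_addr, headers, trusted) != conn


# Constructed requests: (label, connection peer, request headers).
SAMPLES = [
    ("via trusted proxy", "198.51.100.7", {HEADER: "203.0.113.50"}),
    ("direct, no header", "203.0.113.50", {}),
    ("direct, forged header", "203.0.113.50", {HEADER: "192.0.2.1"}),
    ("trusted proxy, header missing", "198.51.100.7", {}),
    ("trusted proxy, header is garbage", "198.51.100.7", {HEADER: "not-an-ip"}),
    ("trusted IPv6 proxy", "2001:db8:cf::1", {HEADER: "2001:DB8:0:0::5"}),
]


def evaluate(samples=SAMPLES):
    """Return {label: allowed} for each constructed request."""
    return {label: require_allows(peer, hdrs) for label, peer, hdrs in samples}


if __name__ == "__main__":
    for label, allowed in evaluate().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5}  {label}")
```

In this model a request from a trusted proxy with a missing or unparseable header is denied too, because REMOTE_ADDR stays equal to the connection address.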