cloudflare proxy #67
It is possible but geoip-shell does not support this functionality. geoip-shell configures the system firewall (iptables or nftables), which operates on network layers 2/3/4, while the CF-Connecting-IP header is an HTTP header, which belongs to layer 7 (the application layer) of the OSI model. Generally, the system firewall does not operate on layer 7 and you would need to use either deep packet inspection or a clever reverse proxy to operate on data contained in the HTTP header. That said, both iptables and nftables have limited capabilities to match arbitrary data in the packet. iptables via the
Rather, I would suggest adding all Cloudflare IP ranges to the local allowlist in geoip-shell. If you need further filtering based on the HTTP header, then you can implement that filtering via your web server facilities.
I don't think that this is possible but I might be wrong.
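One way to do the web-server-side filtering suggested in the reply above, assuming nginx built with the realip and geo modules. This is an added example, not part of the original discussion and not geoip-shell functionality; every address range and the server name are constructed placeholders.

```nginx
# Place in the http {} context.
# All CIDRs below are constructed placeholders (RFC 5737 documentation
# ranges), NOT real Cloudflare or French ranges. Substitute the ranges
# Cloudflare publishes and the same country ranges the firewall allows.

# 1. Trust CF-Connecting-IP only when the TCP peer is a Cloudflare proxy.
#    For any other peer the header is ignored, so a client connecting
#    directly cannot spoof its address by sending the header itself.
set_real_ip_from 192.0.2.0/24;       # placeholder: one line per Cloudflare range
real_ip_header   CF-Connecting-IP;

# 2. Classify the client address. geo reads $remote_addr, which the realip
#    module has already replaced with the header value for trusted peers.
geo $client_allowed {
    default          0;
    198.51.100.0/24  1;              # placeholder: an allowed French range
}

server {
    listen 80;
    server_name example.test;        # hypothetical name

    # 3. Reject every client whose effective address is not allowlisted.
    #    A request from a Cloudflare range that lacks the header keeps the
    #    Cloudflare address, matches "default 0" and is rejected as well.
    if ($client_allowed = 0) {
        return 403;
    }
}
```

The firewall allowlist still has to admit both the country ranges and the Cloudflare ranges, as the reply suggests; nginx then makes the per-client decision that layers 3/4 cannot make.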
-
Hello,
First of all, thank you for this great tool.
My question is this: I have a Plesk server on Ubuntu 22, and I'm using this tool because my Plesk server has been under a lot of attack. My scenario is as follows: I block all traffic outside of France, but since my customers redirect their domains from here using Cloudflare and the incoming traffic passes through Cloudflare servers when they activate the proxy, I cannot verify the incoming traffic. Is it possible to filter the real customer IP addresses by reading the CF-Connecting-IP header?
Or, if I add France and Cloudflare IP addresses to the whitelist, is it possible to use them with Nginx or ModSecurity?