
ConnectionsPerIP with whitelist

Amar
14 April 2013, 12:30
Hello Hugo,

I usually use the ConnectionsPerIP setting as one of the security features for my server, but now I have a site that uses Cloudflare as DNS. If you don't know Cloudflare: it accepts client connections and then on the destination (my server) appears with their IPs, and sometimes they create many more connections than I usually set in ConnectionsPerIP. So I need to whitelist them.

Now I was browsing through the manual pages and just wondering if RequestLimitMask is what I am looking for? Also I need to allow multiple blocks (see http://cloudflare.com/ips ), so how would the syntax look for this?


ty.

Hiawatha version: 9.0
Operating System: Debian
Hugo Leisink
14 April 2013, 17:46
Cloudflare adds a HTTP header named CF-Connecting-IP, which contains the IP address of the real client. Correct?
Amar
14 April 2013, 19:18
Something like that... They offer an Apache module and application-level modules (for example a Joomla module). But when on my server I do netstat -nt I only see Cloudflare's IPs, so this is where I am confused. Joomla (with this module) sees the real client IPs (at least the Google Analytics code on it reports it OK), but on my server I only see Cloudflare IPs.
Hugo Leisink
14 April 2013, 21:05
What I did for 9.1 is make the HideProxy option also work for the CF-Connecting-IP HTTP header and allowed subnets instead of only IP addresses. Would that work for you? The beta of 9.1 can be found here [www.leisink.net].

Please confirm that in your access logfiles, the CF-Connecting-IP HTTP header is present.
Amar
14 April 2013, 21:13
Great, I guess you had this in mind before me : ). I will compile it and see how it goes (even though I don't host that site with CF yet). Is there documentation for this?

ty.
Amar
15 April 2013, 01:01
Okay, the HideProxy line looks like this:

HideProxy = 204.93.240.0/24, 204.93.177.0/24, 199.27.128.0/21, 173.245.48.0/20, 103.21.244.0/22, 103.22.200.0/22, 103.31.4.0/22, 141.101.64.0/18, 108.162.192.0/18, 190.93.240.0/20, 188.114.96.0/20, 197.234.240.0/22, 198.41.128.0/17

Migrating that site in the next 24h, hope everything will be OK : )
Amar
15 April 2013, 02:22
I can see this in my access log now:

Connection: keep-alive|Accept-Encoding: gzip|CF-Connecting-IP: 66.249.74.10|CF-IPCountry: US|X-Forwarded-For: 66.249.74.10|CF-RAY: 5f479e1d513018d|X-Forwarded-Proto: http|CF-Visitor: {"scheme":"http"}|Accept: */*|From: googlebot(at)googlebot.com|User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)


I guess this is what we wanted : )
Hugo Leisink
15 April 2013, 07:33
So Cloudflare also sets the X-Forwarded-For header, perfect. I'll remove the Cloudflare specific header from the HideProxy function again. I've added the missing Cloudflare headers to the CGI environment. Thanks for the log example.
This topic has been closed.
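The thread's mechanism in working form, as an added example that is not Hiawatha's own code: the forwarded header is honoured only when the TCP peer falls inside one of the HideProxy subnets posted above, so a client that reaches the server directly cannot forge X-Forwarded-For to sidestep ConnectionsPerIP. The header walk and the per-client counter are illustrative logic, not a description of how Hiawatha implements it.

```python
import ipaddress
from collections import Counter

# The Cloudflare ranges from the HideProxy line posted in the thread (copied here as sample input).
HIDE_PROXY = ("204.93.240.0/24, 204.93.177.0/24, 199.27.128.0/21, 173.245.48.0/20, "
              "103.21.244.0/22, 103.22.200.0/22, 103.31.4.0/22, 141.101.64.0/18, "
              "108.162.192.0/18, 190.93.240.0/20, 188.114.96.0/20, 197.234.240.0/22, "
              "198.41.128.0/17")


def parse_hide_proxy(value):
    """Turn 'a.b.c.d/nn, ...' into ip_network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(p.strip(), strict=False) for p in value.split(",") if p.strip()]


def is_trusted_proxy(addr, networks):
    ip = ipaddress.ip_address(addr)          # raises ValueError on garbage
    return any(ip in net for net in networks)


def effective_client_ip(peer_ip, headers, networks):
    """Return the address that a per-IP limit should count for this connection.

    Only a peer inside a HideProxy subnet may speak for someone else; anyone
    else is counted by their own TCP address, whatever headers they send.
    """
    if not is_trusted_proxy(peer_ip, networks):
        return peer_ip
    xff = headers.get("X-Forwarded-For")
    if xff:
        # Proxies append to the right, so walk right-to-left past trusted
        # hops and take the first address that is not one of our proxies.
        for hop in reversed([h.strip() for h in xff.split(",")]):
            try:
                if not is_trusted_proxy(hop, networks):
                    return hop
            except ValueError:
                return peer_ip                # malformed header: fall back to the peer
    return peer_ip


def count_connections(connections, networks):
    """connections: iterable of (peer_ip, headers). Returns {client_ip: open connections}."""
    tally = Counter()
    for peer, hdrs in connections:
        tally[effective_client_ip(peer, hdrs, networks)] += 1
    return dict(tally)
```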