Greetings,

On 02/14/2016 08:39 PM, Woody Woodpecker wrote:
Hello,

I am struggling to get an acl working to reject traffic originating from servers protected by the Cloudflare network, while my servers are behind Cloudflare too …

So I allow only traffic from the Cloudflare network to HAProxy, since my server is behind Cloudflare too.

This is getting me a bit muddled … comparing the CF-Connecting-IP and X-Forwarded-For headers is making a royal mess.

I am able to block other proxy traffic, but how do I distinguish between “clean” proxied traffic via Cloudflare and “unwanted” server generated traffic from Cloudflare?

Would any of you be able to point me in the right direction please?


If you have SSL on the origin I'd advise looking at enabling the "Authenticated Origin Pulls" feature of Cloudflare (under the 'Crypto' tab), which will then have Cloudflare send a client certificate to the origin (for information on verifying client certificates, see http://blog.haproxy.com/2013/06/13/ssl-client-certificate-information-in-http-headers-and-logs/).

One could restrict by IP with the headers, however if it needs to be locked down to that level half-way likely isn't worth it.

- Chad
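As an added illustration of the approach Chad describes (not configuration from either poster), the HAProxy frontend below accepts a TLS connection only when the peer presents a client certificate chaining to the Cloudflare Origin Pull CA, and puts the verification result into headers and the log line as in the linked blog post. The certificate paths and the backend address are placeholders; the CA bundle itself has to be obtained from Cloudflare's documentation.

```haproxy
# Added example, not from the thread. Paths and addresses are placeholders.
global
    ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param 2048

defaults
    mode http
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_https
    # verify required: the handshake is aborted unless the client presents a
    # certificate that validates against ca-file, so any request that did not
    # traverse Cloudflare never reaches the HTTP layer. With verify optional
    # (or no ca-file at all) unauthenticated requests would be accepted.
    bind :443 ssl crt /etc/haproxy/certs/origin.pem ca-file /etc/haproxy/certs/cloudflare-origin-pull-ca.pem verify required

    # Pass the verification outcome and certificate subject to the backend,
    # the same idea as the blog post linked above.
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
    http-request set-header X-SSL-Client-DN     %{+Q}[ssl_c_s_dn]

    # Keep the visitor IP reported by Cloudflare next to the verify result
    # in the access log, which makes review of rejected/accepted traffic easier.
    capture request header CF-Connecting-IP len 45
    log-format "%ci:%cp [%t] %ft %b/%s %ST %B verify=%[ssl_c_verify] cn=%{+Q}[ssl_c_s_dn(CN)] %hr %r"

    default_backend be_app

backend be_app
    server app1 10.0.0.10:8080 check
```

A verify result of 0 in the header or log means the client certificate validated; any other value is the OpenSSL verification error code.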
