On Sat, Apr 25, 2020 at 12:17 AM Yann Ylavic <ylavic....@gmail.com> wrote:
>
> Hi,
>
> On Fri, Apr 24, 2020 at 10:49 PM bapt x <baptx...@gmail.com> wrote:
> >
> > Is there a way to have the same functionality as the directive
> > DenyAllButCloudflare from mod_cloudflare when using mod_remoteip?
> > I would like to block access to users who try to bypass Cloudflare reverse
> > proxy (e.g. accessing my web server directly by guessing the IP address).
> > It looks like iptables is not a solution since I still want to host some
> > websites without Cloudflare.
>
> I did not try, but possibly a mix of mod_remoteip and mod_rewrite like this:
>
>   RemoteIPHeader CF-Connecting-IP
>   RemoteIPTrustedProxyList /path/to/proxies.list
>   RewriteEngine on
>   RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"

Err, this should be:
  RewriteCond expr "%{REMOTE_ADDR} == %{CONN_REMOTE_ADDR}"
because mod_remoteip will change REMOTE_ADDR (to the value of the
header) only if CONN_REMOTE_ADDR (the proxy) is trusted, so if both
are equal it means that CONN_REMOTE_ADDR is not a trusted proxy.

>   RewriteRule ^ - [F]
>
> With "proxies.list" containing the same list as mod_cloudflare's ([1]).
>
> Hth,
> Yann.
>
> [1]
> https://github.com/cloudflare/mod_cloudflare/blob/master/mod_cloudflare.c#L44
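
The decision the corrected condition makes, as an added example that is not part of the original message or of httpd: a simplified Python model of the REMOTE_ADDR / CONN_REMOTE_ADDR comparison for a single-valued CF-Connecting-IP header. The function names and the two trusted ranges (documentation prefixes standing in for the real proxies.list) are assumptions, and the model does not reproduce every mod_remoteip rule.

```python
import ipaddress

# Constructed stand-in for proxies.list: documentation ranges, NOT Cloudflare's.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("192.0.2.0/24", "2001:db8:cf::/48")]


def is_trusted(conn_addr):
    """True when the TCP peer falls inside one of the trusted proxy ranges."""
    ip = ipaddress.ip_address(conn_addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def effective_remote_addr(conn_addr, cf_header=None):
    """Model of REMOTE_ADDR after mod_remoteip (assumed simplification).

    The header value replaces the peer address only when the peer is a
    trusted proxy and the header parses as an IP address.
    """
    if cf_header and is_trusted(conn_addr):
        try:
            return str(ipaddress.ip_address(cf_header.strip()))
        except ValueError:
            pass  # unparsable header: keep the connection address
    return str(ipaddress.ip_address(conn_addr))


def is_forbidden(conn_addr, cf_header=None):
    """Model of the corrected rule: 403 when REMOTE_ADDR == CONN_REMOTE_ADDR."""
    peer = str(ipaddress.ip_address(conn_addr))
    return effective_remote_addr(conn_addr, cf_header) == peer


if __name__ == "__main__":
    # Constructed sample requests: (connection peer, CF-Connecting-IP header).
    samples = [
        ("192.0.2.10", "203.0.113.7"),      # via trusted proxy
        ("2001:db8:cf::1", "203.0.113.7"),  # via trusted proxy over IPv6
        ("198.51.100.5", "203.0.113.7"),    # direct hit with a forged header
        ("198.51.100.5", None),             # direct hit, no header
        ("192.0.2.10", None),               # trusted peer but header missing
        ("192.0.2.10", "not-an-ip"),        # trusted peer, garbage header
    ]
    for peer, header in samples:
        verdict = "403" if is_forbidden(peer, header) else "pass"
        print(f"{peer:16} header={header!s:14} -> {verdict}")
```

A forged header from an untrusted peer never changes the modelled REMOTE_ADDR, so the comparison still denies it; a trusted peer that sends no usable header is denied as well.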