I meant == instead of != like you corrected.
On Sat, 25 Apr 2020 at 13:08, baptx <baptx...@gmail.com> wrote:
> Thanks Yann, it worked.
>
> I used RemoteIPTrustedProxy instead of RemoteIPTrustedProxyList in
> /etc/apache2/conf-available/remoteip.conf (from Cloudflare example:
> https://support.cloudflare.com/hc/en-us/articles/360029696071-Restoring-original-visitor-IPs-Option-2-Installing-mod-remoteip-with-Apache#12345680
> ).
> Then I just had to add this in the virtualhosts that I want to protect:
> RewriteEngine on
> RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
> RewriteRule ^ - [F]
>
> I tested the bypass like that in case someone is interested (the 4
> commands should return a 403 Forbidden error):
> curl http://1.2.3.4 -H "Host: correct.tld"
> curl http://1.2.3.4 -H "Host: wrong.tld"
> curl -k https://1.2.3.4 -H "Host: correct.tld"
> curl -k https://1.2.3.4 -H "Host: wrong.tld"
> Where 1.2.3.4 should be replaced by your server IP address and correct.tld
> should be replaced by a correct domain name used by your server.
> The commands try to bypass the reverse proxy both for HTTP and HTTPS. They
> also try to guess if a domain name is used by the server, by sending a
> correct and wrong Host header.
> To prevent someone from finding which domain name is used by your IP
> address by looking at the 403 Forbidden error page, the virtualhost used by
> the IP address should not use the same 403 Forbidden error page as the
> domain name.
>
> Baptiste
>
>
> On Sat, 25 Apr 2020 at 00:24, Yann Ylavic <ylavic....@gmail.com> wrote:
>
>> On Sat, Apr 25, 2020 at 12:17 AM Yann Ylavic <ylavic....@gmail.com> wrote:
>> >
>> > Hi,
>> >
>> > On Fri, Apr 24, 2020 at 10:49 PM bapt x <baptx...@gmail.com> wrote:
>> > >
>> > > Is there a way to have the same functionality as the directive
>> > > DenyAllButCloudflare from mod_cloudflare when using mod_remoteip?
>> > > I would like to block access to users who try to bypass Cloudflare
>> > > reverse proxy (e.g. accessing my web server directly by guessing the IP
>> > > address). It looks like iptables is not a solution since I still want to
>> > > host some websites without Cloudflare.
>> >
>> > I did not try, but possibly a mix of mod_remoteip and mod_rewrite like
>> > this:
>> >
>> > RemoteIPHeader CF-Connecting-IP
>> > RemoteIPTrustedProxyList /path/to/proxies.list
>> > RewriteEngine on
>> > RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
>>
>> Err, this should be:
>> RewriteCond expr "%{REMOTE_ADDR} == %{CONN_REMOTE_ADDR}"
>> because mod_remoteip will change REMOTE_ADDR (to the value of the
>> header) only if CONN_REMOTE_ADDR (the proxy) is trusted, so if both
>> are equal it means that CONN_REMOTE_ADDR is not a trusted proxy.
>>
>> > RewriteRule ^ - [F]
>> >
>> > With "proxies.list" containing the same list as mod_cloudflare's ([1]).
>> >
>> > Hth,
>> > Yann.
>> >
>> > [1]
>> > https://github.com/cloudflare/mod_cloudflare/blob/master/mod_cloudflare.c#L44
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
>>
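An added example, not from the thread and not Apache's own code, that models in Python why the corrected condition uses `==`: mod_remoteip replaces REMOTE_ADDR with the CF-Connecting-IP value only when CONN_REMOTE_ADDR is a trusted proxy, so REMOTE_ADDR still equal to CONN_REMOTE_ADDR means the request did not arrive through the proxy and should get the 403. The proxy ranges and request addresses are constructed placeholders (not Cloudflare's list), and the model handles a single-hop header only, not an X-Forwarded-For chain.

```python
import ipaddress

# Constructed stand-in for proxies.list; not Cloudflare's real ranges.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("203.0.113.0/24", "2001:db8:cf::/48")]
REMOTE_IP_HEADER = "CF-Connecting-IP"   # the RemoteIPHeader from the thread


def is_trusted_proxy(conn_remote_addr):
    """RemoteIPTrustedProxyList check: is the TCP peer in a trusted range?"""
    peer = ipaddress.ip_address(conn_remote_addr)
    return any(peer in net for net in TRUSTED_PROXIES)


def effective_remote_addr(conn_remote_addr, headers):
    """Model of mod_remoteip: REMOTE_ADDR is replaced by the header value
    only when the peer is trusted AND the header carries a valid address.
    In every other case REMOTE_ADDR stays equal to CONN_REMOTE_ADDR."""
    value = headers.get(REMOTE_IP_HEADER)
    if value and is_trusted_proxy(conn_remote_addr):
        try:
            return str(ipaddress.ip_address(value.strip()))
        except ValueError:
            pass   # an unparsable header value is ignored (assumed behaviour)
    return conn_remote_addr


def rewrite_cond_denies(conn_remote_addr, headers, op="=="):
    """Evaluate RewriteCond expr "%{REMOTE_ADDR} <op> %{CONN_REMOTE_ADDR}".
    True means RewriteRule ^ - [F] fires and the request gets a 403."""
    remote_addr = effective_remote_addr(conn_remote_addr, headers)
    equal = remote_addr == conn_remote_addr
    return equal if op == "==" else not equal


if __name__ == "__main__":
    # Constructed requests: (description, CONN_REMOTE_ADDR, headers).
    # Note the last case: a trusted proxy that omits the header is denied
    # too, which is why the header must be set on every proxied request.
    cases = [
        ("via trusted proxy, header set", "203.0.113.10", {REMOTE_IP_HEADER: "192.0.2.5"}),
        ("direct to origin, no header",   "192.0.2.5",    {}),
        ("direct to origin, header sent", "192.0.2.5",    {REMOTE_IP_HEADER: "203.0.113.10"}),
        ("trusted proxy, header missing", "203.0.113.10", {}),
    ]
    for desc, conn, hdrs in cases:
        print(f"{desc:32} ==:{rewrite_cond_denies(conn, hdrs, '=='):d} "
              f"!=:{rewrite_cond_denies(conn, hdrs, '!='):d}")
```

The `!=` column shows the original mistake: it would deny exactly the requests that came through the proxy and let the direct ones through.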