Haproxy Real IP + Cloudflare
I just can't seem to get this done. I'm still seeing cloudflare IPs in my log. Currently, I have a loadbalancer which is behind Cloudflare.

Currently, here's the block related to forwardfor:

    option          forwardfor except 127.0.0.1
    option          forwardfor except 204.93.240.0/24
    option          forwardfor except 204.93.177.0/24
    option          forwardfor except 199.27.128.0/21
    option          forwardfor except 173.245.48.0/20
    option          forwardfor except 103.22.200.0/22
    option          forwardfor except 141.101.64.0/18
    option          forwardfor except 108.162.192.0/18
    option          forwardfor header X-Real-IP
    reqadd          X-Forwarded-Proto:\ http

Does anybody have an idea for the correct config to get real IPs from Cloudflare? Or maybe an equivalent of nginx's set_real_ip_from cloudflareIP and/or real_ip_header CF-Connecting-IP to haproxy? Thanks.

Staal answered 1/4, 2013 at 2:45 Comment(0)
You do it this way:

HaProxy config:

    acl from_cf    src -f /path/to/cloudflare_ips.lst
    acl cf_ip_hdr  req.hdr(CF-Connecting-IP) -m found

    http-request set-header X-Forwarded-For %[req.hdr(CF-Connecting-IP)] if from_cf cf_ip_hdr

  • Be careful when testing, because of KeepAlive you may need to use a new browser/tab every time.
Beller answered 11/9, 2018 at 7:57 Comment(0)
What you are looking for is:

    http-request add-header X_FORWARDED_FOR %[req.hdr(CF-Connecting-IP)]

This will add the correct cloudflare source IP. If you do nothing then you end up with both headers for src address and the cloudflare address.

Comedown answered 22/8, 2016 at 22:8 Comment(0)
Simple and the best solution, in my opinion.

Create a file containing the CloudFlare IPs, named /etc/haproxy/cf-ips/cf-ips for example, and add these lines to the config:

    acl from_cf src -f /etc/haproxy/cf-ips/cf-ips
    http-request set-src req.hdr(CF-Connecting-IP) if from_cf

Information from this blog post

Logway answered 29/10, 2021 at 4:22 Comment(0)
You should actually just do nothing at all. The problem is you are trying to insert a forwardfor except for the difficult to manage list of cloudflare IPs but all your traffic is coming from cloudflare anyway.

Just take out any forwardfor options and the cloudflare header will persist through haproxy.

If you must do something like you are trying make sure to add "option httpclose" to make sure it's always doing it.

Matrass answered 21/2, 2014 at 9:1 Comment(1)
all your traffic is coming from cloudflare anyway - how can you trust all the traffic is coming from Cloudflare in this case? What would stop someone using a hosts file (for example) to bypass Cloudflare? Baillie
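As an added illustration (not code from any of the answers above), the following Python models the decision that the `acl from_cf src -f ...` plus `http-request set-src req.hdr(CF-Connecting-IP) if from_cf` rules make, and why that guard answers the comment's concern: a CF-Connecting-IP header arriving from a source outside the Cloudflare ranges is ignored, and an origin that only accepts Cloudflare can refuse it outright (the equivalent of `http-request deny if !from_cf`). The range list is copied from the question's config as a constructed sample; a real deployment loads the current list published by Cloudflare into the file the answers reference.

```python
import ipaddress

# Constructed sample: the ranges that appear in the question's config.
# In production, load the current Cloudflare list from the ACL file instead.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "204.93.240.0/24", "204.93.177.0/24", "199.27.128.0/21",
    "173.245.48.0/20", "103.22.200.0/22", "141.101.64.0/18",
    "108.162.192.0/18",
)]


def is_from_cloudflare(src: str) -> bool:
    """Equivalent of `acl from_cf src -f cloudflare_ips.lst`:
    true only when the TCP peer address is inside a Cloudflare range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def effective_client_ip(src: str, headers: dict) -> str:
    """Equivalent of `http-request set-src req.hdr(CF-Connecting-IP) if from_cf`.
    The header is trusted only when the peer is Cloudflare; any other peer
    (someone bypassing Cloudflare via a hosts entry, as the comment describes)
    keeps its real source address, whatever header it sends."""
    lowered = {k.lower(): v for k, v in headers.items()}
    hdr = lowered.get("cf-connecting-ip")
    if is_from_cloudflare(src) and hdr:
        try:
            return str(ipaddress.ip_address(hdr.strip()))
        except ValueError:
            return src  # malformed header value: fall back to the peer address
    return src


def handle_request(src: str, headers: dict, cloudflare_only: bool = False):
    """Returns ('deny', peer) or ('allow', client_ip).
    cloudflare_only models `http-request deny if !from_cf` for an origin
    that should never be reachable except through Cloudflare."""
    if cloudflare_only and not is_from_cloudflare(src):
        return ("deny", src)
    return ("allow", effective_client_ip(src, headers))


if __name__ == "__main__":
    # Constructed requests: one via Cloudflare, one direct with a spoofed header.
    print(handle_request("173.245.48.10", {"CF-Connecting-IP": "198.51.100.7"}))
    print(handle_request("192.0.2.44", {"CF-Connecting-IP": "198.51.100.7"}))
    print(handle_request("192.0.2.44", {"CF-Connecting-IP": "198.51.100.7"}, True))
```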
