Block original client IP instead of Cloudflare source IP

We have an HAProxy behind Cloudflare; below is our HAProxy's access log:

Jun 14 18:09:29 localhost haproxy[69672]: 172.68.253.118:35540 10.50.0.105:80 565 1442 200 GET /json/alert/alert_message.json?_=1560417328974 HTTP/1.1 app main 10.50.0.101 uat123-technology.com Mozilla/5.0 (Windows NT 10.0; WOW64; rv:67.0) Gecko/20100101 Firefox/67.0 21.25.23.35 https://uat123.technology.com/user/login nginx -\

We would like to block the original client IP, which is 21.25.23.35, by ACL instead of the Cloudflare source IP 172.68.253.118. How to achieve it? Thank you very much!

Following is our HAProxy configuration; it works when HAProxy is the first tier, but behind Cloudflare it doesn't work.

acl imip src -f /etc/haproxy/im.zone
acl isip src -f /etc/haproxy/is.zone
acl itip src -f /etc/haproxy/it.zone
acl noip src -f /etc/haproxy/no.zone
acl ptip src -f /etc/haproxy/pt.zone
acl seip src -f /etc/haproxy/se.zone
acl twip src -f /etc/haproxy/tw.zone
acl usip src -f /etc/haproxy/us.zone
acl whitelist src -f /etc/haproxy/white_ip_list
acl blacklist src -f /etc/haproxy/black_ip_list
acl all src 0.0.0.0/0
use_backend app if whitelist
use_backend region if blacklist OR deip OR esip OR frip OR gbip OR hkip OR ieip OR imip OR isip OR itip OR noip OR ptip OR seip OR twip OR usip
use_backend app if all

Cloudflare exposes two headers for each request:

  • CF-Connecting-IP – the original client IP, the one you are looking for;
  • CF-IPCountry – the country the request originated from (useful if you need country-based filtering, as it seems you do);

Therefore you can replace your ACLs with acl whatever req.fhdr(CF-Connecting-IP,-1) -m ip -f /etc/...

Or even better acl whatever req.fhdr(CF-IPCountry,-1) US UK DE ...
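As an added example (not part of the answer above and not taken from any HAProxy or Cloudflare documentation), here is one way to wire this up so the existing src-based ACLs keep working: HAProxy's http-request set-src rewrites the connection source from the CF-Connecting-IP header, but only when the TCP peer is actually a Cloudflare edge. The guard matters because anyone who can reach HAProxy directly can send an arbitrary CF-Connecting-IP header; without it, the header would let a direct client choose its own "source" and walk around the block lists. The file names /etc/haproxy/cloudflare_ips.lst (Cloudflare's published IPv4/IPv6 ranges, one CIDR per line) and /etc/haproxy/blocked_countries.lst (two-letter ISO codes, one per line) are assumptions; the backends app and region are the ones from the original configuration.

```haproxy
# Added example, not the original poster's configuration.
# Assumed files:
#   /etc/haproxy/cloudflare_ips.lst      Cloudflare edge ranges, one CIDR per line
#   /etc/haproxy/blocked_countries.lst   ISO 3166 country codes, one per line
frontend http-in
    bind *:80
    mode http

    # True only when the TCP connection itself comes from a Cloudflare edge.
    # Evaluated before set-src below, so "src" is still the real peer here.
    acl from_cloudflare src -f /etc/haproxy/cloudflare_ips.lst

    # If this HAProxy should only ever be reached through Cloudflare,
    # refuse direct connections so the header can never be forged.
    http-request deny deny_status 403 if !from_cloudflare

    # Replace the connection source with the real client address.
    # From here on every "src" fetch (and so every src-based ACL)
    # sees the value of CF-Connecting-IP instead of the Cloudflare edge.
    http-request set-src req.hdr(CF-Connecting-IP) if from_cloudflare

    # Country filtering on Cloudflare's two-letter country header
    # (string sample, so the default match is an exact string compare).
    acl blocked_country req.hdr(CF-IPCountry) -i -f /etc/haproxy/blocked_countries.lst

    # The original src-based lists now match the real client, unchanged.
    # (The remaining *.zone ACLs from the original config go here too.)
    acl whitelist src -f /etc/haproxy/white_ip_list
    acl blacklist src -f /etc/haproxy/black_ip_list
    acl usip      src -f /etc/haproxy/us.zone

    use_backend app    if whitelist
    use_backend region if blacklist OR blocked_country OR usip
    default_backend app
```

Keep the Cloudflare range file current (Cloudflare publishes its ranges and they change over time); a stale list makes legitimate edges fail the from_cloudflare check and, with the deny rule in place, get a 403 rather than a spoofable pass-through. If the country header is all you need, the blocked_country ACL alone replaces the per-country *.zone files.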

I use CF-IPCountry for the country filtering; it works very well, thank you very much.