Hello guys.

I have an HAproxy in pfsense working with several front-end. Everything working. I also have SSL running on Cloudflare.

there was a need to limit a frontend to some specific ips.

As I understand it, cloudflare proxy requests and in HAproxy I only receive the Cloudflare range. Looking at the documentation I saw that it is possible to get the client’s IP using the “CF-Connecting-IP” method but I have no idea how to get it.

Can anybody help me ?

# allow cloudflare src ranges ( +
acl is_cloudflare src -f /etc/cloudflare/ips-v4
acl is_cloudflare src -f /etc/cloudflare/ips-v6

acl is_cloudflare var(sess.cloudflare) -m found
http-request set-var(sess.cloudflare) always_true if { http_first_req } is_cloudflare

# deny cloudflare bypass
http-request deny if ! is_cloudflare

# set true source if cloudflare
http-request set-src hdr(cf-connecting-ip) if is_cloudflare

And for automatic and atomic updates of the file, I call wget from cron, save to temporary file and rename:

wget "" -qO /etc/cloudflare/ips-v4.tmp && mv /etc/cloudflare/ips-v4.tmp /etc/cloudflare/ips-v4; wget "" -qO /etc/cloudflare/ips-v6.tmp && mv /etc/cloudflare/ips-v6.tmp /etc/cloudflare/ips-v6

Originally from

and improved in: