Hello guys.
I have HAProxy on pfSense working with several frontends. Everything is working. I also have SSL running on Cloudflare.
There was a need to limit one frontend to some specific IPs.
As I understand it, Cloudflare proxies the requests, and in HAProxy I only receive the Cloudflare range. Looking at the documentation I saw that it is possible to get the client's IP using the "CF-Connecting-IP" header, but I have no idea how to get it.
Can anybody help me?
# Allow only Cloudflare source ranges (https://www.cloudflare.com/ips-v4 + https://www.cloudflare.com/ips-v6).
# Several "acl" lines with the same name are OR'ed together.
acl is_cloudflare src -f /etc/cloudflare/ips-v4
acl is_cloudflare src -f /etc/cloudflare/ips-v6
# WORKAROUND: https://github.com/haproxy/haproxy/issues/90
# After the set-src below, "src" on later requests of the same keep-alive connection
# returns the rewritten client address, not Cloudflare's, so the src ACLs above would
# fail; remember the verdict of the first request in a session variable instead.
acl is_cloudflare var(sess.cloudflare) -m found
http-request set-var(sess.cloudflare) always_true if { http_first_req } is_cloudflare
# Deny anything that bypasses Cloudflare and reaches the origin directly.
http-request deny if ! is_cloudflare
# Only then trust CF-Connecting-IP as the real client address (used by later src ACLs and logs).
http-request set-src hdr(cf-connecting-ip) if is_cloudflare
And for automatic and atomic updates of the files, I call wget from cron, save to a temporary file and rename:
wget "https://www.cloudflare.com/ips-v4" -qO /etc/cloudflare/ips-v4.tmp && mv /etc/cloudflare/ips-v4.tmp /etc/cloudflare/ips-v4
wget "https://www.cloudflare.com/ips-v6" -qO /etc/cloudflare/ips-v6.tmp && mv /etc/cloudflare/ips-v6.tmp /etc/cloudflare/ips-v6
Originally from
We are using haproxy 1.8.17 in a two-stage setup:
multiple "interceptor" servers (in http mode) that accept the initial connection and send it (using send-proxy-v2-ssl) to multiple "routers" that know about the various backends to which we need to route the requests.
Everything is working great, except when Cloudflare is involved. In the frontend on "router" we're using:
http-request set-src hdr(x-forwarded-for) if is_cloudflare_src
and we find:
the connections are properly coming from v…
and improved in:
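The cron one-liner in the answer above installs whatever the download returned, and HAProxy reads "-f" ACL files only at startup or reload, so an empty list (every request denied, because is_cloudflare matches nothing) or an HTML error page saved as a list (config check fails) would otherwise go unnoticed. The script below is an added example, not code from the thread and not an HAProxy or pfSense tool: it fetches each list, refuses to install anything that is empty or not a list of CIDR prefixes, renames atomically, and then runs a config check before reloading. The directory /etc/cloudflare, the FETCH and RELOAD_CMD variables and the config path /etc/haproxy/haproxy.cfg are assumptions for illustration; on pfSense the HAProxy package generates its own configuration and reload mechanism, so adapt the paths and the reload step there.

```shell
#!/bin/sh
# Added example, not from the thread: refresh HAProxy's Cloudflare IP list files safely.
# Paths, FETCH, HAPROXY_CFG and RELOAD_CMD are assumptions; adjust for your host.
set -eu

CF_DIR="${CF_DIR:-/etc/cloudflare}"
FETCH="${FETCH:-wget -qO-}"                           # prints a URL's body on stdout
HAPROXY_CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload haproxy}"

# valid_cidr_list FILE: succeed only if FILE is non-empty and every line is an
# IPv4 or IPv6 prefix of the form addr/len. The check is syntactic, which is
# enough to catch an empty body, a truncated download or an HTML error page.
valid_cidr_list() {
    f="$1"
    [ -s "$f" ] || return 1
    ! grep -Ev '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$|^[0-9a-fA-F:]+/[0-9]{1,3}$' "$f" >/dev/null
}

# update_list URL DEST: download to a temp file next to DEST, validate it, then
# rename it over DEST. On any failure the previous DEST is left untouched and
# the function returns 1, so a bad download never reaches HAProxy.
update_list() {
    url="$1"; dest="$2"
    tmp="$dest.tmp.$$"
    if ! $FETCH "$url" > "$tmp"; then
        rm -f "$tmp"
        echo "fetch failed: $url" >&2
        return 1
    fi
    if ! valid_cidr_list "$tmp"; then
        rm -f "$tmp"
        echo "rejected content that is not a CIDR list: $url" >&2
        return 1
    fi
    mv -f "$tmp" "$dest"    # rename(2) is atomic: HAProxy never sees a half-written file
}

# main: refresh both lists, then check and reload HAProxy so the new files are
# actually read (the "-f" ACL files are loaded only at startup/reload).
main() {
    update_list https://www.cloudflare.com/ips-v4 "$CF_DIR/ips-v4"
    update_list https://www.cloudflare.com/ips-v6 "$CF_DIR/ips-v6"
    haproxy -c -q -f "$HAPROXY_CFG"
    $RELOAD_CMD
}

# Only act when invoked as "cf-ip-update.sh run"; otherwise the file just defines
# the functions, so it can be sourced for testing without touching the network.
if [ "${1:-}" = run ]; then
    main
fi
```

Run it from cron as `sh cf-ip-update.sh run`. Keeping the lists correct is what makes the rest of the config safe: the `http-request deny if ! is_cloudflare` line is the only thing that stops a client which reaches the origin directly from sending a forged CF-Connecting-IP, and `set-src` trusts that header only after the deny has passed.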