CF-Connecting-IP

# allow cloudflare src ranges (https://www.cloudflare.com/ips-v4 + https://www.cloudflare.com/ips-v6)
acl is_cloudflare src -f /etc/cloudflare/ips-v4
acl is_cloudflare src -f /etc/cloudflare/ips-v6

# WORKAROUND: https://github.com/haproxy/haproxy/issues/90
acl is_cloudflare var(sess.cloudflare) -m found
http-request set-var(sess.cloudflare) always_true if { http_first_req } is_cloudflare

# deny cloudflare bypass
http-request deny if ! is_cloudflare

# set true source if cloudflare
http-request set-src hdr(cf-connecting-ip) if is_cloudflare

And for automatic and atomic updates of the file, I call wget from cron, save to temporary file and rename:

wget "https://www.cloudflare.com/ips-v4" -qO /etc/cloudflare/ips-v4.tmp && mv /etc/cloudflare/ips-v4.tmp /etc/cloudflare/ips-v4; wget "https://www.cloudflare.com/ips-v6" -qO /etc/cloudflare/ips-v6.tmp && mv /etc/cloudflare/ips-v6.tmp /etc/cloudflare/ips-v6

Originally from

and improved in: