Access control ALLOW/DENY not working?

[chwba]

hello,
im using directadmin.
this is my httpd-accesscontrol.conf:

accessControl{
allow ALL, 4.3.2.1/24T, 1.2.3.4T
deny
}

these two ips are my personal ip and my ddos protection service, it seems it does not work, as i can still contact the server from other ips/ipranges than these.

 

[Pong]

Can you tell me what's your goal? Do you want to enable some CDN service to avoid connection drop?
or you want to visist some domain such as example.com only by your ip, no one else?
Or you want to whitelist your IP from recaptha security feature?

 

[chwba]

Protection against DDos. I want to achieve, that connections to the webserver are only possible through the defined ip ranges as explained in the description about it. https://www.litespeedtech.com/suppo...ed_wiki:config:show-real-ip-behind-cloudflare

 

[Pong]

The wiki shows you how to whitelist CloudFlare from connection drop but it doesn't block any connection from nonCloudFlare lips.


Try:
accessControl{
allow 4.3.2.1/24T, 1.2.3.4T
deny ALL
}

 

[chwba]

I tried setting it up like this, allowing all CloudFlare IPs and denying all others, it results in a cloudflare 520 error

 

[Pong]

It should not unless some misconfiguration. You can log a ticket with tmp root for us to check.

 

[krlabs]

It should not unless some misconfiguration. You can log a ticket with tmp root for us to check.

Can I block access to the server for all IPs except Cloudflare? My goal is to completely block attackers from accessing xttp://SERVER_IP

 

[LiteCache]

Can I block access to the server for all IPs except Cloudflare? My goal is to completely block attackers from accessing xttp://SERVER_IP

CloudFlare and every other CDN provider transmits the real client IP address. If your host is requested this means it is requested by a user and not by CloudFlare. Therefore you can't filter or block requests by CF because CF doesn't request your site. It is the user that requests it and not CloudFlare.

FYI: This forum doesn't allow to provide commercial solutions that can, what you asked for....

 

[krlabs]

CloudFlare and every other CDN provider transmits the real client IP address. If your host is requested this means it is requested by a user and not by CloudFlare. Therefore you can't filter or block requests by CF because CF doesn't request your site. It is the user that requests it and not CloudFlare.

FYI: This forum doesn't allow to provide commercial solutions that can, what you asked for....

I can block and successfully do so. I can even block you in order to demonstrate it in action)) Check out the Network settings in Cloudflare. There are many interesting things there, including the Trust IP header. Nothing is impossible.

 

[LiteCache]

@krlabs

As already said, if you want to block whatever IP, you must block the client IP and not the CF node IP, but this expects to configure CF to respect client IPs. But aware if you use CF caching!