How to get Real Client IPs, but still only allow traffic from cloudflare?

yorich

New Member
#1
I've got my allowed list in OLS set to allow all of Cloudflare's CIDR blocks, but when I remove the "ALL" from the list and move it to deny, I get a 403 when accessing my page. This is due, I believe, to having "Use Client IP in Header" set to "Trusted IP only". If I change Use Client IP in Header to No, then only allowing traffic from Cloudflare's ranges works, but I can't see the real client IP in my logs then, only Cloudflare's proxy IPs.

Is there a way to enforce both only allowing 443 access from Cloudflare, as well as retaining the client IP for logging? I'm getting a lot of hits on 443 directly that aren't coming through Cloudflare, and I would prefer to have CF doing all my firewalling rather than me having to set up iptables rules locally.

Thanks!

Cold-Egg

Administrator
#2
To see the IP from the access log, you will need to use "Trusted IP only".
If this site is served by cloudflare, how did you get those hits directly to the original server?
#3
This is a known conflict between useIpInProxyHeader and access control that catches a lot of people out. The short answer: keep Use Client IP in Header set to No and fix your log format instead.

When Trusted IP Only is enabled, OLS replaces the session IP with the value from CF-Connecting-IP before evaluating access control. So your deny ALL rule ends up checking real visitor IPs against your Cloudflare CIDR list and they're not in it, hence the 403.

With Use Client IP in Header = No, OLS evaluates access control against the actual TCP source (the Cloudflare IP), which is correctly in your allow list.

For real IP logging without changing that setting, update your access log format:

%{CF-Connecting-IP}i proxy: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"

This logs the real visitor IP first, then the Cloudflare proxy IP. fail2ban can parse it and your deny ALL still works.

I wrote this up in more detail including the exact Cloudflare CIDRs and the access control setup: https://sajetekengineering.com/blog...-on-openlitespeed-without-getting-403-errors/
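Added example (not code from this thread or from OpenLiteSpeed): a small Python script that models the access-control decision post #3 describes under both values of "Use Client IP in Header", and then parses the custom log format from that post. The Cloudflare IPv4 list is a snapshot of the ranges Cloudflare publishes at https://www.cloudflare.com/ips-v4 and is an assumption that should be refreshed before use; the log lines are constructed, and the behaviour of OLS is modelled only as far as post #3 states it. The caveat it makes concrete: on a direct-to-origin hit the CF-Connecting-IP header is whatever the client chose to send, so anything that bans or reports on the first log field (fail2ban included) should only trust it when the second field, the TCP peer, is a Cloudflare address.

```python
"""Constructed example: reasoning about the OLS + Cloudflare setup from post #3.

Not code from the forum thread or from OpenLiteSpeed. It (1) models the access
control decision described in post #3 under both values of "Use Client IP in
Header", and (2) parses the custom access-log format from that post, attributing
each hit to a real client IP only when the TCP peer (%h) is a Cloudflare address.
"""
import ipaddress
import re

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Assumption: the list is current; refresh it from Cloudflare before relying on it.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare(ip: str) -> bool:
    """True if ip falls inside one of the Cloudflare ranges above ("-" or junk -> False)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_IPV4)


def access_control(tcp_src: str, cf_connecting_ip: str, trusted_ip_only: bool) -> int:
    """Model of the OLS behaviour post #3 describes, with rules 'allow <Cloudflare CIDRs>, deny ALL'.
    With 'Trusted IP only' the CF-Connecting-IP value replaces the session IP before the
    rules run, so a legitimate proxied visitor is checked against the CIDR list and denied."""
    header_present = cf_connecting_ip not in (None, "", "-")
    checked = cf_connecting_ip if (trusted_ip_only and header_present) else tcp_src
    return 200 if is_cloudflare(checked) else 403


# Matches post #3's log format:
#   %{CF-Connecting-IP}i proxy: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<cf_ip>\S+) proxy: (?P<proxy_ip>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log_line(line: str) -> dict:
    """Split one access-log line in the format above into named fields."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"line does not match the expected format: {line!r}")
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def attribute_ip(entry: dict) -> str:
    """The IP a ban or a report should be tied to.
    CF-Connecting-IP is only trustworthy when the TCP peer is Cloudflare; a direct hit
    can carry any value in that header, so for those we fall back to the TCP source."""
    if is_cloudflare(entry["proxy_ip"]) and entry["cf_ip"] != "-":
        return entry["cf_ip"]
    return entry["proxy_ip"]


def direct_hits(lines) -> list:
    """TCP sources of requests that bypassed Cloudflare (the hits the OP sees on 443)."""
    return [e["proxy_ip"] for e in map(parse_log_line, lines) if not is_cloudflare(e["proxy_ip"])]


# Constructed sample log lines (RFC 5737 documentation addresses, except the Cloudflare peer).
# Line 3 is a direct hit that spoofs CF-Connecting-IP; attribute_ip() must ignore the header.
SAMPLE_LINES = [
    '203.0.113.7 proxy: 172.64.1.10 - - [10/Mar/2024:12:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '- proxy: 198.51.100.9 - - [10/Mar/2024:12:00:05 +0000] "GET / HTTP/1.1" 403 0 "-" "curl/8.5.0"',
    '192.0.2.77 proxy: 198.51.100.9 - - [10/Mar/2024:12:00:09 +0000] "GET /wp-login.php HTTP/1.1" 403 0 "-" "python-requests/2.31"',
]


if __name__ == "__main__":
    for trusted in (True, False):
        label = "Trusted IP only" if trusted else "Use Client IP in Header = No"
        print(f"{label}: proxied visitor gets {access_control('172.64.1.10', '203.0.113.7', trusted)}")
    for line in SAMPLE_LINES:
        e = parse_log_line(line)
        print(f"{e['status']} {e['request']!r:32} attributed to {attribute_ip(e)}")
    print("direct hits from:", sorted(set(direct_hits(SAMPLE_LINES))))
```

Run it as-is to see the 403/200 pair for the two settings and the per-line attribution; point `direct_hits()` at a real log (with the Cloudflare list refreshed first) to get the list of peers that are reaching 443 without going through Cloudflare.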