[Possible bug] only allow CF IP accessing website?

#1
Hello OLS,
Can someone tell me how to deal with this?

In the OLS conf we have accessControl, which can allow Cloudflare IPs, but in this case I had something like this:

Code:
accessControl{
    allow                                   ALL, 2400:cb00::/32, 2606:4700::/32, 2803:f800::/32, 2405:b500::/32, 2405:8100::/32, 2a06:98c0::/29, 2c0f:f248::/32, 173.245.48.0/20, 103.21.244.0/22, 103.22.200.0/22, 103.31.4.0/22, 141.101.64.0/18, 108.162.192.0/18, 190.93.240.0/20, 188.114.96.0/20, 197.234.240.0/22, 198.41.128.0/17, 162.158.0.0/15, 104.16.0.0/13, 104.24.0.0/14, 172.64.0.0/13, 131.0.72.0/22
    deny                                   
}
With this, we allow all connections.
But I want more, so my website can be more secure. As you know, some hacker or someone who wants our sites to be down will attack the IP of the server instead of going through Cloudflare... so if they hit it directly... they can....

The possible fix for this is to move the ALL to deny and make it only allowed by CF IPs.
But here is the problem: my website suddenly errors when I do that. It seems it really denies everything even though I already allowed the CF IPs.
Does OLS have some fix for this?

I haven't been able to fix this for a few days, and now if someone attacks directly by IP, well, it's literally dead.
Can anyone tell me how to block all visitors except Cloudflare?

Is my way above wrong?
Thanks
 

Cold-Egg

Administrator
#2
The easiest way should be
Adding `ALL` to the OLS Web Admin > Server configuration > Security > Access Control > Denied list. And empty the Allowed List.

Code:
accessControl  {
  deny                    ALL
}

And if you still need web admin access, please add your IP to the allow section.

Let us know if it works.
 
#3
The easiest way should be
Adding `ALL` to the OLS Web Admin > Server configuration > Security > Access Control > Denied list. And empty the Allowed List.

Code:
accessControl  {
  deny                    ALL
}

And if you still need web admin access, please add your IP to the allow section.

Let us know if it works.
Sorry, but maybe you misunderstood what I mean.

What I mean is to block all incoming traffic if it does not come from Cloudflare.
Example:
You can access sites by bypassing Cloudflare as long as you know the real IP of the VPS, right?
All I need to do for this problem is to reject all traffic except Cloudflare.

And I already did that deny ALL...
and on the allow list I put the Cloudflare IPs...

but the page is still inaccessible... I can't even load the sites...
It seems to block ALL traffic even though I allow some of it...

Can you somehow check it first?
Also, a lot of people on the forum, when I was digging yesterday, reported the same problem.
It seems we can't allow only Cloudflare and reject all visitors that don't come from CF...

I think this is important since a lot of security throttling that is not in OLS is present on CF.
 
#5
Hi @dhanamerdeka,
Please just give my previous suggestion a try, it should work. I've tested it.
Bruh
Code:
accessControl  {
  deny                    ALL
}
If I deny all... all visitors including Cloudflare are rejected...
I also turned on the real IP to 2 and input all CF IPs on the allow list... and nothing works bro...
That's why I'm posting it here... because it doesn't work...

If I simply deny all, then ALL requests or visitors coming from ANYTHING including CLOUDFLARE are blocked... I already tried this.
 
#7
Cloudflare IPs are whitelisted by default after v1.7.13, see https://openlitespeed.org/release-log/version-1-7-x/. Feel free to join golitespeed community on Slack and message me @Eric from there.
hmmmm somehow we not walking anyone....

Maybe I should rewrite my point here.
What my problem is:

I have example.com.
With this example.com, I want anyone to be able to access it through Cloudflare,
so anyone who knows my IP and wants direct access bypassing Cloudflare will be rejected by OLS (because they are not on the allowed IPs, which are only Cloudflare).

Can I do that?
And is that what the setting is all about?

Just to make my point: when I deny ALL access, with the Cloudflare IPs on the whitelist or not,
in both cases I can't even access my sites, so that's why I'm asking here; deny ALL makes the sites inaccessible.
I hope you don't misunderstand me...

BTW, I'm using OLS ver 1.7.16.
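
An added example, not part of the thread and not OpenLiteSpeed code: a log audit that flags requests reaching the origin from outside the Cloudflare ranges listed in post #1, which is the direct-to-origin access the poster wants rejected. It assumes the first field of each access-log line is the connecting peer address (not a client IP taken from a forwarded header); the function names and sample lines are constructed.

```python
import ipaddress

# Cloudflare ranges copied from the allow list in post #1 (may be out of date).
CF_RANGES = [ipaddress.ip_network(c) for c in """
2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 2405:8100::/32
2a06:98c0::/29 2c0f:f248::/32 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22
103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20
197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14
172.64.0.0/13 131.0.72.0/22
""".split()]

def is_cloudflare(addr):
    """True if addr (IPv4, IPv6 or IPv4-mapped IPv6 text) is in a listed range."""
    ip = ipaddress.ip_address(addr.strip("[]"))
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:  # ::ffff:a.b.c.d, as logged on dual-stack listeners
        ip = mapped
    return any(ip in net for net in CF_RANGES)

def direct_hits(log_lines):
    """Return (peer, request) for lines whose peer is outside the listed ranges."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if not fields:
            continue
        peer = fields[0]
        try:
            if is_cloudflare(peer):
                continue
        except ValueError:
            peer = "unparseable:" + peer  # keep malformed entries visible
        request = line.split('"')[1] if line.count('"') >= 2 else ""
        hits.append((peer, request))
    return hits

# Constructed sample lines; documentation addresses stand in for direct visitors.
SAMPLE_LOG = [
    '172.68.10.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /login HTTP/1.1" 200 900',
    '::ffff:104.16.1.1 - - [01/Jan/2024:10:00:03 +0000] "GET /a.css HTTP/1.1" 200 80',
    '2001:db8::1 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for peer, request in direct_hits(SAMPLE_LOG):
        print(f"direct-to-origin: {peer} {request}")
```

Any line it reports after an allow-only-Cloudflare rule is in place means a request still reached the site without passing through Cloudflare.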
 