Smuggling CF CDN IP in headers as Hosting provider does not provide proxy URL
Hey,
my hosting provider does not pass in headers the IP of the Cloudflare CDN server that made the request to the hosting. This limits my options for blocking non-CF traffic in hosting.
I wanted to transform a custom request header to add the CF IP into it and check it on the server, as .htaccess (using Apache) Require ip does not work... How to define such a rule?
I started in https://developers.cloudflare.com/ruleset-engine/rules-language/fields/#http-request-header-fields but don't know how to debug what values are even available.
For now I use a header transform rule that adds a custom request header, but it might leak, and I check the hostname, but it's non-strict as I believe it's spoofable.
Thanks
3 Replies
Yeah the CF provided ones are really the only ones you can trust
Why does your host remove these headers? That sounds like something you should bring up with them
Outside of that, your best bet is as random of a header name as you can do. Security through obscurity is by no means foolproof though. I'd work with your host to get the real headers.
Any way to generate random values in a header with a formula that I could also run in hosting to have a kind of dynamic key?
@Walshy | Deploying please take a look at a similar issue https://community.cloudflare.com/t/no-connecting-ip-been-passed-in-server/319305/2 - I want to restrict access to Origin by .htaccess but Apache Require 2.4 rules do not work even if documented as such https://help.ovhcloud.com/csm/en-web-hosting-htaccess-ip-restriction?id=kb_article_view&sysparm_article=KB0052844 (my provider is OVH; I've asked their support but it will take a while for a response, I will make sure to follow up here)
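One way to write the origin-side check for the custom request header discussed in this thread, as an added example that is not from any poster, Cloudflare or OVH. The header name and value are constructed placeholders, and it assumes Apache 2.4 with a host that permits AuthConfig directives in .htaccess.

```apache
# Added example, not from the thread. The header name and value below are
# constructed placeholders: configure the same pair in the Cloudflare
# request header transform rule.
# Assumes Apache 2.4 (mod_authz_core) and that the host permits
# AuthConfig directives in .htaccess.

# Allow a request only when the header carries the expected value;
# everything else receives 403.
# req_novary reads the request header without adding its name to the
# Vary response header, so responses do not disclose the header name.
Require expr "%{req_novary:X-Origin-Key-7f3a} == 'REPLACE_WITH_LONG_RANDOM_VALUE'"
```

This compares the header value rather than relying only on an unusual header name, and the pair remains a static shared secret between the transform rule and the origin.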