Allow http.x_forwarded_for matching list operation in firewall rules

I have a use case: reverse proxy a website behind cloudflare. at the same time I want to block some ips using cloudflare waf with rules list. however the ip address seen by cloudflare will always be my proxy server’s.

It would be great that allowing http.x_forwarded_for matching a rules list.

X-Forwarded-For is a non-standard (although very common) header, and you will need to create or modify it in your proxy server, and forward your value in the request out to Cloudflare. By convention it is a comma separated list of all the devices in the request path, with the client on the left hand side, but your proxy server can set it to anything you like, such as just the Client IP.

The Cloudflare firewall rules already have http.x_forwarded_for as a standard field.

1 Like

Yea, but i wanna something like this: http.x_forwarded_for in $blocked_ips