Apache, blocking direct requests that bypass Cloudflare when using mod_remoteip

Hi there,

This might be an unusual one. I’ve figured out how to block Apache requests that come direct, rather than via Cloudflare. I’ve also figured out how to restore the visitor’s original IP address in the Apache access logs. What I can’t figure out is how to do both of these things at the same time.

Example, restoring the visitor’s IP address in the Apache access log:

  1. Enable mod_remoteip

  2. Add “RemoteIPHeader X-Forwarded-For” to the Apache configuration

  3. Change the Apache log format, substituting %h for %a

Example, blocking direct requests that bypass Cloudflare:

  1. Modify Apache configuration for a particular site:

     <Directory /var/html/website/public>
         Order deny,allow
         Deny from all
         Allow from 173.245.48.0/20
         # More Cloudflare IP ranges go here
     </Directory>

Both of the examples above work OK, but don’t play nice together. This is because the “Allow from” in the second example is no longer being matched, because Apache is back to having the user’s original IP address, rather than Cloudflare’s IP address.

I’m hoping there is a simple way of bringing both solutions together. Could anyone advise?

Many thanks
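
One way to combine the two setups described in the post above, as an added example that is not part of the original post. It assumes Apache 2.4 with mod_remoteip and mod_authz_core, where the expression variable CONN_REMOTE_ADDR still holds the connecting peer's address after mod_remoteip has restored the visitor's address; RemoteIPTrustedProxy, the %{c}a log field and the "cloudflare" log format name are additions, while the directory path and IP range are the post's own.

```apache
# Added example, not from the original post.
# Assumes Apache 2.4 with mod_remoteip and mod_authz_core loaded.

# Take the visitor address from X-Forwarded-For, but only when the
# connecting peer is inside a listed Cloudflare range.
RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 173.245.48.0/20
# More Cloudflare IP ranges go here

# %a logs the address restored by mod_remoteip, %{c}a logs the TCP peer,
# so both the visitor and the proxy that relayed the request are recorded.
# "cloudflare" is a format nickname chosen for this example.
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %b" cloudflare

<Directory /var/html/website/public>
    # Authorize on the TCP peer rather than the restored visitor address.
    # Several Require lines in one container are OR-ed (implicit RequireAny).
    Require expr "%{CONN_REMOTE_ADDR} -ipmatch '173.245.48.0/20'"
    # One Require expr line per additional Cloudflare range goes here
</Directory>
```

This replaces the Order/Deny/Allow block rather than sitting alongside it, and the two range lists (RemoteIPTrustedProxy and Require expr) need to be kept in step.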
