Authentication for proxied IP

We use the “proxied” feature, but we want to filter the users by their IP address.
We can get the user IP address from the special headers - “x-forwarded-for” or “cf-connecting-ip”.

Now we have 2 questions:

  1. What is the difference between the two?
  2. How can we authenticate that the message comes from Cloudflare’s system? (Everyone can use those headers with an IP address that has privileges)

Thank you

X-Forwarded-For includes the IP addresses of all proxies between the client and your server. There could be some other proxies before the traffic reaches Cloudflare. CF-Connecting-IP just shows the IP address as seen from the edge - the client/proxy IP address that communicates directly with Cloudflare.

It’s possible for anyone between the client and Cloudflare to spoof the X-Forwarded-For header, so those IP addresses might not be accurate. CF-Connecting-IP is inserted directly by Cloudflare - no one can modify it, even using Transform Rules (unless you have another proxy after Cloudflare, which is another story).

2 Likes
  1. Thank you.
  2. If someone has the IP address of my server and a reliable IP, he can send a request directly to my server with a header containing a reliable IP. Therefore I ask for an authentication that the request really comes from Cloudflare.

There are several things you can do.

The most basic is to set a firewall on your Origin to only allow requests from Cloudflare's IP ranges.

You can also enable Authenticated Origin Pull with customer certificates. This means that your webserver will only talk to Cloudflare, and only your Cloudflare account can talk to your Origin server.

No difference, they should be identical.

2 Likes
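The origin-side check described above (accept the client address from CF-Connecting-IP only when the TCP peer is inside Cloudflare's published ranges, and reject everything else) as an added example; it is not code from the thread or from Cloudflare. The CIDR list below is a constructed placeholder standing in for the list at cloudflare.com/ips/, and the function names are assumptions.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 / RFC 3849 documentation space),
# NOT the real Cloudflare ranges: load the real list from cloudflare.com/ips/.
CLOUDFLARE_RANGES_SAMPLE = [
    "203.0.113.0/24",
    "2001:db8:1::/48",
]


def build_networks(cidrs):
    """Parse CIDR strings once at startup into ip_network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_from_cloudflare(peer_ip, networks):
    """True if the TCP source address of the connection lies in a trusted range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in networks)


def client_ip_for_request(peer_ip, headers, networks):
    """Return the client IP to use for filtering, or None to reject the request.

    peer_ip  - source address of the TCP connection to the origin (not a header)
    headers  - request headers as a dict; lookup is case-insensitive
    A request that does not arrive from a Cloudflare range is rejected outright,
    because then CF-Connecting-IP could have been set by anyone.
    """
    if not is_from_cloudflare(peer_ip, networks):
        return None
    lower = {k.lower(): v for k, v in headers.items()}
    raw = lower.get("cf-connecting-ip")
    if raw is None:
        return None
    try:
        # Normalise so "203.000.113.001"-style or padded values cannot bypass an allowlist.
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return None


def is_allowed(client_ip, allowlist_cidrs):
    """Final filter: is the (now trusted) client IP in the operator's allowlist?"""
    return client_ip is not None and is_from_cloudflare(client_ip, build_networks(allowlist_cidrs))
```

X-Forwarded-For is deliberately ignored here: as the earlier reply notes, hops before Cloudflare can write anything into it, so it is not suitable for an access decision.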

Excellent.
Where is the list of Cloudflare's IP ranges?

cloudflare.com/ips/

2 Likes

Thank you very much
