I have enabled the IP to pass through Cloudflare in order to audit and track users.
So I cannot get the whitelist IP address option to work (or so I believe).
Is there a header in Cloudflare that I can filter for in my ALB or NACL?
Cloudflare requests will always come from a defined range of IP addresses (documented here), and you can add those ranges to a security group on your AWS load balancer. This does not change the X-Forwarded-For, CF-Connecting-IP or True-Client-IP headers you are already using to audit and track users.
You should also configure your origin to ignore requests that do not match your host header (because somebody else could create a Cloudflare property and make requests to your load balancer).
Finally, you could configure Authenticated Origin Pulls.
There is no special header that cannot be spoofed by a random attacker.
When I added the IP range from Cloudflare to my security group:
Type | Protocol | Port Range | Source | Description |
---|---|---|---|---|
HTTPS | TCP | 443 | 173.245.48.0/20 | |
HTTPS | TCP | 443 | 103.21.244.0/22 | |
HTTPS | TCP | 443 | 103.22.200.0/22 | |
HTTPS | TCP | 443 | 103.31.4.0/22 | |
HTTPS | TCP | 443 | 141.101.64.0/18 | |
HTTPS | TCP | 443 | 108.162.192.0/18 | |
HTTPS | TCP | 443 | 190.93.240.0/20 | |
HTTPS | TCP | 443 | 188.114.96.0/20 | |
HTTPS | TCP | 443 | 197.234.240.0/22 | |
HTTPS | TCP | 443 | 198.41.128.0/17 | |
HTTPS | TCP | 443 | 162.158.0.0/15 | |
HTTPS | TCP | 443 | 104.16.0.0/12 | |
HTTPS | TCP | 443 | 172.64.0.0/13 | |
HTTPS | TCP | 443 | 131.0.72.0/22 | |
all of my requests timed out.
However, when I appended my desktop IP address to this list,
it worked.
So something in my Cloudflare configuration is passing through my IP address.
I have ‘flatten cname at root’ configured.
I cannot do authenticated origin pulls because I have not seen any docs for doing this on IIS.
You can create a request header (edge > origin, invisible to visitors) using Cloudflare Workers:
Though the suggestion above is meant to help folks on shared hosting, I believe you could also use a secret header to block requests at the origin firewall level if you have access to configuring it.
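The two origin-side checks raised in this thread (ignore requests whose Host header is not yours, and require a secret header that a Worker adds between edge and origin), shown together as an added example that is not code from any reply here. The header name `X-Origin-Auth`, the `ORIGIN_SECRET` binding and the host names are assumptions.

```javascript
// Added example. X-Origin-Auth, ORIGIN_SECRET and the hosts are assumed names.
// Uses only the standard Request and TextEncoder globals (Workers, Node 18+).
const HEADER = 'x-origin-auth';

// Edge side: copy the request and set the secret header. set() overwrites
// any value a visitor sent, so a client cannot pre-seed the header.
function withOriginSecret(request, secret) {
  const out = new Request(request);
  out.headers.set(HEADER, secret);
  return out;
}

// Worker entry point; in a deployed Worker this object is the default export
// and env.ORIGIN_SECRET is a secret binding (hypothetical name).
const worker = {
  async fetch(request, env) {
    return fetch(withOriginSecret(request, env.ORIGIN_SECRET));
  },
};

// Compare without returning early at the first differing byte.
function safeEqual(a, b) {
  const x = new TextEncoder().encode(a);
  const y = new TextEncoder().encode(b);
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ (y[i % (y.length || 1)] || 0);
  return diff === 0;
}

// Origin side: `headers` is a plain object with lower-cased names, as an
// origin handler would see them. Both checks must pass.
function originAccepts(headers, expectedHost, secret) {
  const host = (headers['host'] || '').toLowerCase().replace(/:\d+$/, '');
  if (host !== expectedHost.toLowerCase()) return false; // another zone's traffic
  return safeEqual(headers[HEADER] || '', secret);
}
```

The header is only a shared secret, so it complements restricting the security group to Cloudflare's ranges rather than replacing it.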