Cloudflare Proxy and page rules

On our Magento 2 website, we have set up double authentication upon login to Magento. You have to use double authentication, unless you attempt to log in from an approved IP address. This works as intended. However, after we activated Cloudflare Proxy for our DNS (now deactivated again because of this issue), this makes the system unable to recognise that we visit Magento from an approved IP address. Can I solve this problem in Cloudflare by setting up a page rule or something like this?

If you have Proxied (:orange:) records, my browser would first connect to Cloudflare, and then Cloudflare would be connecting to your web server:

Without Cloudflare, or with Unproxied (:grey:) / DNS-only records: Visitor ↔ Web server
With Proxied (:orange:) records: Visitor ↔ Cloudflare ↔ Web server

As such, your web server will see the IP address of Cloudflare, and not my IP address, which is also why you would need to use some of the various options for Restoring original visitor IPs, if you wanted to see my IP address in your logs (or other places), rather than the Cloudflare IP address.

Page Rules won’t have any effect on things like this (e.g. the IP address).

However, when using Proxied (:orange:) records, you could also maintain the list of approved IP addresses through Cloudflare, and that way make sure that e.g. Cloudflare’s WAF is making the IP-based restrictions before reaching your server.

1 Like
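
The point above about restoring original visitor IPs, as an added example that is not part of the original thread: an origin-side check that uses the `CF-Connecting-IP` header only when the TCP peer is the proxy itself, and otherwise ignores it. The function names and both address lists are assumptions; the ranges are constructed placeholders from documentation address space, not Cloudflare's real ranges.

```python
import ipaddress

# Constructed placeholder values (documentation ranges), not real data.
# In production PROXY_RANGES is the proxy's published address list and
# APPROVED_IPS is the office allow-list that may skip the second factor.
PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
APPROVED_IPS = [ipaddress.ip_network("203.0.113.10/32")]


def _in_any(addr, networks):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in networks)


def client_ip(peer_ip, headers):
    """Return the address to use for allow-list decisions.

    peer_ip is the TCP peer the web server sees; headers is a dict of
    request headers with lower-case names.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, PROXY_RANGES):
        # Direct connection: a CF-Connecting-IP header here was supplied by
        # the client and must not influence the decision.
        return peer
    value = headers.get("cf-connecting-ip", "").strip()
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        # Header missing or malformed: fall back to the peer (the proxy),
        # which is not on the approved list, so 2FA stays required.
        return peer


def second_factor_required(peer_ip, headers):
    """True unless the restored visitor address is on the approved list."""
    return not _in_any(client_ip(peer_ip, headers), APPROVED_IPS)
```

The second case in the test below is the situation from the question: the request arrives through the proxy, the visitor address is not restored, and the approved office IP is never seen.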

Hi. Thanks a lot for your answer.

I have set our IP to “allow” under WAF => IP access rules. Should I change or adjust any other WAF or security settings?

Based on the following sentence, this sounds to be the only thing you’ve done so far?

Via “Custom Rules”, I would suggest looking into forcing a block of access to the specific parts of your site that you don’t wish “strangers” to be able to access.

Unless you add something to make sure that all that doesn’t match your allowed list is actually being blocked, I wouldn’t count on the WAF to work exactly as you expect.

One previous example I made, was for example this one:

https://dash.cloudflare.com/?to=/:account/:zone/security/waf/custom-rules

For the operator for e.g. “IP Source Address”, you can also select “is not in list”, which should work together with the lists you can create here:

https://dash.cloudflare.com/?to=/:account/configurations/lists