How to add local network to trusted IPs using cloudflare apache module?


#1

Hello,

My first post. So the stress of sounding like a complete noob is real lol!

I have an apache 2.4 server running fine in a freenas jail. The cloudflare module is added and loaded. I am able to successfully use the DenyAllButCloudFlare directive but for some reason unable to add my local network to trusted/allowed IPs. I tried the following, both right above the DenyAllButCloudFlare line and simply at the bottom of the httpd.conf file.

CloudflareRemoteIPTrustedProxy 192.168.1.
also
CloudflareRemoteIPTrustedProxy 192.168.1.0/16

No luck with either.

Any thoughts on this?


#2

Did you try to add your subnet to /etc/apache2/mods-enabled/cloudflare.conf file just after Cloudflare subnets (in the same line)?


#3

@komarEX

I am not sure I have cloudflare.conf file anywhere…I am guessing the path you mentioned is in linux systems. Since I am using FreeNAS (FreeBSD derivative), I checked these paths:

/usr/local/etc/apache24/extra
/usr/local/etc/apache24/modules.d

I did a search for ‘cloudflare.conf’ in the system and could not find one. I guess the module I installed does not automatically come with a .conf file to work with…Thoughts on this? I suppose I can manually include it but not sure where to get it from.


#4

Where did you get your cloudflare module for apache2 from?


#5

I installed using pkg shell command: ‘pkg install ap24-mod_cloudflare’


#6

Just to take a step back a moment here - what issue are you trying to solve by placing this instruction in your Apache configuration?

To explain a bit - the CloudflareRemoteIPTrustedProxy directive instructs the mod_cloudflare Apache module to trust the visitor IP headers supplied from the IPs you specify in the directive.

This is to ensure Apache logs (and applications running on Apache) receive the real visitor IP. It does not do anything more (or less) than that.

So if you’re trying to solve a different problem can you clarify and we can probably advise you differently.


#7

@simon

I am trying to have my apache server only accept traffic coming from CloudFlare and my local network…So all other traffic should be denied. I was using allow and deny directives (denying all but allowing specific IPs) to allow Cloudflare’s IPs and my local network IPs. I then found out about using the CloudFlare module instead of specific IPs so decided to go with it – I assumed that this way I do not have to add and manually maintain those allowed IPs list (and sure, to also get visitors’ real IP). To my surprise, the cloudflare module’s ‘DenyAllButCloudFlare’ is preventing local network traffic, not just remote connections. Not sure why that is, but I would like to find a way to keep using the module but continue to allow local network traffic. The little bit of googling and forum digging led me to believe that using ‘CloudFlareRemoteTrustedProxy’ can accomplish this but I am not sure about that.


#8

No one knows :cry:


#9

@saeed ah thanks for clarifying. You’re correct - if you configure the CloudflareRemoteIPTrustedProxy directive for the local IPs that need to talk to your Apache instance and then enable the DenyAllButCloudFlare directive this will serve an HTTP 403 to the client.

When you say it doesn’t work, can you clarify what behaviour you see? What HTTP response is returned to those IPs that are whitelisted… what is seen in the apache access / error log?


#10

@simon Here is my log file: httpd-access.log

The log file shows a bunch of HTTP 403 given to the white-listed IPs. I have the following in my httpd.conf:

<IfModule cloudflare_module>
CloudFlareRemoteIPHeader X-Forwarded-For
CloudFlareRemoteIPTrustedProxy 127.0.0.1
CloudFlareRemoteIPTrustedProxy 192.168.1.111
DenyAllButCloudFlare
</IfModule>

The behavior that I would like to have is to allow the whitelisted IPs.


#11

Can you try a cURL from one of those IPs while it is enabled? Are you 100% sure that configuration is being applied to the virtualhost you are seeing those logs from?


#12

@simon I tried cURL and it fetched the 403 error page. The exact output here

Well, I am not using the configuration in any particular virtualhost. I have those lines written at the bottom of the httpd.conf file and I know that it is applied because if I comment out the DenyAllButCloudFlare and restart Apache, all access from any IP address will be restored and functional. If it helps, here is my httpd.conf for your review. I replaced a couple of things in the file with Xs for privacy purposes.


#13

:cry:


#14

So given this configuration:

<IfModule cloudflare_module>
CloudFlareRemoteIPHeader X-Forwarded-For
CloudFlareRemoteIPTrustedProxy 127.0.0.1
CloudFlareRemoteIPTrustedProxy 192.168.1.111
DenyAllButCloudFlare
</IfModule>

What you’re saying is that when either 127.0.0.1 or 192.168.1.111 connect then they will supply an X-Forwarded-For header containing a trusted IP.

I suspect that for the 403s you are seeing for 127.0.0.1, for example, X-Forwarded-For is either not supplied or does not contain 127.0.0.1.
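To make the rule described in #6 and #14 reproducible offline, here is an added model of the decision (example code, not the thread's configuration or mod_cloudflare's own source): a peer must be a listed proxy and must send the configured header before its value is used as the visitor IP, and DenyAllButCloudFlare answers everything else with 403. The trusted ranges, the right-to-left handling of multi-hop headers and the 203.0.113.0/24 stand-in for Cloudflare's published edge ranges are assumptions.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple


def parse_trusted(entries: Iterable[str]) -> List:
    # Directive values may be single hosts or CIDRs. strict=False mirrors the
    # fact that the thread's '192.168.1.0/16' attempt really denotes 192.168.0.0/16.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_trusted(peer: str, trusted: List) -> bool:
    # Raises ValueError for a non-IP string; callers decide how to treat that.
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in trusted)


def client_from_header(xff: str, trusted: List) -> Optional[str]:
    # Assumed handling: walk X-Forwarded-For right to left and take the first
    # hop that is not itself a trusted proxy; if every hop is trusted, keep the last.
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted(hop, trusted):
                return hop
        except ValueError:
            continue  # not an IP literal, skip it
    return hops[-1] if hops else None


def decide(peer: str, xff: Optional[str], trusted: List, deny_all: bool) -> Tuple[int, str]:
    """Return (HTTP status, effective client IP).

    peer - TCP source address Apache sees (REMOTE_ADDR)
    xff  - value of the CloudFlareRemoteIPHeader, or None when absent
    The header is honoured only when the peer is a trusted proxy; with
    DenyAllButCloudFlare on, a missing header or an untrusted peer yields 403.
    """
    client = client_from_header(xff, trusted) if xff is not None else None
    if client is None or not is_trusted(peer, trusted):
        return (403 if deny_all else 200), peer
    return 200, client


# The thread's configuration (#10/#14) plus a constructed placeholder range
# standing in for Cloudflare's edge networks (203.0.113.0/24 is a documentation block).
THREAD_TRUSTED = parse_trusted(["127.0.0.1", "192.168.1.111", "203.0.113.0/24"])

if __name__ == "__main__":
    # A LAN browser sends no X-Forwarded-For, so it is denied even though it is listed...
    print(decide("192.168.1.111", None, THREAD_TRUSTED, True))          # (403, '192.168.1.111')
    # ...while a request relayed by the stand-in edge with the header is accepted.
    print(decide("203.0.113.7", "198.51.100.9", THREAD_TRUSTED, True))  # (200, '198.51.100.9')
```

Commenting out DenyAllButCloudFlare corresponds to `deny_all=False`, which is why every client is served again in #12 while IP restoration still works for trusted peers.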


#15

@simon Wait. Are you saying that I need to somehow modify local requests by adding an X-Forwarded-For header containing my trusted local IPs?? How can I do that?


#16

mod_cloudflare is primarily designed for the restoration of visitor IPs from trusted proxies - as such I’m not sure it’s really suitable for your use case as it sounds like those local services aren’t proxies.

If you want to control access to your origin I’d recommend you use a full Network firewall (such as iptables) for that, and use mod_cloudflare just to do the visitor IP restoration for Cloudflare.


#17

Ah ok. I guess I will stop using the DenyAllButCloudFlare then and use the module only to restore visitors’ IP.


#18

Great - I think that should get everything working for you.