Prevent visitors bypassing cloudflare

Hi

I have noticed some requests are bypassing cloudflare.

I have seen a post, from a few years ago, advising adding this to the htaccess file in order to prevent this happening.

RewriteEngine On
RewriteCond %{HTTP:CF-IPCountry} ^$
RewriteRule ^ - [F,L]

Is this still considered to be the best approach? I am on shared hosting so cannot use argo tunnel, authenticated origin pulls etc.

Do I need to substitute some values in the above code or just use it as is?

Thanks

John


I believe the real ip header for Cloudflare is CF-Connecting-IP. So something like this should work:

RewriteEngine On

# block if request header CF-Connecting-IP doesn't exist
RewriteCond %{HTTP:CF-Connecting-IP} ^$
RewriteRule ^ - [F]

Quick Edit:

As everyone else has mentioned, this is a poor way to try and block non-Cloudflare users.

That may have been a post of mine from years ago. It’s not a very secretive way to do it since someone can fake that header.

Now a better option would be to use a Transform Rule to add a secret header:
https://developers.cloudflare.com/rules/transform/request-header-modification/examples#add-an-http-request-header-with-a-static-value

And then check for that in .htaccess instead of CF-Connecting-IP.

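Putting the two halves of that suggestion together, as an added example rather than anyone's config from this thread: the origin-side .htaccess check for a secret header that a Transform Rule sets. The header name X-Origin-Secret and the placeholder value are assumptions; the Transform Rule itself is created in the Cloudflare dashboard following the linked docs page (add a request header with a static value) and has no Apache syntax.

```apache
# .htaccess on the origin (Apache 2.4 with mod_rewrite enabled).
# Assumes a Cloudflare Transform Rule that sets the request header
#   X-Origin-Secret: REPLACE_WITH_LONG_RANDOM_VALUE
# on every request before it is proxied to this server.
# A "set static value" rule overwrites any value a client sends for the
# same header, so a visitor coming through Cloudflare cannot supply their own.
RewriteEngine On

# Use a long random value made only of letters and digits so it needs
# no regex escaping (generate it with e.g. `openssl rand -hex 32`).
# Deny (403) any request whose header does not exactly match the secret.
# This covers both a missing header and a wrong or guessed value, unlike
# the "header is empty" check from the old post.
RewriteCond %{HTTP:X-Origin-Secret} !^REPLACE_WITH_LONG_RANDOM_VALUE$
RewriteRule ^ - [F]

# Caveats this check does not remove:
# - Requests that reach the origin directly are still parsed by Apache
#   before being refused, so this is a filter, not a shield; a provider
#   firewall limited to Cloudflare's IP ranges on 80/443 is stronger.
# - The value travels in cleartext between Cloudflare and the origin
#   unless the origin side is HTTPS; rotate it if it may have leaked.
# - Change the header name or value in both places at the same time,
#   otherwise Cloudflare's own traffic is refused as well.
```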

No. As @sdayman will agree, it's a bodge that should only be used as a last resort, and does not prevent visitors bypassing Cloudflare, and means your Origin server still has to process all the requests. Using a Transform Rule secret header is more reliable (as an attacker should not know the secret header).

Does your hosting provider allow you to create firewall rules? If so, have them deny all requests to your web server on ports 80 and 443 except when they come from Cloudflare's IP range. This has the benefit that your web server never has to process attack traffic at all.


Thanks for your help Jake

Thanks for your help. I will try the transform rule method as you suggest.

Thank you very much for your help. There are no firewall rules available for the server on the FastComet cPanel, but I'll ask their support dept if there is any chance they could do this for me.

Pretty sure the answer will be no though, as it's shared hosting. So the transform rule will probably be the way to go.

Can I please check? Is this what I need to do:

I had never heard of a transform rule but I now understand what you mean. Much easier than using a worker.

Cloudflare just gets better and better.

Everything up and running now.

Thanks again for your help


Essentially yes. That blog was written before Transform Rules, so the worker element can be replaced with a Transform rule. The rest of the Apache config is the same.

cc. @floripare (Perhaps the blog could be updated to use a Transform Rule Request Header Modification?)


Thanks for the heads-up, @michael, I’ll update as soon as I can.

EDIT: The post on my blog has been updated. It links to the old post using Workers for those who may have used up all their Transform Rules with other stuff.
