Restricting access to url for ips in list not working

What is the name of the domain?

What is the error number?

No error

What is the error message?

no error

What is the issue you’re encountering

I have IPv4 addresses in my “allow” list for an admin URL. Sometimes they come in as IPv6.

What steps have you taken to resolve the issue?

Truly, I don’t know what to do. I used to restrict access to the admin URL through htaccess.
Then we started using Cloudflare, and I am trying to make a custom rule that says: if the address
is not in the list, then block it. It works some of the time, but then randomly starts blocking my
access. I looked into it, and it is because sometimes I present an IPv6 address, even though
“What is my IP” shows both an IPv4 and an IPv6, and the IPv4 is in the allow list.

What feature, service or problem is this related to?

I don’t know

What are the steps to reproduce the issue?

Use
(http.request.uri.path wildcard r"/adminXYZ/*" and not ip.src in $adminips)
Then BLOCK and show the default WAF block page (403).

At first sight, it might be the wildcard issue here for the path.

Can you try to switch wildcard with contains?

May I ask if you’ve considered restricting your “admin area” using Cloudflare Access? A much better solution nowadays:

It’s easier for you and your colleagues to work like that: you can authenticate with a PIN code using your e-mail, even restrict by country, etc., with no need to add IP addresses or create lists.

Below is an example for WordPress admin; the same steps apply, you’d just have to write a different path, e.g. /administration/ instead of /wp-admin/ or wp-login.php:

Is the DNS record proxied (orange cloud)? Otherwise, the WAF wouldn’t apply.

Meaning, your local ISP provides both IPv4 and IPv6?
You’d have to list IPv6 as well, or allow the whole ASN (not great).
Go with Cloudflare Zero Trust and add your application example.com/adminXYZ, then create an Access policy where [email protected], [email protected], [email protected] are the only ones who are allowed to access the website once authenticated with a PIN code (or some other authentication method you choose and configure).


I have tried all permutations of wildcard, contains, etc.

I will take a look at Cloudflare Access. I did not know of its existence. I will take a look at Zero Trust, Access, etc.

I don’t want my situation to be so deeply intertwined with cloudflare that I cannot easily tell where a problem is when a problem occurs. I want to be able to turn off cloudflare if necessary and still be functioning albeit more slowly and with less security.

Thanks very much for your help.

Sam

You don’t connect from both an IPv6 and an IPv4 address at the same time. If you want to be able to connect when using a v4 or v6 address, it needs to be in the allow list.

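To make the point of the two replies above concrete, here is an added example (not Cloudflare’s code and not from the original poster) that models the custom rule from the question, `(http.request.uri.path wildcard r"/adminXYZ/*" and not ip.src in $adminips)`, against the same visitor arriving once over IPv4 and once over IPv6. The addresses, the allow lists and the `/48` home prefix are constructed from documentation ranges; the `*` glob is an approximation of Cloudflare’s `wildcard` operator, not its exact semantics.

```python
"""Model of the custom rule discussed in the thread (added example, not
Cloudflare's code). It shows why an IPv4-only allow list blocks a dual-stack
client whenever that client happens to arrive over IPv6, and that adding the
client's IPv6 prefix to the list fixes it.

The path match uses a simple '*' glob; treat it as an approximation of
Cloudflare's `wildcard` operator, not its exact semantics.
"""
import fnmatch
import ipaddress

# Constructed sample allow lists using documentation ranges, not real addresses.
ADMIN_IPS_V4_ONLY = ["203.0.113.10", "198.51.100.0/24"]
ADMIN_IPS_DUAL = ADMIN_IPS_V4_ONLY + ["2001:db8:1234::/48"]  # home IPv6 prefix added


def parse_list(entries):
    """Turn allow-list strings into networks; a bare address becomes a /32 or /128."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def ip_in_list(src, networks):
    """Equivalent of `ip.src in $list`: a v4 source only matches v4 networks,
    a v6 source only matches v6 networks."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == net.version and addr in net for net in networks)


def path_matches(path, pattern):
    """Approximation of `http.request.uri.path wildcard r"/adminXYZ/*"`."""
    return fnmatch.fnmatchcase(path, pattern)


def should_block(path, src, allowlist, pattern="/adminXYZ/*"):
    """The rule: (path wildcard pattern and not ip.src in $adminips) -> block."""
    return path_matches(path, pattern) and not ip_in_list(src, parse_list(allowlist))


def decisions(allowlist):
    """Run the rule over constructed requests: the same home arriving over v4
    and over v6, a stranger, and a non-admin path."""
    requests = [
        ("/adminXYZ/login", "203.0.113.10"),        # home, over IPv4
        ("/adminXYZ/login", "2001:db8:1234:5::1"),  # same home, over IPv6
        ("/adminXYZ/login", "192.0.2.77"),          # stranger
        ("/blog/post-1", "192.0.2.77"),             # not the admin path
    ]
    return {(p, s): should_block(p, s, allowlist) for p, s in requests}


if __name__ == "__main__":
    for name, lst in [("v4 only", ADMIN_IPS_V4_ONLY), ("dual stack", ADMIN_IPS_DUAL)]:
        print(f"--- allow list: {name}")
        for (p, s), blocked in decisions(lst).items():
            print(f"{'BLOCK' if blocked else 'allow'}  {s:24} {p}")
```

With the v4-only list the IPv6 request to the admin path is blocked even though the visitor’s IPv4 address is listed; with the dual-stack list both arrive as allowed. The practical check is to add the ISP-assigned IPv6 prefix (typically a `/64` or `/56`, here assumed as a `/48`) rather than a single `/128`, since the individual IPv6 address a device uses changes far more often than the prefix.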

Hello All,
My testing seems to be behaving better today.
The way I was testing could be the issue.
What I did was:
a) Allowed my network IP in the allowed IP list
b) Put my phone on the local network
c) Tried to log in from my phone, but it did not work the first time
d) Made some rapid changes, and I think this screwed it up
e) Waited overnight and tried from my phone on the local network, and it worked
f) Turned off Wi-Fi on my phone and tried to log in, and it still worked
g) Waited a while, took the dog for a walk, and then tried again and was blocked (as expected)
h) Tried the same things at work (different public IP) and it seems to work

So my theory is that sometimes I am testing again too fast,

OR something is being cached for a little while and I have to let it refresh,
and sometimes I present an IPv6 because I have not yet switched from the cell network to Wi-Fi.

Anyway, it seems to be working if I am patient. Slow is smooth and smooth is fast.

Thanks very much for your help. I will still investigate Cloudflare Access.
Thanks
Sam


Hello,
It’s happening again.
I do not know why my home network presents an IPv6 to Cloudflare but an IPv4 to htaccess.

If I restrict admin access to certain IPs using htaccess, I can do that using my IPv4.
If I do it using Custom Rules and an admin IP allow list (which is all IPv4 addresses), Cloudflare sometimes receives an IPv4 and sometimes an IPv6.
Why is that?
It happens from my desktop and my phone.
I know Cloudflare Access could be a good solution, but I have to learn that now. If someone could point me to some example of using Cloudflare Access to allow certain emails to get to a URL, that would be wonderful. Also, these emails: are they allowed to put them in, or should they be where their browser is logged in? Because they could be different emails.

Anyway, thanks in advance for your help. A little frustrated. I do not understand why Cloudflare gets IPv4s some of the time and IPv6s some of the time.

Sam
