What do I whitelist for a CF LoadBalancer?

Hello,

We have a LoadBalancer and want to use it with multiple OVH VPS as a proxy.
I intend to secure the VPS with the firewall provided by OVH, which allows connections to be blocked before routing, and thus before they reach the VPS.

I was wondering whether, in order for the load balancer to access the machine and transfer the requests, all the IP ranges of Cloudflare must be accepted by the firewall?
If this is not the case, does the LoadBalancer spoof the requests sent to the original servers with the original IP?

Thanks in advance :slight_smile:

Correct. You can find those at IP Ranges.

Cloudflare includes the original IP in a header, cf-connecting-ip.
There's also a guide for some common webservers on how you can automatically have them use the IP that Cloudflare forwards: https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs

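As an added example (not code from the thread or from Cloudflare), the two defender-side pieces the answer above implies: an allow-list of Cloudflare's published ranges for the firewall, and a check that only honours cf-connecting-ip when the TCP peer really is a Cloudflare edge. The range list below is a short illustrative sample, not the full published list, and the header dictionary is constructed input.

```python
import ipaddress

# Illustrative sample of published Cloudflare ranges (NOT the full list);
# a real deployment must fetch the current list from the IP Ranges page.
SAMPLE_CLOUDFLARE_RANGES = [
    "173.245.48.0/20",
    "103.21.244.0/22",
    "2400:cb00::/32",
]


def build_networks(cidrs):
    """Parse CIDR strings once so membership checks are cheap."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_cloudflare_peer(peer_ip, networks):
    """True when the L3/L4 peer (what iptables/OVH firewall sees) is a CF edge."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in networks)


def client_ip(peer_ip, headers, networks):
    """Address to log or rate-limit on, given the TCP peer and request headers.

    headers: dict of lower-cased header names -> values, as a web app sees them.
    The header is only trusted when the connection itself came from Cloudflare;
    otherwise anyone could forge cf-connecting-ip to impersonate another client.
    """
    if not is_cloudflare_peer(peer_ip, networks):
        return peer_ip
    raw = headers.get("cf-connecting-ip")
    if raw is None:
        return peer_ip
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        # Malformed header value: fall back to the peer rather than trust garbage.
        return peer_ip


def iptables_rules(cidrs, port):
    """Render ACCEPT rules that let only the listed ranges reach `port`.

    Pair these with a default DROP policy (or a final DROP rule) on the chain.
    """
    rules = []
    for net in build_networks(cidrs):
        binary = "ip6tables" if net.version == 6 else "iptables"
        rules.append(f"{binary} -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT")
    return rules
```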

Hello @arunesh90 !

Thanks for your quick response :slight_smile:

The problem is that the OVH VPS must first process the connections with the iptables firewall, and strangely iptables sees the original IP and not the Cloudflare IPs, as if it were spoofed and not a header, since iptables does not read headers by default.

So I was thinking that if my iptables is reading the original IPs, maybe the OVH firewall is reading them too, and I would be in trouble trying to allow only the traffic coming from the LoadBalancer.

Thanks in advance

Could be because the OVH firewall is reading the X-Forwarded-For header, which works very similarly to the CF-Connecting-IP header.


Hi @erictung,

Thanks for your response :slight_smile:

It is iptables that currently reads the correct IPs, not the OVH firewall. But it is explained that iptables does not read headers such as X-Forwarded-For and Connecting-IP. That's why I think it's spoofed; otherwise I don't understand how iptables can handle them.

Thanks.
