Hi there, I’ve googled and searched here but haven’t found this specific issue.
I’m trying to:
- whitelist an EC2 instance to only listen to requests coming from Cloudflare
- set up Zone Lockdown on Cloudflare to whitelist specific IP addresses to the URL of that EC2 instance.
EC2 instance has an app running on port 80.
DNS entry for that URL/EC2 instance IP is orange cloud (proxied).
SSL is set to Flexible.
In order to hit the app, I have to have:
- my IP address in the Zone Lockdown rule; AND
- my IP address in the AWS security group the EC2 instance is in (allow port 80 from my IP); AND
- Cloudflare IPs in the security group allow.
- Cloudflare IPs in the security group
- my IP in the Cloudflare Zone Lockdown rule - only.
I do see a hit on 80, a 301, then a hit on 443 (in the browser).
I’ve trial-and-errored this a bunch, but I’m hoping someone can point me in the right direction. I have a feeling it’s the Flexible SSL 80/443 setup that’s causing the security group to see both my IP and the Cloudflare IP, but I can’t for the life of me understand how two IP addresses are required in the SG along with presence in the Zone Lockdown. Would love to understand the order of operations.
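An added example (not part of the original post, and not Cloudflare's or AWS's own code) that shows the two checks a practitioner would make when debugging the setup described above: which peer IPs a security group restricted to Cloudflare's edge ranges would admit, and how to build the `--ip-permissions` payload for `aws ec2 authorize-security-group-ingress` so that only those ranges can reach port 80 on the origin. The Cloudflare CIDRs below are a constructed sample so the script runs offline; the live list should be fetched from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 before anything is applied. The log lines are also constructed, and the assumption that a proxied request arrives with a CF-Connecting-IP header carrying the real client address is stated in the code.

```python
import ipaddress
import json

# Constructed sample of Cloudflare edge ranges for an offline run.
# Replace with the current published list (ips-v4 / ips-v6) before use.
SAMPLE_CLOUDFLARE_CIDRS = [
    "173.245.48.0/20",
    "103.21.244.0/22",
    "2400:cb00::/32",
]


def parse_networks(cidrs):
    """Turn CIDR strings into ip_network objects; strict=True rejects a
    range whose host bits are set, which would silently widen the allow."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_from_cloudflare(ip, networks):
    """True if the TCP peer address belongs to one of the edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks)


def build_ingress_permissions(cidrs, port=80):
    """Build the JSON for `aws ec2 authorize-security-group-ingress
    --group-id sg-... --ip-permissions '<this>'`: one tcp rule for the
    origin port covering every v4 range, plus the v6 ranges when present.
    Nothing else (no 'my IP' rule) is needed for proxied traffic, because
    the origin only ever sees the edge address as the peer."""
    v4 = [c for c in cidrs if ipaddress.ip_network(c).version == 4]
    v6 = [c for c in cidrs if ipaddress.ip_network(c).version == 6]
    perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if v4:
        perm["IpRanges"] = [{"CidrIp": c, "Description": "Cloudflare edge"} for c in v4]
    if v6:
        perm["Ipv6Ranges"] = [{"CidrIpv6": c, "Description": "Cloudflare edge"} for c in v6]
    return [perm]


def classify_log_lines(lines, networks):
    """Each constructed line is '<peer_ip> <CF-Connecting-IP or ->'.
    Returns (peer, proxied, real_client). Assumption: when the peer is a
    Cloudflare edge, the CF-Connecting-IP header holds the real client.
    A non-Cloudflare peer reached the origin directly, so Zone Lockdown
    never saw it and any CF-Connecting-IP it sent must be ignored."""
    out = []
    for line in lines:
        peer, cf_ip = line.split()
        proxied = is_from_cloudflare(peer, networks)
        client = cf_ip if proxied and cf_ip != "-" else peer
        out.append((peer, proxied, client))
    return out


if __name__ == "__main__":
    nets = parse_networks(SAMPLE_CLOUDFLARE_CIDRS)
    print(json.dumps(build_ingress_permissions(SAMPLE_CLOUDFLARE_CIDRS, 80), indent=2))
    # Constructed sample: one proxied request, one direct hit on the origin.
    sample = ["173.245.48.7 198.51.100.9", "203.0.113.5 198.51.100.9"]
    for peer, proxied, client in classify_log_lines(sample, nets):
        print(f"peer={peer} via_cloudflare={proxied} client={client}")
```

Run it with the real ranges substituted and compare the `proxied` column against your app's access log: every row should show a Cloudflare peer once the security group contains only the edge ranges, and the client address you put in Zone Lockdown will appear in the CF-Connecting-IP column rather than as the TCP peer.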