CD
Cloudflare Developers3mo ago
shwalker

Smuggling CF CDN IP in headers as Hosting provider does not provide proxy URL

Hey, my hosting provider does not pass in headers IP of Cloudflare CDN server that made the request to the hosting. This limits my options to blocking non-CF traffic in hosting. I wanted to transform request custom header to add an CF IP into it and check on server as .htaccess (using Apache) Require ip does not work... How to define such rule? I started in https://developers.cloudflare.com/ruleset-engine/rules-language/fields/#http-request-header-fields but don't know how to debug what values are even available. For now I use header transform rule that adds custom request header but it might leak and check hostname but it's non-strict as I belife it's spoofable.' Thanks
Cloudflare Docs
Fields reference · Cloudflare Ruleset Engine docs
The Cloudflare Rules language supports a range of field types:
3 Replies
Walshy
Walshy3mo ago
Yeah the CF provided ones are really the only ones you can trust Why does your host remove these headers? That sounds like something you should bring up with them Outside of that, your best bet is as random of a header name as you can do. Security through obscurity is by no means fool proof though. I'd work with your host to get the real headers.
shwalker
shwalker3mo ago
Any way to generate random values in header with a formula that I could also run in hosting to have kind of dynamic key?
shwalker
shwalker3mo ago
@Walshy | Deploying please take a look at similar issue https://community.cloudflare.com/t/no-connecting-ip-been-passed-in-server/319305/2 - I want to restrict access to Origin by .htaccess but Apache Require 2.4 rules do not work even if documented as such https://help.ovhcloud.com/csm/en-web-hosting-htaccess-ip-restriction?id=kb_article_view&sysparm_article=KB0052844 (my provider is OVH I've asked their support but it will take a while for a response, I will make sure to follow up here)
Tutorial - How do I block access to my website for certain IP addre...
Find out about the actions you can take via a .htaccess file to block access to your website for certain IP addresses
Want results from more Discord servers?
Add your server
More Posts
Accessing files in a workerLet's say I have files like this in a worker, the `data.json` file may not always be a JSON file (noHow to access R2 buckets with jurisdiction from CF Pages?Hi, I'm using Cloudflare Pages and R2 Buckets with Jurisdiction EU. I can access the buckets from WoCloudflare IPI am developing a new minecraft server, and I am in charge of figuring out the IP issues. As of righUncaught (in response) Error: The script will never generate a responseHi all, I get the below error when a WebSocket client gets **disconnected**: `✘ [ERROR] Uncaught (iZero Trust asking for me to specify plan againWhy is my zero trust dashboard asking for me to specify a plan again? I'm already on the free one.using Mongoose with cloudflare workers?hey all, i'm trying to create a worker that uses mongodb + mongoose alongside hono, i currently havecannot download 1.1.1.1 wrapwhat should i do here?Owning a domain as a minorHey, I am 14 and I was wondering if it's possible for me to legally own a domain. As far as I've loo