Using access control

[tth]

Hello Everyone,

I am using Litespeed and Cloudflare as a CDN plus proxy for a website.
I want set a restriction at my server level so that server will only accept request come through Cloudflare and deny all.

How can I do this.

I tried using access control feature of litespeed.
But if I enable this, site and cpanel stats program not able to identify visitor actual IP (client ip in header).

How can I fix this. Thank in advance.

 

[NiteWave]

I tried using access control feature of litespeed.

can you be more specific about "access control feature of litespeed"?

here's link about how to have litespeed work with cloudflare:
https://support.cloudflare.com/hc/e...-original-visitor-IP-with-a-LiteSpeed-server-

 

[tth]

can you be more specific about "access control feature of litespeed"?

here's link about how to have litespeed work with cloudflare:
https://support.cloudflare.com/hc/e...-original-visitor-IP-with-a-LiteSpeed-server-

I enabled Client IP in Header in Configuration.
And added cloudflare IP's "Allowed List" and put "ALL" in "Denied List".
Now tried browsing site, I received error- "The requested resource could not be loaded because the server returned an error:
403 Forbidden (?)."

 

[NiteWave]

And added cloudflare IP's "Allowed List" and put "ALL" in "Denied List".

can you post the detail info here?
maybe need put a trailing T to cloudflare's IPs

 

[tth]

can you post the detail info here?
maybe need put a trailing T to cloudflare's IPs

I added IP's in allowed list as below-

199.27.128.0/21
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/12
2400:cb00::/32
2606:4700::/32
2803:f800::/32
2405:b500::/32
2405:8100::/32

Is this correct format?

 

[NiteWave]

put a trailing T to cloudflare's IPs

so:

199.27.128.0/21T
173.245.48.0/20T
103.21.244.0/22T
103.22.200.0/22T
103.31.4.0/22T
141.101.64.0/18T
108.162.192.0/18T
190.93.240.0/20T
188.114.96.0/20T
197.234.240.0/22T
198.41.128.0/17T
162.158.0.0/15T
104.16.0.0/12T
2400:cb00::/32T
2606:4700::/32T
2803:f800::/32T
2405:b500::/32T
2405:8100::/32T

 

[tth]

so:

199.27.128.0/21T
173.245.48.0/20T
103.21.244.0/22T
103.22.200.0/22T
103.31.4.0/22T
141.101.64.0/18T
108.162.192.0/18T
190.93.240.0/20T
188.114.96.0/20T
197.234.240.0/22T
198.41.128.0/17T
162.158.0.0/15T
104.16.0.0/12T
2400:cb00::/32T
2606:4700::/32T
2803:f800::/32T
2405:b500::/32T
2405:8100::/32T

Still same 403 Forbidden error.

 

[NiteWave]

I mimic above rules on local litespeed box, looks working -- if the 1.2.3.4T is allow list, even deny list is ALL, still can access from 1.2.3.4T

so if you remove ALL from "Denied List", there should be no "403 Forbidden" ?

and can you test on a simple static page, like /readme.html ?
also be noted,
127.0.0.1T and your server's IP may need put in Allowed List (with trailing T) as well -- some scripts on the server may need access 127.0.0.1:2083 etc.

 

[tth]

I mimic above rules on local litespeed box, looks working -- if the 1.2.3.4T is allow list, even deny list is ALL, still can access from 1.2.3.4T

so if you remove ALL from "Denied List", there should be no "403 Forbidden" ?

and can you test on a simple static page, like /readme.html ?
also be noted,
127.0.0.1T and your server's IP may need put in Allowed List (with trailing T) as well -- some scripts on the server may need access 127.0.0.1:2083 etc.

I did all change you suggested, and tested with .txt file.
But still same.

It only work if I choose "Trusted IP Only" from "client IP header option". But this way, cpanel and other stats program only identify cloudflare IP as visitor IP.

 

[NiteWave]

Hi, I think I've just got the whole picture of this case.

the best solution should be:
1.
lsws web admin -> Server -> General -> Use Client IP in Header:Yes

2.
lsws web admin -> Server -> Security -> Access Control, revert back to default settings
e.g,,
Allowed List: ALL
Denied List: (Not Set)

3.on OS firewall level, implement:
"server will only accept request come through Cloudflare and deny all."
this is easy for iptables to do it.

 

[tropicalserver]

Hello

In your WIKI you include the "ALL" settings + the Cloudflare IPs list:

https://www.litespeedtech.com/suppo...ed_wiki:config:show-real-ip-behind-cloudflare

Why are including the ALL settings? Is a typo? Has no sense include all IPS and after adding the Cloudflare IPs...

Thanks

 

[NiteWave]

ALL is required.

ALL, 103.21.244.0/22T,

cloudflare IP with an trailing "T", this is the difference.
T means trusted IP, it will not be blocked by web server even if it's established many connections which has exceed the limit.
the limit is defined in "Per Client Throttling" -- https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:config:mitigating-ddos-attacks

 

[tropicalserver]

Ok, I understand it now

Thanks