I read that as of v5.4.9, Cf's IPs are trusted by default, so how do I block traffic that doesn't come from them?
In .htaccess, I've tried this:

Apache config:
Require all denied
Require ip 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22

and this:

Apache config:
Order Allow,Deny
Allow from 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22

I've also tried both wrapped in a <RequireAny> tag.

Also tried the Access Control lists in the config manager GUI, even though you advise not to. It kills the whole site because every request gets a 403 response, but I can see in my browser's dev tools that the request is definitely going through Cloudflare. It's behaving as though Litespeed trusts Cloudflare, thus sets the remote address of the request to my real IP (based on the header Cloudflare sets) but then that real IP doesn't match the Cf IP ranges I've set, so the request is blocked.

If it's not as I suspect, then why is this simple Require ip rule failing? I've also tried it without the Require all denied which doesn't get denied through Cf, but nor is it denied when I force a direct request to the server from the command line using cURL, e.g.:

Bash:
curl --resolve myhost.example:443:11.22.33.44 https://myhost.example/real-page --dump-header - | less

I get 200.

The normal rules are blocking either everything or nothing at all, so how do I limit traffic to only that which comes from Cloudflare?
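
The behaviour suspected in the post above, modelled as an added example (not part of the original post, and not LiteSpeed's code): an allow-list evaluated after a trusted-proxy rewrite sees the visitor's address and denies everything, while the same list evaluated against the TCP peer admits only Cloudflare. The function names, the sample addresses and the use of Cloudflare's CF-Connecting-IP header are assumptions of this example.

```python
import ipaddress

# Cloudflare ranges exactly as listed in the post's Require ip / Allow from rules.
CF_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 "
    "141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 "
    "197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 "
    "104.24.0.0/14 172.64.0.0/13 131.0.72.0/22").split()]


def in_cloudflare(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CF_RANGES)


def effective_client(peer, headers):
    """Trusted-proxy rewrite: honour the header only when the peer is Cloudflare."""
    claimed = headers.get("CF-Connecting-IP")  # assumed header name
    if claimed and in_cloudflare(peer):
        try:
            return str(ipaddress.ip_address(claimed.strip()))
        except ValueError:
            return peer  # malformed header: fall back to the socket address
    return peer


def status(peer, headers, match_on):
    """Apply the allow-list to the rewritten client IP ("client") or the TCP peer ("peer")."""
    subject = effective_client(peer, headers) if match_on == "client" else peer
    return 200 if in_cloudflare(subject) else 403


# Constructed sample requests (documentation addresses, not real traffic).
VISITOR = "203.0.113.7"
VIA_CF = ("172.64.1.10", {"CF-Connecting-IP": VISITOR})   # proxied by Cloudflare
DIRECT = (VISITOR, {})                                    # curl --resolve style
SPOOFED = (VISITOR, {"CF-Connecting-IP": "172.64.1.10"})  # direct, forged header

if __name__ == "__main__":
    for name, (peer, hdrs) in (("via CF", VIA_CF), ("direct", DIRECT),
                               ("spoofed", SPOOFED)):
        print(f"{name:8} rule on client IP: {status(peer, hdrs, 'client')}"
              f"  rule on peer: {status(peer, hdrs, 'peer')}")
```
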