How to ensure that a request is really proxied by CloudFlare?

对着背影说爱祢 submitted on 2021-02-19 05:21:04

Question


In one of our projects we use CloudFlare and its cf-connecting-ip header to get the visitor's IP address. But I'm not sure that this info can be fully trusted. For example, a bad user who has somehow obtained the real IP of our server could connect directly to it, put a fake IP address in the cf-connecting-ip header, and pretend that it was a legitimate CF-proxied request.

I examined the headers of CF-proxied requests and saw the cf-request-id header. But it's unique per request, and I cannot see any fixed secure key there which I could use to verify that the request was legitimate.

How to ensure that a request was really proxied by CF?


Answer 1:


You may want to use the Authenticated Origin Pulls feature from Cloudflare:

Authenticated Origin Pulls let origin web servers strongly validate that a web request is coming from Cloudflare.
We use TLS client certificate authentication, a feature supported by most web servers, and present a Cloudflare certificate when establishing a connection between Cloudflare and the origin server.
By validating this certificate in origin server configuration, access can be limited to Cloudflare connections.

You will need to download the client certificate from Cloudflare and configure your webserver to enforce the certificate check.

The referenced page has instructions on how to set up client certificate in Apache and Nginx.
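As an added illustration of the answer above (this is example configuration written for this page, not Cloudflare's own documentation or the original answer), here is an Nginx origin vhost that enforces Authenticated Origin Pulls. The hostname, certificate paths, and backend address are assumptions; the CA file is the certificate downloaded from the page the answer references.

```nginx
# Added example, not from the original answer. Hostname, file paths and the
# backend address below are assumptions for illustration.
server {
    listen 443 ssl;
    server_name origin.example.com;   # assumed origin hostname

    # The origin's own server certificate and key (assumed paths).
    ssl_certificate     /etc/nginx/certs/origin.crt;
    ssl_certificate_key /etc/nginx/certs/origin.key;

    # The Cloudflare origin-pull CA certificate downloaded from the page
    # referenced in the answer (assumed path). Nginx will only complete a
    # TLS handshake when the client presents a certificate that chains to
    # this CA; anyone else is rejected with HTTP 400 before reaching the app.
    ssl_client_certificate /etc/nginx/certs/cloudflare_origin_pull_ca.pem;
    ssl_verify_client on;

    location / {
        # ssl_verify_client on has already rejected direct connections that
        # did not present a Cloudflare-signed client certificate, so at this
        # point the request came through Cloudflare and CF-Connecting-IP can
        # be forwarded to the application as the visitor's address.
        proxy_set_header X-Real-IP $http_cf_connecting_ip;
        proxy_set_header Host      $host;
        proxy_pass http://127.0.0.1:8080;   # assumed application backend
    }
}
```

Two practical points on top of the server-side configuration: the feature also has to be enabled for the zone on the Cloudflare side, otherwise Cloudflare's edge will not present the client certificate and your own proxied traffic will be rejected; and the Cloudflare-provided certificate is shared by all Cloudflare customers, so the check proves that the connection came from Cloudflare's network, not that it came through your particular zone. A quick check after reloading Nginx is to connect to the origin directly without a client certificate and confirm you get a 400 response rather than application content.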



Source: https://stackoverflow.com/questions/63965194/how-to-ensure-that-a-request-is-really-proxied-by-cloudflare
