Home CentMinMod Getting real IP in Nginx when behind cloudflare Haproxy

Getting real IP in Nginx when behind cloudflare Haproxy

Create a file named cloudflare_ips.ls and in that add all the cloudflare IP’s

vi /etc/haproxy/cloudflare_ips.ls
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/12
172.64.0.0/13
131.0.72.0/22
2400:cb00::/32
2606:4700::/32
2803:f800::/32
2405:b500::/32
2405:8100::/32
2a06:98c0::/29
2c0f:f248::/32

Now in your haproxy configuration add

acl from_cf    src -f /etc/haproxy/cloudflare_ips.lst
http-request set-src req.hdr(CF-Connecting-IP) if from_cf

So your configuration will look like

frontend https
   mode http
   bind *:443 ssl crt /etc/letsencrypt/live/web.bullten.work/web.bullten.work.pem alpn h2,http/1.1


   option forwardfor

    http-request track-sc0 src table per_ip_rates
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 10 }

    acl from_cf    src -f /etc/haproxy/cloudflare_ips.lst
    http-request set-src req.hdr(CF-Connecting-IP) if from_cf

   default_backend app-main

This was haproxy will record real IP of user and send it to nginx.

Must Read