I want to allow people to access my page from a specified IP. However, I am behind Cloudflare. The only way to get the user IP is from the X-Forwarded-For header. But I cannot trust X-Forwarded-For, because people can bypass Cloudflare and directly access my server IP (assume they can luckily guess my server IP).
So, I want to allow a list of specific X-Forwarded-For IPs which are from Cloudflare. I know the list of IPs from Cloudflare. Here is what I got so far. Is it right?
SetEnvIF X-Forwarded-For "x.x.x.x" AllowIP
<RequireAny>
    <RequireAll>
        <RequireAny>
            Require ip 199.27.128.0/21
            Require ip 173.245.48.0/20
            Require ip 103.21.244.0/22
            Require ip 103.22.200.0/22
            Require ip 103.31.4.0/22
            Require ip 141.101.64.0/18
            Require ip 108.162.192.0/18
            Require ip 190.93.240.0/20
            Require ip 188.114.96.0/20
            Require ip 197.234.240.0/22
            Require ip 198.41.128.0/17
            Require ip 162.158.0.0/15
            Require ip 104.16.0.0/12
            Require ip 172.64.0.0/13
        </RequireAny>
        Require env AllowIP
    </RequireAll>
    Require ip 127.0.0.1
</RequireAny>
One more thing: how can I allow a LIST OF X-Forwarded-For IPs instead of only one specified IP?
Question Summary
- Is my .htaccess right and secure?
- How to allow a list of IPs instead of a specified IP from X-Forwarded-For?
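Added example, not part of the original post: a Python model of the access decision the .htaccess above expresses, extended to a list of allowed client addresses. The allow-list entries are constructed documentation addresses, the Cloudflare ranges are the ones quoted in the post, and it assumes the proxy appends the connecting address to any X-Forwarded-For header the client already sent, so only the right-most entry is used.

```python
import ipaddress

# Cloudflare ranges exactly as listed in the post (they may be out of date).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in """
199.27.128.0/21 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22
103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20
188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15
104.16.0.0/12 172.64.0.0/13
""".split()]

# Constructed allow list (documentation addresses): single hosts or CIDR blocks.
ALLOWED_CLIENTS = [ipaddress.ip_network(n)
                   for n in ("203.0.113.10", "198.51.100.0/28")]


def _in_any(addr, nets):
    """True if addr falls inside at least one network of the list."""
    return any(addr in net for net in nets)


def is_allowed(peer_ip, xff_header):
    """peer_ip: TCP source address seen by the origin server.
    xff_header: raw X-Forwarded-For value, or None when absent."""
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    if peer.is_loopback:                  # mirrors "Require ip 127.0.0.1"
        return True
    if not _in_any(peer, CLOUDFLARE_NETS):
        return False                      # direct hit on the origin: header untrusted
    if not xff_header:
        return False
    # Assumption: the proxy appends the address it saw to any header the
    # client supplied, so only the right-most entry comes from the trusted hop.
    last = xff_header.split(",")[-1].strip()
    try:
        client = ipaddress.ip_address(last)
    except ValueError:
        return False                      # malformed entry: deny
    return _in_any(client, ALLOWED_CLIENTS)
```

Matching the header against an unanchored pattern instead would also accept a request whose client-supplied left-most entry happens to contain an allowed address.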