
I want to allow people to access my page from a specified IP. However, I am behind Cloudflare. The only way to get the user's IP is from the X-Forwarded-For header. But I cannot trust X-Forwarded-For, because people can bypass Cloudflare and access my server IP directly (assume they can luckily guess my server IP).

So, I want to allow a list of specific X-Forwarded-For IPs which are from Cloudflare. I know the list of IPs from Cloudflare. Here is what I have so far. Is it right?

SetEnvIF X-Forwarded-For "x.x.x.x" AllowIP

<RequireAny>

    <RequireAll>

        <RequireAny>
            Require ip 199.27.128.0/21
            Require ip 173.245.48.0/20
            Require ip 103.21.244.0/22
            Require ip 103.22.200.0/22
            Require ip 103.31.4.0/22
            Require ip 141.101.64.0/18
            Require ip 108.162.192.0/18
            Require ip 190.93.240.0/20
            Require ip 188.114.96.0/20
            Require ip 197.234.240.0/22
            Require ip 198.41.128.0/17
            Require ip 162.158.0.0/15
            Require ip 104.16.0.0/12
            Require ip 172.64.0.0/13
        </RequireAny>

        Require env AllowIP
    </RequireAll>

    Require ip 127.0.0.1
</RequireAny>

One more thing: how can I allow a LIST of X-Forwarded-For IPs instead of only one specified IP?

Question Summary

  • Is my .htaccess right and secure?
  • How to allow a list of IPs instead of a specified IP from X-Forwarded-For?

1 Answer

How to allow a list of IPs instead of a specified IP from X-Forwarded-For?

You can have multiple SetEnvIf directives. (?)

Note that x.x.x.x is a regex, so you could express this as (1\.1\.1\.1|2\.2\.2\.2|3\.3\.3\.3) if there are just a few IP addresses. (Remember to escape the dots.)
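An added example, not part of the original answer: a Python helper that builds the SetEnvIf alternation for a list of IPs with the dots escaped and the pattern anchored, then checks it against constructed header values. The function names are hypothetical, and it assumes that SetEnvIf matches the regex anywhere in the header value unless it is anchored and that X-Forwarded-For may carry a comma-separated list.

```python
import ipaddress
import re

# IPs from the answer's example pattern; header values below are constructed samples.
ALLOWED = ["1.1.1.1", "2.2.2.2", "3.3.3.3"]


def build_pattern(allowed_ips):
    """Build an anchored, dot-escaped alternation for a list of IP addresses."""
    # ip_address() raises ValueError on anything that is not a valid address.
    addrs = [str(ipaddress.ip_address(ip)) for ip in allowed_ips]
    return "^(" + "|".join(re.escape(a) for a in addrs) + ")$"


def build_setenvif(allowed_ips, env_name="AllowIP"):
    """Render the SetEnvIf line that sets env_name on an exact header match."""
    return f'SetEnvIf X-Forwarded-For "{build_pattern(allowed_ips)}" {env_name}'


def header_matches(pattern, header_value):
    """Assumption: SetEnvIf searches unanchored, which re.search reproduces."""
    return re.search(pattern, header_value) is not None


if __name__ == "__main__":
    print(build_setenvif(ALLOWED))
    anchored = build_pattern(ALLOWED)
    # Compare the unescaped, escaped-only and anchored forms on each sample value.
    for pattern in ("1.1.1.1", r"1\.1\.1\.1", anchored):
        for value in ("1.1.1.1", "101.101.1.1", "11.1.1.10", "1.1.1.1, 203.0.113.9"):
            print(f"{pattern!r:45} {value!r:25} {header_matches(pattern, value)}")
```

Only the anchored form rejects every value other than an exact listed address; the escaped but unanchored form still accepts values that merely contain one.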
