@Yann: About your last reply suggesting Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}": I want to restrict access on some virtualhosts only because I want to use some domain names without Cloudflare. It looks like your previous solution with mod_rewrite is better in my case, since Require does not work in virtualhosts (I got the error: "Require not allowed in <VirtualHost> context").
On Sat, 25 Apr 2020 at 13:10, baptx <baptx...@gmail.com> wrote:
> I meant == instead of != like you corrected.
>
>
> On Sat, 25 Apr 2020 at 13:08, baptx <baptx...@gmail.com> wrote:
>
>> Thanks Yann, it worked.
>>
>> I used RemoteIPTrustedProxy instead of RemoteIPTrustedProxyList in
>> /etc/apache2/conf-available/remoteip.conf (from Cloudflare example:
>> https://support.cloudflare.com/hc/en-us/articles/360029696071-Restoring-original-visitor-IPs-Option-2-Installing-mod-remoteip-with-Apache#12345680
>> ).
>> Then I just had to add this in the virtualhosts that I want to protect:
>> RewriteEngine on
>> RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
>> RewriteRule ^ - [F]
>>
>> I tested the bypass like that in case someone is interested (the 4
>> commands should return a 403 Forbidden error):
>> curl http://1.2.3.4 -H "Host: correct.tld"
>> curl http://1.2.3.4 -H "Host: wrong.tld"
>> curl -k https://1.2.3.4 -H "Host: correct.tld"
>> curl -k https://1.2.3.4 -H "Host: wrong.tld"
>> Where 1.2.3.4 should be replaced by your server IP address and
>> correct.tld should be replaced by a correct domain name used by your server.
>> The commands try to bypass the reverse proxy both for HTTP and HTTPS.
>> They also try to guess if a domain name is used by the server, by sending a
>> correct and wrong Host header.
>> To prevent someone from finding which domain name is used by your IP
>> address by looking at the 403 Forbidden error page, the virtualhost used by
>> the IP address should not use the same 403 Forbidden error page as the
>> domain name.
>>
>> Baptiste
>>
>>
>> On Sat, 25 Apr 2020 at 00:24, Yann Ylavic <ylavic....@gmail.com> wrote:
>>
>>> On Sat, Apr 25, 2020 at 12:17 AM Yann Ylavic <ylavic....@gmail.com>
>>> wrote:
>>> >
>>> > Hi,
>>> >
>>> > On Fri, Apr 24, 2020 at 10:49 PM bapt x <baptx...@gmail.com> wrote:
>>> > >
>>> > > Is there a way to have the same functionality as the directive
>>> DenyAllButCloudflare from mod_cloudflare when using mod_remoteip?
>>> > > I would like to block access to users who try to bypass Cloudflare
>>> reverse proxy (e.g. accessing my web server directly by guessing the IP
>>> address). It looks like iptables is not a solution since I still want to
>>> host some websites without Cloudflare.
>>> >
>>> > I did not try, but possibly a mix of mod_remoteip and mod_rewrite like
>>> this:
>>> >
>>> > RemoteIPHeader CF-Connecting-IP
>>> > RemoteIPTrustedProxyList /path/to/proxies.list
>>> > RewriteEngine on
>>> > RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
>>>
>>> Err, this should be:
>>> RewriteCond expr "%{REMOTE_ADDR} == %{CONN_REMOTE_ADDR}"
>>> because mod_remoteip will change REMOTE_ADDR (to the value of the
>>> header) only if CONN_REMOTE_ADDR (the proxy) is trusted, so if both
>>> are equal it means that CONN_REMOTE_ADDR is not a trusted proxy..
>>>
>>> > RewriteRule ^ - [F]
>>> >
>>> > With "proxies.list" containing the same list as mod_cloudflare's ([1]).
>>> >
>>> > Hth,
>>> > Yann.
>>> >
>>> > [1]
>>> https://github.com/cloudflare/mod_cloudflare/blob/master/mod_cloudflare.c#L44
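A small Python model of the decision the thread converges on, added here as an illustration (it is not code from the thread or from httpd): it mimics mod_remoteip replacing REMOTE_ADDR with the CF-Connecting-IP header only when the TCP peer is a trusted proxy, then evaluates the RewriteCond in both the original `!=` form and Yann's corrected `==` form. The trusted ranges, addresses and scenarios are constructed placeholders, not Cloudflare's real list.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed placeholder ranges standing in for the trusted-proxy list
# (proxies.list / RemoteIPTrustedProxy); they are NOT Cloudflare's real ranges.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:cf::/48")]


def is_trusted_proxy(conn_remote_addr: str, trusted: Iterable = TRUSTED_PROXIES) -> bool:
    """True when the TCP peer (CONN_REMOTE_ADDR) falls in a trusted-proxy range."""
    peer = ipaddress.ip_address(conn_remote_addr)
    return any(peer in net for net in trusted)


def effective_remote_addr(conn_remote_addr: str, cf_connecting_ip: Optional[str],
                          trusted: Iterable = TRUSTED_PROXIES) -> str:
    """Simplified model of mod_remoteip with 'RemoteIPHeader CF-Connecting-IP':
    REMOTE_ADDR becomes the header value only if the peer is a trusted proxy;
    a direct client (even one sending the header itself) keeps its own address."""
    if cf_connecting_ip is None or not is_trusted_proxy(conn_remote_addr, trusted):
        return conn_remote_addr
    try:
        return str(ipaddress.ip_address(cf_connecting_ip))
    except ValueError:
        return conn_remote_addr  # unparsable header value: keep the peer address


def rewrite_forbids(conn_remote_addr: str, cf_connecting_ip: Optional[str],
                    operator: str = "==", trusted: Iterable = TRUSTED_PROXIES) -> bool:
    """Evaluate  RewriteCond expr "%{REMOTE_ADDR} <operator> %{CONN_REMOTE_ADDR}"
    feeding  RewriteRule ^ - [F]; True means the request gets a 403."""
    remote_addr = effective_remote_addr(conn_remote_addr, cf_connecting_ip, trusted)
    if operator == "==":
        return remote_addr == conn_remote_addr
    if operator == "!=":
        return remote_addr != conn_remote_addr
    raise ValueError(f"unsupported operator: {operator}")


if __name__ == "__main__":
    # Constructed scenarios: a request relayed by a trusted proxy, a direct hit
    # on the origin IP, and a direct hit that sends a forged CF-Connecting-IP header.
    cases = [
        ("via trusted proxy", "203.0.113.10", "198.51.100.7"),
        ("direct access", "198.51.100.7", None),
        ("direct access, forged header", "198.51.100.7", "203.0.113.10"),
    ]
    for label, peer, header in cases:
        print(f"{label:30} '==' forbids={rewrite_forbids(peer, header)!s:5} "
              f"'!=' forbids={rewrite_forbids(peer, header, '!=')}")
```

With `!=` the outcomes are inverted (proxied traffic blocked, direct hits allowed), which is the mistake the thread corrects; with `==` the forged-header case is still refused because the peer is not a trusted proxy, so REMOTE_ADDR is never rewritten.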