0

I am using Cloudflare DNS. I only want to allow certain IPs to access certain files.

How can I set up my lighttpd.conf to properly detect the correct IP? I know how to do it for the access.log. Is it possible to use $HTTP["remoteip"] together with something else?

This is how I do it today:

$HTTP["remoteip"] == "xx.xx.xx.xx" {
    url.access-deny = ("")
}

I have tried the following, but it didn't work:

$HTTP["remoteip"] == "*" {
    extforward.forwarder = ( "all" => "trust" )
    extforward.headers = ("CF-Connecting-IP")
}
Kaah

2 Answers

1

$HTTP["remoteip"] will never equal the string *, it will have a value representing the connecting IP address (some Cloudflare address in your case).

Having that condition in place means that the extforward settings inside are never applied, which would appear to be your problem.

As for extforward.forwarder = ( "all" => "trust"), this may not be a good idea if non-Cloudflare addresses can connect. Allowing anyone to specify the remote address in a header makes any kind of access checks based on IP trivial to circumvent.

Cloudflare do have some documentation on this as well.

Håkan Lindqvist
  • I managed to get it to work now. The Cloudflare setting example didn't work 100% for me. I will post my solution once I am able. – Kaah Jun 22 '14 at 21:50
0

The settings from Cloudflare seem to give errors due to duplicate entries of IPs.

Here are the settings that work for me. I put them after server.modules { .. }:

$HTTP["remoteip"] == "199.27.128.0/21" {
    extforward.forwarder = ( "all" => "trust" )
    extforward.headers = ("CF-Connecting-IP")
}
$HTTP["remoteip"] == "173.245.48.0/20" {
    extforward.forwarder = ( "all" => "trust" )
    extforward.headers = ("CF-Connecting-IP")
}
$HTTP["remoteip"] == "103.21.244.0/22" {
    extforward.forwarder = ( "all" => "trust" )
    extforward.headers = ("CF-Connecting-IP")
}
$HTTP["remoteip"] == "103.22.200.0/22" {
    extforward.forwarder = ( "all" => "trust" )
    extforward.headers = ("CF-Connecting-IP")
}
$HTTP["remoteip"] == "103.31.4.0/22" {
    extforward.forwarder = ( "all" => "trust" )
    extforward.headers = ("CF-Connecting-IP")
}
$HTTP["remoteip"] == "141.101.64.0/18" {
    extforward.forwarder = ( "all" => "trust" )
    extforward.headers = ("CF-Connecting-IP")
}
$HTTP["remoteip"] == "108.162.192.0/18" {
    extforward.forwarder = ( "all" => "trust" )
    extforward.headers = ("CF-Connecting-IP")
}
$HTTP["remoteip"] == "190.93.240.0/20" {
    extforward.forwarder = ( "all" => "trust" )
    extforward.headers = ("CF-Connecting-IP")
}
$HTTP["remoteip"] == "188.114.96.0/20" {
    extforward.forwarder = ( "all" => "trust" )
    extforward.headers = ("CF-Connecting-IP")
}
$HTTP["remoteip"] == "197.234.240.0/22" {
    extforward.forwarder = ( "all" => "trust" )
    extforward.headers = ("CF-Connecting-IP")
}
$HTTP["remoteip"] == "198.41.128.0/17" {
    extforward.forwarder = ( "all" => "trust" )
    extforward.headers = ("CF-Connecting-IP")
}
$HTTP["remoteip"] == "162.158.0.0/15" {
    extforward.forwarder = ( "all" => "trust" )
    extforward.headers = ("CF-Connecting-IP")
}
$HTTP["remoteip"] == "104.16.0.0/12" {
    extforward.forwarder = ( "all" => "trust" )
    extforward.headers = ("CF-Connecting-IP")
}

With this $HTTP["remoteip"] works fine.

Kaah
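The trust decision that the first answer warns about, and that the per-range conditionals in the second answer implement, modelled in Python as an added example (not code from either poster or from lighttpd). The helpers `effective_remote_ip` and `is_denied` and the sample addresses are constructed for illustration; the proxy ranges are the ones listed in the answer above.

```python
import ipaddress

# Proxy ranges copied from the answer above; Cloudflare's current list may differ.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "199.27.128.0/21", "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22",
    "103.31.4.0/22", "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20",
    "188.114.96.0/20", "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15",
    "104.16.0.0/12",
)]
HEADER = "cf-connecting-ip"


def effective_remote_ip(peer_ip, headers, trusted=CLOUDFLARE_RANGES, trust_all=False):
    """Address that remoteip-style rules are evaluated against (hypothetical helper).

    trust_all=True models a header trusted from every peer; the default only
    honours the header when the TCP peer is inside a trusted proxy range.
    """
    peer = ipaddress.ip_address(peer_ip)
    from_proxy = trust_all or any(peer in net for net in trusted)
    claimed = {k.lower(): v for k, v in headers.items()}.get(HEADER)
    if not from_proxy or claimed is None:
        return peer  # direct connection: the header is client-controlled, ignore it
    try:
        return ipaddress.ip_address(claimed.strip())
    except ValueError:
        return peer  # malformed header: fall back to the real peer


def is_denied(peer_ip, headers, denied, **kw):
    """True when the effective address falls in one of the denied networks."""
    ip = effective_remote_ip(peer_ip, headers, **kw)
    return any(ip in ipaddress.ip_network(d) for d in denied)


if __name__ == "__main__":
    # Constructed sample data using documentation address ranges.
    denied = ["203.0.113.7/32"]
    forged = {"CF-Connecting-IP": "198.51.100.9"}
    # Denied client connects directly and sends its own header value.
    print("trust all :", is_denied("203.0.113.7", forged, denied, trust_all=True))
    print("scoped    :", is_denied("203.0.113.7", forged, denied))
    # Same client arriving through a proxy inside the trusted ranges.
    print("via proxy :", is_denied("162.158.10.20", {"CF-Connecting-IP": "203.0.113.7"}, denied))
```

With the header trusted from every peer the deny rule no longer matches the direct connection; with trust scoped to the proxy ranges it matches both directly and through the proxy.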