Score:0

HTTP 403 with CloudFlare

I've added my site to CloudFlare. I'm trying to allow requests to only come in through CloudFlare's network, and reject all others. When I add the following to my .htaccess, I get HTTP 403 Forbidden.

# Cloudflare Firewall Bypass Prevention
<RequireAll>
    Require all denied
    Require ip 103.21.244.0/22
    Require ip 103.22.200.0/22
    Require ip 103.31.4.0/22
    Require ip 104.16.0.0/13
    Require ip 104.24.0.0/14
    Require ip 108.162.192.0/18
    Require ip 131.0.72.0/22
    Require ip 141.101.64.0/18
    Require ip 162.158.0.0/15
    Require ip 172.64.0.0/13
    Require ip 173.245.48.0/20
    Require ip 188.114.96.0/20
    Require ip 190.93.240.0/20
    Require ip 197.234.240.0/22
    Require ip 198.41.128.0/17
    Require ip 2400:cb00::/32
    Require ip 2606:4700::/32
    Require ip 2803:f800::/32
    Require ip 2405:b500::/32
    Require ip 2405:8100::/32
    Require ip 2a06:98c0::/29
    Require ip 2c0f:f248::/32
</RequireAll>

The list of IPs comes directly from CloudFlare's IP ranges. In theory, CloudFlare acts as a reverse proxy for my server. Why aren't requests coming from CloudFlare? Any ideas on what I messed up, or how to fix it?

Tim
Does it work if you remove that code block? I do something similar, whitelisting only CloudFlare IP addresses and my private static IP, but I use AWS security groups rather than Apache.
anxiety
Yes, when removing the .htaccess rules the site loads fine. When I only allow Cloudflare IPs, I get HTTP 403 Forbidden. For some reason, Cloudflare doesn't seem to be acting properly as a reverse proxy. I've contacted Cloudflare support, but they're extremely slow. I can't see anything in my Cloudflare settings that looks out of place. Any ideas?
Tim
CloudFlare is likely working fine; the problem is likely with your configuration. Try this answer: https://stackoverflow.com/questions/39884892/apache-2-4-whitelist-cloudflare-only
Score:0
<RequireAll>

Should be <RequireAny> or omitted altogether (since that is the default in the absence of any authorisation containers).

anxiety
I tried changing `RequireAll` to `RequireAny`, removing `RequireAll` entirely, and tried changing `Require ip` to `allow from`. I always get a 403 forbidden error. I believe the issue to be from Cloudflare, and the configuration there. Everything looks good, and it should be acting as a reverse proxy, but for some reason it's just not.
kz flag
@anxiety Did you check the IP addresses in your server's access log?
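
The access-log check suggested in the comment above, as an added example (not code from the thread): a Python script that takes the address Apache logged for each request, tests it against the ranges from the question, and reports what the posted `<RequireAll>` block and a `<RequireAny>` block would decide for it. The log lines are constructed, and the two containers are modelled in simplified form (every directive must succeed versus any one directive succeeding).

```python
import ipaddress

# Ranges copied from the .htaccess block in the question.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in """
103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/13 104.24.0.0/14
108.162.192.0/18 131.0.72.0/22 141.101.64.0/18 162.158.0.0/15 172.64.0.0/13
173.245.48.0/20 188.114.96.0/20 190.93.240.0/20 197.234.240.0/22
198.41.128.0/17 2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32
2405:8100::/32 2a06:98c0::/29 2c0f:f248::/32
""".split()]

# Constructed access-log lines (common log format); the addresses are made up.
SAMPLE_LOG = """\
172.68.10.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 403 199
127.0.0.1 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 403 199
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 403 199
2606:4700:10::1 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 403 199
"""

def evaluate(addr):
    """Return (class, RequireAll result, RequireAny result) for one logged address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # e.g. a hostname logged with HostnameLookups on
        return ("unparsed", None, None)
    in_cf = [ip in net for net in CLOUDFLARE_RANGES]
    # Directive outcomes in the order posted: 'Require all denied' never
    # succeeds, then one 'Require ip' result per range.
    results = [False] + in_cf
    kind = "cloudflare" if any(in_cf) else "loopback" if ip.is_loopback else "other"
    # Simplified model: RequireAll needs every directive to succeed,
    # RequireAny needs only one.
    return (kind, all(results), any(results))

def audit(log_text):
    """Return (address, class, RequireAll, RequireAny) for each log line."""
    rows = []
    for line in log_text.splitlines():
        if line.strip():
            addr = line.split()[0]  # first field: the address Apache logged
            rows.append((addr,) + evaluate(addr))
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(*row, sep="\t")
```

If the logged addresses are not in Cloudflare's ranges, the allowlist is being compared against some other address than Cloudflare's edge, and changing the container alone will still return 403.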
Score:0
Solved with a variation of Tom's reply (https://stackoverflow.com/questions/39884892/apache-2-4-whitelist-cloudflare-only)

mod_cloudflare is no longer supported, but you can easily achieve the same thing by using mod_remoteip.
