0

I've added my site to CloudFlare. I'm trying to allow requests to only come in through CloudFlare's network, and reject all others. When I add the following to my .htaccess, I get HTTP 403 Forbidden.

```
# Cloudflare Firewall Bypass Prevention
<RequireAll>
    Require all denied
    Require ip 103.21.244.0/22
    Require ip 103.22.200.0/22
    Require ip 103.31.4.0/22
    Require ip 104.16.0.0/13
    Require ip 104.24.0.0/14
    Require ip 108.162.192.0/18
    Require ip 131.0.72.0/22
    Require ip 141.101.64.0/18
    Require ip 162.158.0.0/15
    Require ip 172.64.0.0/13
    Require ip 173.245.48.0/20
    Require ip 188.114.96.0/20
    Require ip 190.93.240.0/20
    Require ip 197.234.240.0/22
    Require ip 198.41.128.0/17
    Require ip 2400:cb00::/32
    Require ip 2606:4700::/32
    Require ip 2803:f800::/32
    Require ip 2405:b500::/32
    Require ip 2405:8100::/32
    Require ip 2a06:98c0::/29
    Require ip 2c0f:f248::/32
</RequireAll>
```

The list of IPs comes directly from CloudFlare's IP ranges. In theory, CloudFlare acts as a reverse proxy for my server. Why aren't requests coming from CloudFlare? Any ideas on what I messed up, or how to fix it?

anxiety
  • Does it work if you remove that code block? I do something similar, whitelisting only CloudFlare IP addresses and my private static IP, but I use AWS security groups rather than Apache. – Tim Jan 08 '23 at 06:09
  • Yes, when removing the .htaccess rules the site loads fine. When I only allow Cloudflare IPs, I get HTTP 403 Forbidden. For some reason, Cloudflare doesn't seem to be acting properly as a reverse proxy. I've contacted Cloudflare support, but they're extremely slow. I can't see anything in my Cloudflare settings that looks out of place. Any ideas? – anxiety Jan 08 '23 at 06:55
  • CloudFlare is likely working fine, the problem is likely with your configuration. Try this answer: https://stackoverflow.com/questions/39884892/apache-2-4-whitelist-cloudflare-only – Tim Jan 08 '23 at 07:15

2 Answers

0
`<RequireAll>`

Should be `<RequireAny>` or omitted altogether (since that is the default in the absence of any authorisation containers).

MrWhite
  • I tried changing `RequireAll` to `RequireAny`, removing `RequireAll` entirely, and tried changing `Require ip` to `allow from`. I always get a 403 forbidden error. I believe the issue to be from Cloudflare, and the configuration there. Everything looks good, and it should be acting as a reverse proxy, but for some reason it's just not. – anxiety Jan 08 '23 at 02:42
  • @anxiety Did you check the IP addresses in your server's access log? – MrWhite Jan 09 '23 at 09:57
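
An added example, not part of the original answers: a simplified Python model of how the question's block is evaluated under `<RequireAll>` versus `<RequireAny>`, applied to client addresses taken from access-log lines as the comment above suggests. The function names and the sample log lines are constructed for illustration; the ranges are the ones listed in the question.

```python
import ipaddress

# CIDR ranges copied from the question's .htaccess block.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in """
103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/13 104.24.0.0/14
108.162.192.0/18 131.0.72.0/22 141.101.64.0/18 162.158.0.0/15 172.64.0.0/13
173.245.48.0/20 188.114.96.0/20 190.93.240.0/20 197.234.240.0/22
198.41.128.0/17 2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32
2405:8100::/32 2a06:98c0::/29 2c0f:f248::/32
""".split()]


def require_results(ip):
    """Outcome of each directive in the question's block, in order."""
    addr = ipaddress.ip_address(ip)
    # 'Require all denied' never succeeds; each 'Require ip' succeeds on match.
    return [False] + [addr in net for net in CLOUDFLARE_RANGES]


def decide(container, ip):
    """Simplified model: RequireAll needs every directive to succeed,
    RequireAny needs at least one. Returns the resulting HTTP status."""
    results = require_results(ip)
    ok = all(results) if container == "RequireAll" else any(results)
    return 200 if ok else 403


def audit_access_log(lines):
    """Map each client address (first field of a common/combined log line)
    to the status a RequireAny version of the block would give it."""
    return {line.split()[0]: decide("RequireAny", line.split()[0])
            for line in lines if line.strip()}


# Constructed sample log lines (not from the page).
SAMPLE_LOG = [
    '172.68.10.5 - - [08/Jan/2023:06:10:00 +0000] "GET / HTTP/1.1" 403 199',
    '203.0.113.7 - - [08/Jan/2023:06:10:02 +0000] "GET / HTTP/1.1" 403 199',
    '2606:4700:10::1 - - [08/Jan/2023:06:10:05 +0000] "GET / HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for ip, status in audit_access_log(SAMPLE_LOG).items():
        print(ip, "RequireAll ->", decide("RequireAll", ip),
              "| RequireAny ->", status)
```

Replace `SAMPLE_LOG` with lines from the server's own access log to see which logged addresses the listed ranges would admit.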
0

Solved with a variation of Tom's reply (https://stackoverflow.com/questions/39884892/apache-2-4-whitelist-cloudflare-only).

mod_cloudflare is no longer supported, but you can easily achieve the same thing by using mod_remoteip.

anxiety