-2

I want to allow only HTTP(S) requests to my server that comes from cloudflare. I think the best way to do that is to have some script that will run once every day and it's job will be to collect all ip addresses from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6, and add them to whitelist (If not added already). The only problem is that I don't know to write this script so if anyone can give me some guidelines or link to some tutorial, I would've appriciate it. (U can also write it on your own if you have free time, I don't mind)

My Server Configuration: OpenLiteSpeed, Cyberpanel, AlmaLinux

EDIT

In the meantime I managed (I think) to somehow make it work. I created bash script cloudflare.sh with the following content:

#!/bin/sh

for i in `curl https://www.cloudflare.com/ips-v4`; do iptables -I INPUT -p tcp -m multiport --dports http,https -s $i -j ACCEPT; done

for i in `curl https://www.cloudflare.com/ips-v6`; do ip6tables -I INPUT -p tcp -m multiport --dports http,https -s $i -j ACCEPT; done

iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP
ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP

then, I set up cron job to run it every day at 10 AM.

0 10 * * * /home/cloudflare.sh >/dev/null 2>&1

I have done this with a help of a google so can u just tell me if this script will make duplicates of ip addresses or no when it's executed?

user19000690
  • 1
  • 1

1 Answers1

-1

actually , for your goal , here is a simpler solution

the cloudflare request will always contains certain CF headers

e.g.

Connection: Keep-Alive
Accept-Encoding: gzip
CF-IPCountry: BR
X-Forwarded-For: xxxxx
CF-RAY: 56fc3a8f9ccbf203-EWR
Content-Length: 345
X-Forwarded-Proto: https
CF-Visitor: {"scheme":"https"}
origin: https://www.google.com
user-agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
content-type: application/x-www-form-urlencoded
accept: */*
referer: https://www.google.com/
accept-language: pt-BR,pt;q=0.8,en-US;q=0.6,en;q=0.4
cookie: xxxx
CF-Connecting-IP: xxxx

then you can use one of these headers to create a rewrite rule to 403 the request doesn't have it

e.g.

RewriteCond %{HTTP:CF-IPCountry} !^[A-Z]{2} [NC]
RewriteRule .* - [F,L]

the first line will check if header CF-IPCountry exsits and matches for any 2 capital letter , like US, UK , ES, FR ...etc as country code

if not match , then give Forbid flag as 403 response

the setback for this way is the header might be faked

otherwise you may need to go to the "hard" mode to manipulate the OpenLiteSpeed conf file or firewall conf file to add/remove IPs

qtwrk
  • 329
  • 2
  • 7