Possible to filter ip via X-Forwarded-For to bypass basic auth when using cloudflare?

wazer · May 14, 2022, 12:16am

2.5.1

Win11

	@notLocal {
		not remote_ip 192.168.1.0/24
	}
	basicauth @notLocal {
		username password	
	}

I have the header in top

header X-Forwarded-For {http.request.header.CF-Connecting-IP}

I tried

	@notLocal {
		not X-Forwarded-For IP_HERE
	}
	basicauth @notLocal {
		username password	
	}

But wont start with this, I’m not sure if its even supported this way

The X-Forwarded-For I can only find via request>headers>X-Forwarded-Form when logging but not sure if that has to do with anything

francislavoie · May 14, 2022, 12:38am

Yeah, it’s in the docs; if you use forwarded as the first arg to remote_ip, it looks at the XFF header.

wazer · May 14, 2022, 12:59am

Ok think I had to re-read it since I did not understand it correctly then.

I thought you had to leave out remote_ip ?

This should work correct, right?

@notLocal {
		not remote_ip forwarded IP_HERE
	}

francislavoie · May 14, 2022, 1:11am

forwarded is an argument to the remote_ip matcher, telling it to change how it behaves.

Yes you got it right, but you can shorten it, FYI:

@notLocal not remote_ip forwarded <ip>