Trusted Proxies with Cloudflare - my solution

Been struggling to figure out how to deal with the v2.5 changes to reverse_proxy while using Cloudflare as a cloud proxy service and figured I’d share what’s working for me in hopes that others may find it useful.

in my Caddyfile, i make use of import directive to reference a file:

        reverse_proxy IP:PORT {
                import /authdb/cloudflare-proxies
        }

i run Caddy in a docker container, so i have the /authdb/ volume mounted to the container. on the host itself, i set a cron job to run this script every 30 minutes:

#!/bin/bash

CLOUDFLARE_IPSV4="https://www.cloudflare.com/ips-v4"

FILE_IPV4="/authdb/cloudflare-proxies"

if [ -f "$FILE_IPV4" ] ; then
    rm "$FILE_IPV4"
fi

if [ -f /usr/bin/curl ]; then
        HTTP_STATUS=$(curl -sw '%{http_code}' -o $FILE_IPV4 $CLOUDFLARE_IPSV4)
        if [ "$HTTP_STATUS" -ne 200 ]; then
                echo "FAILED. Reason: unable to download IPv4 list [Status code: $HTTP_STATUS]"
                exit 1
        fi
else
        echo "FAILED. Reason: curl wasn't found on this system."
        exit 1
fi

sed -i ':a;N;$!ba;s/\n/ /g' $FILE_IPV4

sed -i '1s/^/trusted_proxies /' $FILE_IPV4

exit 0

Now, whenever I re-build my Caddy container, the “cloudflare-proxies” file is mounted with the container and the host updates that file every half hour.

Hopefully someone finds this helpful.

1 Like

Please note that this alone is incomplete, because Cloudflare does not sanitize the X-Forwarded-For header by default, so even with this, you’re potentially vulnerable to remote IP spoofing. So you must configure Cloudflare to remove the X-Forwarded-For header, then write the header again with the source IP address, to make sure it doesn’t have untrusted values.

There’s instructions here in Authelia’s docs (not yet live on their site, so the source on Github will have to do for now):

2 Likes