We are currently trying out the Cloudflare service to protect one of our company's services. In front of this service we use HAProxy as SSL endpoint and load balancer. Cloudflare adds a number of custom headers((http://www.linuxorz.com/2014/10/cloudflare-haproxy-get-real-ip/)):
- $_SERVER["HTTP_CF_IPCOUNTRY"] CN
- $_SERVER["HTTP_CF_RAY"] 17da8155355b0520-SEA
- $_SERVER["HTTP_CF_VISITOR"] {"scheme":"http"}
- $_SERVER["HTTP_CF_CONNECTING_IP"] XX.YY.ZZ.00
To pass the original client IP to the backend in the X-Forwarded-For header, use the following configuration((http://permalink.gmane.org/gmane.comp.web.haproxy/12019)) in HAProxy. The ACL limits the rewrite to connections that actually arrive from Cloudflare's address ranges, and any X-Forwarded-For sent by a non-local client is dropped first, so a client connecting directly cannot spoof its address by setting CF-Connecting-IP or X-Forwarded-For itself. (reqidel and reqirep are the legacy directives; HAProxy 2.1 and later removed them in favour of http-request del-header and http-request replace-header.)
    acl FROM_CLOUDFLARE src -f /etc/haproxy/cf-ips-v4
    # LOCALHOST is an ACL assumed to be defined elsewhere in the configuration (not shown here)
    reqidel ^X-Forwarded-For:.* if ! LOCALHOST
    reqirep ^CF-Connecting-IP:(.*)$ X-Forwarded-For:\1 if FROM_CLOUDFLARE
    option forwardfor if-none
Additionally you need to have the Cloudflare IPs in the file /etc/haproxy/cf-ips-v4. You can retrieve their IP ranges from: https://www.cloudflare.com/ips/
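To check what the three rules above actually do to a request, here is an added Python model of them (example code written for this note, not HAProxy's own logic). The Cloudflare and localhost ranges, the function names and the sample requests are constructed for the example; the real ranges come from the Cloudflare URL above.

```python
import ipaddress

# Constructed sample ranges for the example; the real list belongs in
# /etc/haproxy/cf-ips-v4 (FROM_CLOUDFLARE) and the LOCALHOST ACL.
CF_IPS_V4 = ["173.245.48.0/20", "103.21.244.0/22"]
LOCALHOST = ["127.0.0.0/8"]


def in_ranges(ip, ranges):
    """True if ip falls inside any of the given CIDR ranges (the src -f match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def apply_rules(src_ip, headers, cf_ranges=CF_IPS_V4, localhost=LOCALHOST):
    """Model the HAProxy rules on one request and return the headers the
    backend would see (header names lower-cased)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    from_cloudflare = in_ranges(src_ip, cf_ranges)
    from_localhost = in_ranges(src_ip, localhost)

    # reqidel ^X-Forwarded-For:.* if ! LOCALHOST
    # Any client-supplied X-Forwarded-For is discarded unless it came from localhost.
    if not from_localhost:
        hdrs.pop("x-forwarded-for", None)

    # reqirep ^CF-Connecting-IP:(.*)$ X-Forwarded-For:\1 if FROM_CLOUDFLARE
    # Only a connection from Cloudflare's ranges may promote CF-Connecting-IP.
    if from_cloudflare and "cf-connecting-ip" in hdrs:
        hdrs["x-forwarded-for"] = hdrs.pop("cf-connecting-ip")

    # option forwardfor if-none
    # If no X-Forwarded-For survived, HAProxy inserts the TCP source address.
    if "x-forwarded-for" not in hdrs:
        hdrs["x-forwarded-for"] = src_ip
    return hdrs


if __name__ == "__main__":
    # Direct client (198.51.100.7, not Cloudflare) trying to spoof both headers.
    print(apply_rules("198.51.100.7",
                      {"X-Forwarded-For": "10.0.0.1", "CF-Connecting-IP": "10.0.0.2"}))
    # Genuine Cloudflare edge forwarding a visitor at 203.0.113.5.
    print(apply_rules("173.245.48.10", {"CF-Connecting-IP": "203.0.113.5"}))
```

The first call shows the spoofed headers being ignored and X-Forwarded-For set to the real source; the second shows the visitor address being promoted only because the connection came from a Cloudflare range.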
Some additional links:
- https://martensson.io/cloudflare-universal-ssl-with-haproxy/
- https://github.com/analytically/haproxy-ddos
- http://fsfe.soup.io/post/244661656/Alexandre-De-Dommelin-weblog-CloudFlare-HAProxy-and