
HAProxy Real IP + Cloudflare

I just can't seem to get this done. I'm still seeing Cloudflare IPs in my log. Currently, I have a load balancer which is behind Cloudflare.

Currently, here's the block related to forwardfor:

    option          forwardfor except 127.0.0.1
    option          forwardfor except 204.93.240.0/24
    option          forwardfor except 204.93.177.0/24
    option          forwardfor except 199.27.128.0/21
    option          forwardfor except 173.245.48.0/20
    option          forwardfor except 103.22.200.0/22
    option          forwardfor except 141.101.64.0/18
    option          forwardfor except 108.162.192.0/18
    option          forwardfor header X-Real-IP
    reqadd          X-Forwarded-Proto:\ http

Does anybody have an idea for the correct config to get real IPs from Cloudflare? Or maybe an equivalent of nginx's set_real_ip_from cloudflareIP and/or real_ip_header CF-Connecting-IP for HAProxy? Thanks.

sfault asked Apr 01 '13 02:04


1 Answer

You do it this way:

  • Create a text file cloudflare_ips.lst containing all IP ranges from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6
  • Make sure you do not enable option forwardfor in HAProxy

HAProxy config:

    acl from_cf    src -f /path/to/cloudflare_ips.lst
    acl cf_ip_hdr  req.hdr(CF-Connecting-IP) -m found

    http-request set-header X-Forwarded-For %[req.hdr(CF-Connecting-IP)] if from_cf cf_ip_hdr

  • Be careful when testing, because of KeepAlive you may need to use a new browser/tab every time.
Jeroen Vermeulen - MageHost answered Sep 17 '22 03:09
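The trust rule from the answer above, modelled in Python as an added example (not part of the original answer or of HAProxy): CF-Connecting-IP is honoured only when the TCP peer is inside a listed Cloudflare range, so a client that connects directly cannot set its own logged address. The function names, the sample list (ranges copied from the question) and the header-validation step are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in the cloudflare_ips.lst format (one CIDR per line).
# The ranges are copied from the question's config and are sample data only;
# the real file should be built from the two URLs given in the answer.
SAMPLE_LST = """\
# constructed sample list
173.245.48.0/20
103.22.200.0/22
141.101.64.0/18
108.162.192.0/18
"""

def load_ranges(text):
    """Parse list text; blank lines and '#' comment lines are skipped."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # Strict parsing rejects entries with host bits set (e.g. 10.0.0.1/8).
            nets.append(ipaddress.ip_network(line))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return nets

def client_ip(src, headers, trusted):
    """Return the address to log for a request whose TCP peer is `src`.

    Mirrors the answer's condition `if from_cf cf_ip_hdr`. Checking that the
    header parses as an IP address is an assumption added in this example.
    `headers` is a plain dict keyed by the exact header name.
    """
    peer = ipaddress.ip_address(src)
    from_cf = any(peer in net for net in trusted)
    value = headers.get("CF-Connecting-IP")
    if from_cf and value:
        try:
            return str(ipaddress.ip_address(value.strip()))
        except ValueError:
            pass  # malformed header: fall back to the peer address
    return str(peer)
```

Running `load_ranges` over the real cloudflare_ips.lst before reloading HAProxy catches mistyped ranges early.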