“X-Forwarded-For” or how to restrict access to Apache while using CloudFlare

Noo you ca n’t good enter my web site when I restricted the access in my apache ! ”
IP machine goes brr


  • Debian/Ubuntu
  • Apache2 web server with a running virtual host
  • Cloudflare account linked to your webserver


A month ago I put my web site behind Cloudflare ‘s CDN with the intention to get my way around the service and who knows.. even speed up my web site a piece. however, I did not want people to be able to see my web site under exploitation. The beginning thing that came to my mind was to put a “ come soon ” page but I instantaneously figured this is a little dazed way to ‘restrict ‘ person to my capacity as they can still browse around URLs. What did I decide to do ? I decided to entirely allow certain IPs on the Apache flat. What happened ? I could not do it. then with some research, I got to understand why it did not work and what is an X-Forwarded-For header, and how to use it to suit my needs .

Case Study

I have a web site track on Apache webserver behind Cloudflare ‘s CDN. I need to restrict entree to my web site on Apache level to lone be accessible with the IP x.x.x.x

What is X-Forwarded-For header?

“ The X-Forwarded-For header is a standard header for identifying the originating IP address. ” Meaning ? This means that if my IP is x.x.x.x and I try to connect to the web site example.com which is behind a Cloudflare CDN, then I am connecting to Cloudflare, only which then handles my connection to the web site. Cloudflare is connecting to the example.com ‘s server and therefore, you could say, it has the character of a rearward proxy. If you try to ping my web site you will not get my IP. You will get CloudFlare ‘s IP .
With the X-Forwarded-For header, the webserver is able to get the originating IP of the connected exploiter .

Denying the IP without X-Forwarded-For?

Go away, User!
The answer to this is simpleton – you will try blocking an IP but that IP does not have anything to do with your webserver. If the IP has already connected to CloudFlare, then the Cloudflare IP is connecting to your web site – > the content is still available to the drug user .

Your IP: A.A.A.A
My Server IP: B.B.B.B
CloudFlare IP: C.C.C.C

You ( A.A.A.A ) enter 47ontech.com ( B.B.B.B ) – > You ( A.A.A.A ) connect to CloudFlare ( C.C.C.C ) – > Cloudflare ( C.C.C.C ) connects you to my server ( B.B.B.B ) – > You ( A.A.A.A ) do not connect to me ( B.B.B.B ). You ( A.A.A.A ) connect to CloudFlare ( C.C.C.C ), which connects to me ( B.B.B.B ) – > You see my web site – > not what we need : (

Denying the IP WITH X-Forwarded-For!


Let ‘s get straight to the point and see what would happen if you deny an information science with X-Forwarded-For, with an case :

Your IP: A.A.A.A
My Server IP: B.B.B.B
Cloudflare IP: C.C.C.C

You ( A.A.A.A ) enter asciinaut.sh ( B.B.B.B ) – > You ( A.A.A.A ) connect to Cloudflare ( C.C.C.C ) – > Cloudflare ( C.C.C.C ) connects you to my server ( B.B.B.B ) – > You ( A.A.A.A ) are thrown off as your IP is stored in the mailboat header in the X-Forwarded-For variable star. Meaning ? My apache saw your real number IP and it did not allow you to pass – > There is no message served early than 403 forbidden .


Cool, you got the indicate ! immediately you just need the final examination component – the Apache block. Let me get it out for you real quick :

	SetEnvIF X-Forwarded-For "x.x.x.x" AllowIP
	Options Indexes FollowSymLinks
	AllowOverride All

	Require env AllowIP

And that ‘s reasonably much it ! You include this block to your Apache config after your /VirtualHost and you are ready to go !
Some side note – If you want to check what your connection consists of, create a file examplefile.php in your web site directory and add the comply lines :

now browse to this file and you will see a huge block of information. hera you can see what your connection consists of. And now if you want to check if something is working, for case, the X-Forwarded-For header – precisely CTRL+F and type it in the search bar. x-forward image


In this post, you learned how to restrict access to only certain IPs when you are making consumption of Cloudflare ( or any CDN really.. ). You learned what the X-Forwarded-For header is. And you learned a small moment of how content delivery networks work. I hope this helped you and if you ever want to start a conversation with me or just want to contact me – feel release to drop me a message on my chitter !
Best of luck with your projects and do n’t forget to have fun in the end !

Leave a Reply

Your email address will not be published.