
[HELP] Access control by Cloudflare IPs

Open derekkddj opened this issue 7 months ago • 6 comments

What happened? I have my domain proxied with Cloudflare, and then I have zoraxy sitting at home. Is there any option to configure zoraxy to only accept connections from Cloudflare IPs?

Describe what you have tried I used whitelist IPs, but it seems to get the IP of the "client_IP", i.e. the origin IP before the Cloudflare IP.

Describe the networking setup you are using Here are some examples of commonly asked questions from our maintainers:

  • Using cloudflare "proxy"
  • Zoraxy with proxmox helper scripts
  • Selfhosted zoraxy at home with NAT configured in router

Additional context

derekkddj avatar Jul 22 '25 07:07 derekkddj

This would typically be something you set up in your firewall rules

AnthonyMichaelTDM avatar Jul 22 '25 07:07 AnthonyMichaelTDM

I run zoraxy in an LXC on proxmox, so for me the rule looks something like this:

Image

where +cloudflare is an IP set containing all of cloudflare's IPv4 and IPv6 addresses

I also have a rule allowing access to the zoraxy dashboard from the LAN (192.168.1.0/24)

I also have a UniFi router, so in my port forwarding rules I could restrict access to a list of IP ranges, so I did basically the same thing there and only forward packets coming from Cloudflare.

AnthonyMichaelTDM avatar Jul 22 '25 07:07 AnthonyMichaelTDM

I was going to do it with nftables, but with Caddy I could do it inside the configuration file, not using nftables. I was just hoping zoraxy had an option for this too, because I am using the same zoraxy as a reverse proxy for subdomains behind Cloudflare and for subdomains with "no" Cloudflare proxy.

derekkddj avatar Jul 22 '25 08:07 derekkddj

with caddy i could do it inside the configuration file

Can you show me what your Caddy setup looks like? I don't think this is something we should build into the Zoraxy core (since it has external dependencies, e.g. checking CF's IPs once every couple of days to update the IP filter list), but it might be possible to implement as a (non official) plugin.

tobychui avatar Jul 22 '25 13:07 tobychui

In the Caddyfile, I have this "alias":

(cloudflare_only) {
    @not_cloudflare not remote_ip 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22
    respond @not_cloudflare "403 Forbidden" 403
}

And then, just use it:

# Main wildcard site (with security)
*.domain.com {
    import tls_cf
    import logs
    import cloudflare_only
    reverse_proxy 192.168.1.100:80
}

I have other subdomains without this protection:

noprotect.domain.com {
    import logs
    import tls_cf
    reverse_proxy 192.168.1.101:80
}

derekkddj avatar Jul 22 '25 19:07 derekkddj
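For reference, here is what the Caddy `cloudflare_only` matcher above does, written as a small Go `net/http` middleware of the kind a Zoraxy plugin might use. This is an added example, not Zoraxy's or Caddy's own code; it hard-codes the IPv4 ranges from the Caddyfile as a static snapshot (an assumption: the real list has to be refreshed from Cloudflare, as noted above) and checks the TCP peer address rather than any forwarded-client header, which is the distinction the original whitelist attempt missed.

```go
package main

import (
	"net"
	"net/http"
)

// Cloudflare IPv4 ranges copied from the Caddyfile above. Assumption: a static
// snapshot; Cloudflare's published list changes and must be refreshed.
var cloudflareNets = parseCIDRs(
	"173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "141.101.64.0/18",
	"108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20", "197.234.240.0/22", "198.41.128.0/17",
	"162.158.0.0/15", "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)

func parseCIDRs(cidrs ...string) []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err) // a typo in the hard-coded list should fail at startup
		}
		nets = append(nets, n)
	}
	return nets
}

// isCloudflare checks the TCP peer ("ip:port", as in r.RemoteAddr), never
// X-Forwarded-For or CF-Connecting-IP, which name the end user instead.
func isCloudflare(remoteAddr string) bool {
	host, _, _ := net.SplitHostPort(remoteAddr) // "" on malformed input
	ip := net.ParseIP(host)                      // nil for "" or garbage
	for _, n := range cloudflareNets {
		if ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// cloudflareOnly answers 403 for non-Cloudflare peers, like "cloudflare_only".
func cloudflareOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isCloudflare(r.RemoteAddr) {
			http.Error(w, "403 Forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Because the check keys on `r.RemoteAddr`, a spoofed `X-Forwarded-For: <cloudflare ip>` from a direct connection is still rejected, and a legitimate Cloudflare edge is accepted regardless of what end-user address it forwards.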

Ok this is for sure a plugin only feature. I will add the plugin tag and see if anyone can help implement this in the future.

tobychui avatar Jul 24 '25 04:07 tobychui