rejetto forum

Ban IP using cloudflare

sergio · 8 · 12930

0 Members and 1 Guest are viewing this topic.

Offline sergio

  • Occasional poster
  • *
    • Posts: 36
    • View Profile
Hi,

I have my HFS running on my local network under cloudflare.

But the problem occurs when I decide to ban an IP. Since it does not do the IP ban. This is due to HFS being configured with cloudflare

What configuration must be done in HFS so that it allows me to do IP banning?

Thanks.

PD. If HFS is not configured with cloudflare, IP ban works fine.



Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13523
    • View Profile
ciao Sergio,
ot may help to know what you did to configure HFS for cloudflare.
I've never used cloudflare myself, so i hope someone could help you.


Offline sergio

  • Occasional poster
  • *
    • Posts: 36
    • View Profile
ciao Sergio,
ot may help to know what you did to configure HFS for cloudflare.
I've never used cloudflare myself, so i hope someone could help you.

I have a .com domain.
in the control panel of my domain, I configure the cloudflare NS.
in cloudflare configure 2 records of type A that point to my Public IP.
This way I hide my public IP.

Whoever enters my hfs through the url of my domain, will never know my true public IP, since it will show them the cloudflare IPs.
in this way it was left behind a proxy.


In my local apache server I had the same problem, and the solution is to enable the remoteip module, and add a line in the httpd.conf file that is this:
 RemoteIPHeader X-Forwarded-For.


But in HFS I don't know what configuration to do to solve the problem.
« Last Edit: February 09, 2022, 03:27:48 PM by sergio »


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13523
    • View Profile
ok, i googled: hfs x-forwarded-for
and that's what i've found :)

https://rejetto.com/forum/index.php?topic=6292.msg1037912#msg1037912

so, HFS already supports reverse-proxy but by default it's limited to localhost for security reasons.
You can change this but I gave a quick look and I think it's still missing in the menu.
Method 1) you'll edit the hfs.ini with notepad. Be sure first to quit HFS first.
Method 2) there's a scripting command to modify configuration via scripting. So as you can go Menu > Debug > Run script
and there run this small script
{.set ini|forwarded-mask=*.}

Here I'm suggesting * because if you only get requests that are forwarded by the proxy, then you can actually trust any source.
Otherwise you may specify exactly the IP address of the proxy.
Hope it helps.


Offline sergio

  • Occasional poster
  • *
    • Posts: 36
    • View Profile
Quote
Method 2) there's a scripting command to modify configuration via scripting. So as you can go Menu > Debug > Run script
and there run this small script
{.set ini|forwarded-mask=*.}

The script does not do what it is supposed to do.  What will be the reason?


Quote
Method 1) you'll edit the hfs.ini with notepad. Be sure first to quit HFS first.

This one works fine.

Quote
so, HFS already supports reverse-proxy but by default it's limited to localhost for security reasons.

the part is not clear to me: "limited to localhost for security reasons"

you mean you can only login from localhost, and do not enter externally ?

« Last Edit: February 09, 2022, 07:32:55 PM by sergio »


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13523
    • View Profile
No, the limit is not on login. I'll try to explain. HFS normally knows your ip. That thing you are enabling is letting your other part (in your case cloudflare) to "tell" HFS what the real ip is. It can tell the truth or lie. Of course cloudflare will tell the truth, but HFS doesn't know.
That's why this feature is limited.
By default HFS decide to trust such information if it comes from a software that's running on your computer (localhost).
That's why you have to decide who HFS should trust. It's a trust limited to "telling the ip" of course. It's not necessarily something dangerous, but HFS must play it safe.
Your best option is to allow not * but just the IPs of cloudflare.
You can learn how to enter a filter different than * with this guide: https://www.rejetto.com/wiki/index.php/HFS:_IP_masks

i don't know why the script isn't working. I didn't even test it, just copied it.


Offline sergio

  • Occasional poster
  • *
    • Posts: 36
    • View Profile
Quote
Your best option is to allow not * but just the IPs of cloudflare.
You can learn how to enter a filter different than * with this guide: https://www.rejetto.com/wiki/index.php/HFS:_IP_masks

the bad thing is that cloudflare uses many ip.

in the browser and by cmd are always two.
But in HFS it identifies several totally different

enter hfs various ranges, sometimes it works, and sometimes it doesn't, as other different ranges reappear.

forwarded-mask=* This configuration is the one that has worked best, except when they enter through the tor network, here it returns again to register the cloudflare IPs.

The issue is now clear.

Thank you very much for your great collaboration.


Offline D

  • Occasional poster
  • *
    • Posts: 28
    • View Profile
Your best option is to allow not * but just the IPs of cloudflare.
If anyone wonders how to do it... here's a ready-made solution (comes with no warranty)

Just add one ban rule for this IP mask and tick "disconnect with no reply"
Code: [Select]
\173.245.48.1-173.245.63.254;103.21.244.1-103.21.247.254;103.22.200.1-103.22.203.254;103.31.4.1-103.31.7.254;141.101.64.1-141.101.127.254;108.162.192.1-108.162.255.254;190.93.240.1-190.93.255.254;188.114.96.1-188.114.111.254;197.234.240.1-197.234.243.254;198.41.128.1-198.41.255.254;162.158.0.1-162.159.255.254;104.16.0.1-104.23.255.254;104.24.0.1-104.27.255.254;172.64.0.1-172.71.255.254;131.0.72.10-131.0.75.254Source: https://www.cloudflare.com/ips/

Works for me I believe