如何确保CloudFlare确实代理了请求? [英] How to ensure that a request is really proxied by CloudFlare?
问题描述
在一个项目中,我们使用CloudFlare及其 cf-connecting-ip 标头来获得访客IP地址.但我不确定该信息是否可以完全信任.例如,一个坏用户以某种方式获得了我们服务器的真实IP,并直接连接到该服务器,将假IP地址放入 cf-connecting-ip 标头中,并假装它是合法的CF-代理请求.
In one of projects we use CloudFlare and its cf-connecting-ip header to get a visitor IP address. But I'm not sure that the info can be fully trusted. For example, a bad user somehow had obtained real IP of our server, and connecting directly to it, putting fake IP address to the cf-connecting-ip header, and pretending that it was a legitimate CF-proxied request.
我检查了CF代理请求的标头,并看到了 cf-request-id 标头.但这对于每个请求都是唯一的,而且我看不到任何固定的安全密钥,可以用来验证请求是否合法.
I examined headers for CF-proxied requests, and saw the cf-request-id header. But it's unique per a request, and I cannot see there any fixed secure key which I can use to verify that the request was legitimate.
如何确保CF确实代理了请求?
How to ensure that a request was really proxied by CF?
推荐答案
您可能要使用功能:
You may want to use the Authenticated Origin Pulls feature from Cloudflare:
Authenticated Origin Pulls使原始Web服务器可以强烈验证Web请求是否来自Cloudflare.
我们使用TLS客户端证书身份验证(大多数Web服务器支持的功能),并在Cloudflare与原始服务器之间建立连接时出示Cloudflare证书.
通过在原始服务器配置中验证此证书,可以将访问限制为Cloudflare连接.
Authenticated Origin Pulls let origin web servers strongly validate that a web request is coming from Cloudflare.
We use TLS client certificate authentication, a feature supported by most web servers, and present a Cloudflare certificate when establishing a connection between Cloudflare and the origin server.
By validating this certificate in origin server configuration, access can be limited to Cloudflare connections.
您将需要从Cloudflare下载客户端证书,并将您的Web服务器配置为强制执行证书检查.
You will need to download the client certificate from Cloudflare and configure your webserver to enforce the certificate check.
所引用的页面上有有关如何在Apache和Nginx中设置客户端证书的说明.
The referenced page has instructions on how to set up client certificate in Apache and Nginx.
这篇关于如何确保CloudFlare确实代理了请求?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
