chuckhoffmann Wrote:
-------------------------------------------------------
> Cary Wrote:
> -------------------------------------------------------
> > Most of this garbage is a byproduct of switching to
> > Cloudflare. Previously I employed iptables rules
> > to block HUGE swaths of the Internet. What do
> > hosts from Europe/Africa/Asia need to access
> > Fairfax Underground for? Now, however, as all
> > traffic is sourced from Cloudflare's servers my
> > iptables rules are useless for HTTP blocking.
> >
> > I'll either need to reinstate these blocks in
> > Apache directly (Cloudflare passes through source
> > IPs) or finally implement a real CAPTCHA system.
> >
> > Stay tuned.
>
> Cloudflare essentially acts as a proxy between the
> whole Internet and Fairfax Underground, so all Web
> traffic looks like it's coming from Cloudflare.
>
> There are two headers added to the HTTP request
> headers: X-Forwarded-For and CF-Connecting-IP. The
> first is a standard HTTP header and the second is
> a custom Cloudflare addition, and one or the other
> should give you the originating IP address.
>
> Would it be possible to change the iptables rules
> to use string matching? There's an extension to
> add PCRE pattern matching to the Linux kernel on
> GitHub at https://github.com/xnsystems/kpcre, and
> using regexes with iptables string matching is
> described at
> https://github.com/xnsystems/kpcre/wiki/iptables-string-regex
That's going to be awfully slow and expensive as far as compute cycles go. Those headers are quite deep in the packet. Apache needs to parse them anyway, so filter them there.

Cloudflare's behavior is pretty strange. You are forced to handle TCP connections past the three-way handshake just to reject them?
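The header handling chuckhoffmann describes, and the "filter them in Apache" point above, as an added Python example that is not code from the thread or from Cloudflare: it believes CF-Connecting-IP (or, failing that, the first X-Forwarded-For hop) only when the TCP peer is itself a Cloudflare address, so a client that reaches the origin directly cannot slip past a block by writing its own header. Two of Cloudflare's published IPv4 ranges are used as sample trusted-proxy entries, and the blocklist entries are constructed from RFC 5737 test networks; both lists are assumptions for the example, not a complete or maintained configuration.

```python
import ipaddress
from typing import Iterable, Mapping, Optional

# Sample trusted-proxy ranges (assumption for this example): two of
# Cloudflare's published IPv4 ranges. In production load the full, current
# list from https://www.cloudflare.com/ips/ and refresh it periodically.
CLOUDFLARE_RANGES = [
    ipaddress.ip_network("173.245.48.0/20"),
    ipaddress.ip_network("104.16.0.0/13"),
]

# Constructed blocklist standing in for the "huge swaths" the old iptables
# rules dropped. RFC 5737 test networks are used so nothing real is blocked.
BLOCKED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3
    ipaddress.ip_network("198.51.100.0/24"),  # TEST-NET-2
]


def _in_ranges(ip, ranges: Iterable) -> bool:
    return any(ip in net for net in ranges)


def client_ip(peer_ip: str, headers: Mapping[str, str],
              trusted: Iterable = CLOUDFLARE_RANGES) -> Optional[object]:
    """Return the address access control should be applied to.

    Only when the TCP peer is a trusted proxy are CF-Connecting-IP and
    X-Forwarded-For believed. Anyone connecting to the origin directly can put
    whatever they like in those headers, so for a direct connection the peer
    address is returned and the headers are ignored.

    Returns None when a trusted proxy sent an unparsable client address; the
    caller should treat that as a reason to block rather than to allow.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _in_ranges(peer, trusted):
        return peer

    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("cf-connecting-ip")
    if raw is None and "x-forwarded-for" in lowered:
        # X-Forwarded-For is "client, proxy1, proxy2, ..."; the leftmost entry
        # is the original client as seen by the first proxy.
        raw = lowered["x-forwarded-for"].split(",")[0].strip()
    if raw is None:
        # Trusted proxy but no client header: nothing better than the peer.
        return peer
    try:
        return ipaddress.ip_address(raw)
    except ValueError:
        return None


def should_block(peer_ip: str, headers: Mapping[str, str],
                 blocked: Iterable = BLOCKED_RANGES,
                 trusted: Iterable = CLOUDFLARE_RANGES) -> bool:
    """True if the request should be rejected. Fails closed on bad headers."""
    ip = client_ip(peer_ip, headers, trusted)
    if ip is None:
        return True
    return _in_ranges(ip, blocked)


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, request headers)
    samples = [
        ("173.245.48.10", {"CF-Connecting-IP": "203.0.113.5"}),   # via CF, blocked
        ("173.245.48.10", {"CF-Connecting-IP": "192.0.2.7"}),     # via CF, allowed
        ("203.0.113.9", {"CF-Connecting-IP": "192.0.2.7"}),       # direct, spoofed header
        ("104.20.1.1", {"X-Forwarded-For": "198.51.100.4, 173.245.48.10"}),
        ("173.245.48.10", {"CF-Connecting-IP": "not-an-ip"}),     # garbage from proxy
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, "->", client_ip(peer, hdrs), "block=", should_block(peer, hdrs))
```

The same trust rule is what Apache's mod_remoteip implements: `RemoteIPHeader CF-Connecting-IP` names the header to believe and `RemoteIPTrustedProxy` (or `RemoteIPTrustedProxyList`) lists the Cloudflare ranges it may be believed from, after which the ordinary `Require ip` / `Require not ip` rules see the real client address instead of Cloudflare's. Without the trusted-proxy list, the header is honoured from any peer and the blocks can be bypassed by anyone who can reach the origin directly.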