[GH-ISSUE #268] Cloudflare only switch #237

Closed
opened 2026-02-26 06:31:40 +03:00 by kerem · 9 comments

Originally created by @vrelk on GitHub (Dec 31, 2019).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/268

Could we get an option to enable that would cause a 403 to be returned if the client isn't a Cloudflare IP? This would be nice to force direct access, mainly for things like Cloudflare Access. Seeing as rewriting the client IP is forced, that prevents the normal way of doing this.

kerem closed this issue and added the `stale` label on 2026-02-26 06:31:40 +03:00.

@Rustymage commented on GitHub (Jan 9, 2020):

I like this suggestion.


@webbson commented on GitHub (Mar 2, 2020):

I would really like this too, would be really helpful in combination with Cloudflare access to restrict access to certain areas.
I've tried to solve it with a custom config on advanced containing
```
allow 173.245.48.0/20;
allow 103.21.244.0/22;
allow 103.22.200.0/22;
allow 103.31.4.0/22;
allow 141.101.64.0/18;
allow 108.162.192.0/18;
allow 190.93.240.0/20;
allow 188.114.96.0/20;
allow 197.234.240.0/22;
allow 198.41.128.0/17;
allow 162.158.0.0/15;
allow 104.16.0.0/12;
allow 172.64.0.0/13;
allow 131.0.72.0/22;
deny all;
```

This however blocks all requests. Inspecting the log shows that the requests are logged with the real IP of the visitor even though the traffic goes through Cloudflare.

Edit: Sorry for line break not working in code block


@Rustymage commented on GitHub (Apr 11, 2020):

I wonder if there is a cloudflare settings toggle?


@Rustymage commented on GitHub (Apr 17, 2020):

This suggests Cloudflare does not add the visitor IP address to the header...

[image: Screenshot 2020-04-17 at 21 12 38]

@vrelk commented on GitHub (Apr 18, 2020):

It actually does using X-forwarded-for. The nginx config just replaces the
client IP with the value of that header, which then makes it so you can't
validate that it is a cloudflare IP.

On Fri, Apr 17, 2020, 4:15 PM Anthony <notifications@github.com> wrote:

> This suggests Cloudflare does not add the visitor IP address to the header...
>
> [image: Screenshot 2020-04-17 at 21 12 38]
> https://user-images.githubusercontent.com/19926955/79610318-381aac80-80f0-11ea-8a88-2a0bf65ca7a3.png



@Rustymage commented on GitHub (Apr 20, 2020):

I see - I've now added a hardware firewall on the network which does the heavy lifting of checking for Cloudflare IPs. Problem circumvented and solved.


@netstx commented on GitHub (Mar 5, 2021):

Could this be why my NPM proxy host to a Cloudflare endpoint (website on their CDN) doesn't work for me? I keep getting a 403 Forbidden error on the page (Cloudflare error, not NPM).


@github-actions[bot] commented on GitHub (Mar 31, 2024):

Issue is now considered stale. If you want to keep it open, please comment 👍


@github-actions[bot] commented on GitHub (May 10, 2025):

Issue was closed due to inactivity.
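
The behaviour @vrelk describes in the thread, where the forced client-IP rewrite makes `allow`/`deny` test the visitor address instead of the Cloudflare peer, can be handled in plain nginx by matching on `$realip_remote_addr`, which keeps the original peer address. This is an added example, not part of the original thread or the project's own configuration; the variable name `$from_cloudflare` is hypothetical and the ranges are the ones from @webbson's comment.

```nginx
# --- http context ---
# allow/deny (ngx_http_access_module) test the client address *after* the
# realip module has replaced it with the visitor IP taken from the forwarded
# header, so a Cloudflare allow list placed there rejects Cloudflare traffic.
# $realip_remote_addr (ngx_http_realip_module, nginx 1.9.7+) still holds the
# address of the TCP peer, so classify that instead.
#
# Ranges copied from the comment in this thread (2020); compare them with
# Cloudflare's currently published list before use. Only IPv4 is listed, so
# an IPv6 peer matches "default" and is refused.
geo $realip_remote_addr $from_cloudflare {   # hypothetical variable name
    default           0;
    173.245.48.0/20   1;
    103.21.244.0/22   1;
    103.22.200.0/22   1;
    103.31.4.0/22     1;
    141.101.64.0/18   1;
    108.162.192.0/18  1;
    190.93.240.0/20   1;
    188.114.96.0/20   1;
    197.234.240.0/22  1;
    198.41.128.0/17   1;
    162.158.0.0/15    1;
    104.16.0.0/12     1;
    172.64.0.0/13     1;
    131.0.72.0/22     1;
}

# --- server context of the host that must only be reached via Cloudflare ---
# The realip rewrite runs before this check, so $remote_addr and the access
# log keep showing the visitor IP while the decision uses the real peer.
if ($from_cloudflare = 0) {
    return 403;
}
```

The `geo` block is only valid at `http` level, so it cannot go in a per-host snippet that is included inside `server`; the `if` check can.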
