Allow only connections from cloudflare through nodebalancer
Hello,
My setup is like this:
Cloudflare > Nodebalancer > 2 nodes(nginx)
I want to only allow visits from cloudflare ips, but $remote_addr on nginx keep returning the nodebalancer private ip not the cloudflare origin ips, and if I allow the nodebalancer ip any one accessing my nodebalancer will be able to access my server. This is an issue I have been dealing with.
Also I noticed I canot customize the node balancer since there is no firewall options or ip configurations, is this really not possible?
1 Reply
Nodebalancers deliver traffic to your backend nodes over the private network. As mentioned in the Client's IP Address Pass-through guide,
"When a NodeBalancer routes traffic to a backend node, the originating IP address becomes the NodeBalancer’s private IP address."
While your NodeBalancer's public IP address won't change, the private IP address may change over time. With that in mind, you will need to add the entire /24 of NodeBalancer IP addresses to your allow-list: 192.168.255.0/24
.
Alternatively, you can deploy an instance running HA Proxy which will give you a bit more fine-tuning when it comes to functionality.
Finally, this post from the Community Questions site has a bit more information on X-Forwarded-For headers for your web server and how they can be used to in LoadBalancing situations.