Using access control

Discussion in 'Install/Configuration' started by tth, Aug 23, 2014.

  1. tth

    tth New Member

    Hello Everyone,

    I am using LiteSpeed and Cloudflare as a CDN plus proxy for a website.
    I want to set a restriction at my server level so that the server will only accept requests that come through Cloudflare and deny all others.

    How can I do this?

    I tried using the access control feature of LiteSpeed.
    But if I enable this, the site and cPanel stats programs are not able to identify the visitor's actual IP (client IP in header).

    How can I fix this? Thanks in advance.
  2. NiteWave

    NiteWave Administrator

  3. tth

    tth New Member

    I enabled Client IP in Header in Configuration.
    And added Cloudflare's IPs to the "Allowed List" and put "ALL" in the "Denied List".
    Now when I tried browsing the site, I received the error: "The requested resource could not be loaded because the server returned an error:
    403 Forbidden (?)."
  4. NiteWave

    NiteWave Administrator

    Can you post the detailed info here?
    Maybe you need to put a trailing T on Cloudflare's IPs.
  5. tth

    tth New Member

    I added the IPs to the allowed list as below:
    199.27.128.0/21
    173.245.48.0/20
    103.21.244.0/22
    103.22.200.0/22
    103.31.4.0/22
    141.101.64.0/18
    108.162.192.0/18
    190.93.240.0/20
    188.114.96.0/20
    197.234.240.0/22
    198.41.128.0/17
    162.158.0.0/15
    104.16.0.0/12
    2400:cb00::/32
    2606:4700::/32
    2803:f800::/32
    2405:b500::/32
    2405:8100::/32

    Is this the correct format?
  6. NiteWave

    NiteWave Administrator

    So:
    199.27.128.0/21T
    173.245.48.0/20T
    103.21.244.0/22T
    103.22.200.0/22T
    103.31.4.0/22T
    141.101.64.0/18T
    108.162.192.0/18T
    190.93.240.0/20T
    188.114.96.0/20T
    197.234.240.0/22T
    198.41.128.0/17T
    162.158.0.0/15T
    104.16.0.0/12T
    2400:cb00::/32T
    2606:4700::/32T
    2803:f800::/32T
    2405:b500::/32T
    2405:8100::/32T
  7. tth

    tth New Member

    Still the same 403 Forbidden error.
  8. NiteWave

    NiteWave Administrator

    I mimicked the above rules on a local LiteSpeed box, and it looks like it's working -- if 1.2.3.4T is in the allow list, even if the deny list is ALL, it can still be accessed from 1.2.3.4T.

    So if you remove ALL from the "Denied List", there should be no "403 Forbidden"?

    And can you test on a simple static page, like /readme.html?
    Also note that
    127.0.0.1T and your server's IP may need to be put in the Allowed List (with trailing T) as well -- some scripts on the server may need to access 127.0.0.1:2083 etc.
  9. tth

    tth New Member

    I did all the changes you suggested, and tested with a .txt file.
    But still the same.

    It only works if I choose "Trusted IP Only" from the "client IP header" option. But this way, cPanel and other stats programs only identify the Cloudflare IP as the visitor IP.
  10. NiteWave

    NiteWave Administrator

    Hi, I think I've just got the whole picture of this case.

    The best solution should be:
    1.
    lsws web admin -> Server -> General -> Use Client IP in Header: Yes

    2.
    lsws web admin -> Server -> Security -> Access Control, revert back to the default settings,
    e.g.,
    Allowed List: ALL
    Denied List: (Not Set)

    3. On the OS firewall level, implement:
    "server will only accept requests that come through Cloudflare and deny all."
    This is easy to do with iptables.
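An added example of the iptables step NiteWave describes, not code from the thread or from LiteSpeed: it generates (rather than applies) firewall rules that let TCP ports 80 and 443 be reached only from the Cloudflare ranges tth listed, using a hypothetical chain name CF_WEB_IN and assuming the web server listens on those two ports.

```shell
#!/bin/sh
# Added example (not from the thread or LiteSpeed): print iptables/ip6tables
# rules that allow ports 80/443 only from the Cloudflare ranges listed in the
# thread and drop every other source. Nothing is applied by this script;
# review the output, then feed it to a root shell (e.g. sh gen-cf-rules.sh | sh).
# Ranges are copied from the post above (Aug 2014); re-check Cloudflare's
# current published list before relying on them.
CF_V4="199.27.128.0/21 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22
103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20
188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/12"
CF_V6="2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 2405:8100::/32"

# gen_rules TOOL NET... : emit the rules for one address family (TOOL is
# iptables or ip6tables). Re-running the output is safe: the chain is flushed
# and the INPUT hook is deleted before being re-inserted.
gen_rules() {
    tool="$1"; shift
    chain="CF_WEB_IN"   # hypothetical chain name; INPUT itself is left alone
    echo "$tool -N $chain 2>/dev/null"
    echo "$tool -F $chain"
    # Loopback first, so local scripts that talk to the box keep working.
    echo "$tool -A $chain -i lo -j ACCEPT"
    for net in "$@"; do
        echo "$tool -A $chain -s $net -j ACCEPT"
    done
    # Anything else on the web ports is dropped: the origin stays behind the CDN.
    echo "$tool -A $chain -j DROP"
    # Only HTTP/HTTPS traverse the chain; SSH, cPanel ports etc. are unaffected.
    echo "$tool -D INPUT -p tcp -m multiport --dports 80,443 -j $chain 2>/dev/null"
    echo "$tool -I INPUT -p tcp -m multiport --dports 80,443 -j $chain"
}

# Sanity check helper: count the source networks a generated rule set accepts
# (should equal the number of ranges fed in; the loopback rule is excluded).
count_accepted_nets() {
    grep -c -- '-s .* -j ACCEPT'
}

# Stand-alone run: print both rule sets.
gen_rules iptables $CF_V4     # unquoted on purpose: one network per word
gen_rules ip6tables $CF_V6
```

Once only Cloudflare can reach ports 80 and 443, the client IP header that LiteSpeed reads with "Use Client IP in Header: Yes" can only have been set by Cloudflare, so cPanel and the stats programs see real visitor addresses without any allow list in Access Control.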
