Using access control

#1
Hello Everyone,

I am using LiteSpeed and Cloudflare as a CDN plus proxy for a website.
I want to set a restriction at my server level so that the server will only accept requests that come through Cloudflare and deny all others.

How can I do this?

I tried using the access control feature of LiteSpeed.
But if I enable this, the site and the cPanel stats program are not able to identify the visitor's actual IP (client IP in header).

How can I fix this? Thanks in advance.
 
#3
Can you be more specific about "access control feature of LiteSpeed"?

Here's a link about how to have LiteSpeed work with Cloudflare:
https://support.cloudflare.com/hc/e...-original-visitor-IP-with-a-LiteSpeed-server-
I enabled Client IP in Header in Configuration.
And added Cloudflare IPs to the "Allowed List" and put "ALL" in the "Denied List".
Now when I tried browsing the site, I received the error: "The requested resource could not be loaded because the server returned an error:
403 Forbidden (?)."
 
#5
Can you post the detailed info here?
Maybe you need to put a trailing T on Cloudflare's IPs.
I added the IPs to the allowed list as below:
Code:
199.27.128.0/21
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/12
2400:cb00::/32
2606:4700::/32
2803:f800::/32
2405:b500::/32
2405:8100::/32
Is this the correct format?
 

NiteWave

Administrator
#6
Put a trailing T on Cloudflare's IPs,
so:
Code:
199.27.128.0/21T
173.245.48.0/20T
103.21.244.0/22T
103.22.200.0/22T
103.31.4.0/22T
141.101.64.0/18T
108.162.192.0/18T
190.93.240.0/20T
188.114.96.0/20T
197.234.240.0/22T
198.41.128.0/17T
162.158.0.0/15T
104.16.0.0/12T
2400:cb00::/32T
2606:4700::/32T
2803:f800::/32T
2405:b500::/32T
2405:8100::/32T
 
#7
so:
Code:
199.27.128.0/21T
173.245.48.0/20T
103.21.244.0/22T
103.22.200.0/22T
103.31.4.0/22T
141.101.64.0/18T
108.162.192.0/18T
190.93.240.0/20T
188.114.96.0/20T
197.234.240.0/22T
198.41.128.0/17T
162.158.0.0/15T
104.16.0.0/12T
2400:cb00::/32T
2606:4700::/32T
2803:f800::/32T
2405:b500::/32T
2405:8100::/32T
Still the same 403 Forbidden error.
 

NiteWave

Administrator
#8
I mimicked the above rules on a local LiteSpeed box, and it looks like it's working: if 1.2.3.4T is in the allow list, even when the deny list is ALL, I can still access from 1.2.3.4T.

So if you remove ALL from the "Denied List", there should be no "403 Forbidden"?

And can you test on a simple static page, like /readme.html?
Also be aware that
127.0.0.1T and your server's IP may need to be put in the Allowed List (with the trailing T) as well, since some scripts on the server may need to access 127.0.0.1:2083 etc.
 
#9
I mimicked the above rules on a local LiteSpeed box, and it looks like it's working: if 1.2.3.4T is in the allow list, even when the deny list is ALL, I can still access from 1.2.3.4T.

So if you remove ALL from the "Denied List", there should be no "403 Forbidden"?

And can you test on a simple static page, like /readme.html?
Also be aware that
127.0.0.1T and your server's IP may need to be put in the Allowed List (with the trailing T) as well, since some scripts on the server may need to access 127.0.0.1:2083 etc.
I made all the changes you suggested, and tested with a .txt file.
But it is still the same.

It only works if I choose "Trusted IP Only" from the "client IP header" option. But this way, cPanel and other stats programs only identify the Cloudflare IP as the visitor IP.
 
#10
Hi, I think I've just got the whole picture of this case.

The best solution should be:
1.
lsws web admin -> Server -> General -> Use Client IP in Header: Yes

2.
lsws web admin -> Server -> Security -> Access Control, revert back to the default settings,
e.g.,
Allowed List: ALL
Denied List: (Not Set)

3. At the OS firewall level, implement:
"server will only accept requests that come through Cloudflare and deny all others."
This is easy to do with iptables.
 
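Step 3 of #10, worked through as an added example (it is not from this thread, from LiteSpeed, or from Cloudflare). The point of moving the restriction to the firewall is that with "Use Client IP in Header: Yes" and the Access Control list back to ALL, LiteSpeed will take the client address from X-Forwarded-For on any request; only the firewall stops a direct client from reaching port 80/443 and forging that header. The script below builds a CF_ONLY chain from the ranges posted earlier in this thread (a constructed sample that goes stale; refresh it from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 before use), accepts loopback so the local scripts mentioned in #8 keep working, and drops everything else on the web ports. Port 2083 and the rest of cPanel are deliberately left alone. Running it without arguments only prints the rules for review; `--apply` as root executes them. It assumes an existing INPUT rule already accepts ESTABLISHED,RELATED traffic.

```shell
#!/bin/sh
# Added example, not from this thread or from LiteSpeed: generate (and optionally
# apply) iptables/ip6tables rules so that TCP 80/443 accept new connections only
# from Cloudflare's ranges. Everything else to those ports is dropped, so a direct
# client can no longer reach LiteSpeed and forge X-Forwarded-For / CF-Connecting-IP.
#
# The ranges below are the ones posted earlier in this thread (constructed sample
# input; they go stale). Refresh them from https://www.cloudflare.com/ips-v4 and
# https://www.cloudflare.com/ips-v6 before applying in production.
CF_RANGES='199.27.128.0/21
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/12
2400:cb00::/32
2606:4700::/32
2803:f800::/32
2405:b500::/32
2405:8100::/32'

WEB_PORTS="80,443"   # only the ports Cloudflare proxies; 2083 etc. are untouched
CHAIN="CF_ONLY"
JUMP="-p tcp -m multiport --dports $WEB_PORTS -m conntrack --ctstate NEW -j $CHAIN"

# Print the commands for one address family.
# $1 = iptables or ip6tables; stdin = the CIDRs of that family, one per line.
emit_rules() {
    bin="$1"
    echo "$bin -N $CHAIN 2>/dev/null || $bin -F $CHAIN"   # create or reset the chain
    echo "$bin -A $CHAIN -i lo -j ACCEPT"                 # local scripts (#8: 127.0.0.1)
    while read -r cidr; do
        [ -n "$cidr" ] || continue
        echo "$bin -A $CHAIN -s $cidr -j ACCEPT"
    done
    echo "$bin -A $CHAIN -j DROP"                         # anything not from Cloudflare
    echo "$bin -D INPUT $JUMP 2>/dev/null || true"        # keep re-runs idempotent
    echo "$bin -I INPUT $JUMP"
}

# Split the list by family; a ':' only appears in IPv6 CIDRs.
v4_ranges() { printf '%s\n' "$CF_RANGES" | grep -v ':'; }
v6_ranges() { printf '%s\n' "$CF_RANGES" | grep ':'; }

# The complete rule script for both families, printed rather than executed.
cf_firewall_rules() {
    v4_ranges | emit_rules iptables
    v6_ranges | emit_rules ip6tables
}

# Number of per-range ACCEPT rules for a family; a quick sanity check before
# applying (13 IPv4 and 5 IPv6 with the list above).
cf_accept_count() {
    cf_firewall_rules | grep -c "^$1 -A $CHAIN -s [^ ]* -j ACCEPT"
}

# Run as root with --apply to load the rules; anything else only prints them.
# Assumes the existing INPUT policy already accepts ESTABLISHED,RELATED traffic.
if [ "${1:-}" = "--apply" ]; then
    cf_firewall_rules | sh -e
else
    cf_firewall_rules
fi
```

Check the printed rules with `iptables -L CF_ONLY -n` after applying, and test from a host outside Cloudflare (curl to the origin IP on 443 should hang or be refused while the site still loads through the Cloudflare hostname). Because the jump only matches NEW connections on 80/443, SSH and cPanel ports are not affected by this chain.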