emotality / laravel-block-cf-origin
Laravel package to block direct requests to your Cloudlfare-protected origin server.
Fund package maintenance!
www.buymeacoffee.com/emotality
Requires
- php: ^8.0
- ext-redis: *
- illuminate/cache: ^9.0|^10.0|^11.0
- illuminate/console: ^9.0|^10.0|^11.0
- illuminate/http: ^9.0|^10.0|^11.0
- illuminate/support: ^9.0|^10.0|^11.0
- symfony/http-kernel: ^6.0|^7.0
Requires (Dev)
- laravel/pint: ^1.15
This package is auto-updated.
Last update: 2024-11-07 02:39:48 UTC
README
Laravel package to block direct requests to your Cloudlfare-protected origin server.
Overview
This packages should only be used when the following applies:
- You can't add firewall rules (to only accept requests from CF Edge IP addresses) because your server is shared with other projects that don't use Cloudflare. If you have a single app running on your server, rather add firewall rules.
- You can't add deny/allow rules to your Nginx/Apache config because you are using the
set_real_ip_from/mod_remoteipmodule to forward the user's real IP (X-Forwarded-For). If you don't need to forward the user's real IP, rather add deny/allow rules to your Nginx/Apache config. - You can't install
cloudflaredand create a tunnel. Read more
See Useful Links section below for more information.
Requirements
- PHP 8.0+
- PHP Redis extension
- Laravel 9.0+
*Note: This package only supports the Redis cache driver!
Installation
composer require emotality/laravel-block-cf-originphp artisan vendor:publish --provider="Emotality\Cloudflare\CloudflareBlockOriginServiceProvider"- Add the middleware in
app/Http/Kernel.php:
protected $middleware = [ \Emotality\Cloudflare\BlockNonCloudflareRequests::class, // Top is preferred ... ];
- Add the cronjob to update Cloudflare's netmasks:
protected function schedule(Schedule $schedule): void { ... $schedule->call(new \Emotality\Cloudflare\GetNetmasks)->weekly(); }
- Update your
config/cloudflare-block.phpconfig and.envaccordingly. - Add FastCGI (PHP-FPM) param to your Nginx config:
server { server_name example.com; ... location ~ \.php$ { fastcgi_pass unix:/var/run/php/php8.2-fpm.sock; fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; fastcgi_param CF_EDGE_IP $realip_remote_addr; <<----- HERE include fastcgi_params; } }
$realip_remote_addr will be Cloudflare's IP if the request went through a Cloudflare Edge proxy, or the user's IP if the request was direct.
$remote_addr will be the user's IP address.
Useful Links
- Cloudflare IP ranges
- Cloudflare IP addresses
- Cloudflare Tunnel
- Restoring original visitor IPs
- Protect your origin server
- Authenticated Origin Pulls
Contributing
This package is in its early stages, feel free to report any issues or suggest improvements. Please use the master branch for any pull requests.
License
laravel-block-cf-origin is released under the MIT license. See LICENSE for details.