agence-gaya/traefik-plugin-cloudflare

traefik-plugin-cloudflare

Traefik plugin to handle traffic coming from Cloudflare.

Features

  • Only allow traffic originating from Cloudflare IPv4 and IPv6 addresses
  • A custom list of CIDRs can be added to allow requests that do not come from Cloudflare
  • Refresh Cloudflare CIDRs from the Cloudflare API URL https://api.cloudflare.com/client/v4/ips
  • Handle the original X-Forwarded-For header to allow Cloudflare requests from a trusted reverse proxy behind Traefik
  • Rewrite the request's X-Forwarded-For header with the user IP provided by CF-Connecting-IP
  • Rewrite the request's X-Forwarded-Proto header with the scheme provided by CF-Visitor
  • Rewrite the request's X-Real-IP header with the user IP provided by CF-Connecting-IP
  • Rewrite RemoteAddress so that the Traefik ipwhitelist middleware works on the IP provided by CF-Connecting-IP

Configuration

Plugin options

| Key | Type | Default | Description |
| --- | --- | --- | --- |
| trustedCIDRs | []string | [] | Requests coming from a source not matching any of these CIDRs will be terminated with a 403. If empty, it is populated with Cloudflare's CIDRs. |
| allowedCIDRs | []string | [] | Requests coming from a source matching any of these CIDRs will not be terminated with a 403, and their request headers will not be overwritten. |
| refreshInterval | time.Duration | 24h | When trustedCIDRs is empty, Cloudflare's CIDRs will be refreshed after this duration. Using a value of 0 seconds disables the refresh. |
| overwriteRequestHeader | bool | true | When true, the request's headers are rewritten. When false, no header or Traefik RemoteAddress is modified; the plugin only filters requests by Cloudflare IP. |
| appendXForwardedFor | bool | false | Only works when overwriteRequestHeader is true. When true, prepends the Cloudflare IP to X-Forwarded-For instead of replacing the first X-Forwarded-For value. |
| debug | bool | false | Output debug messages in the Traefik log. |
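
How the options above combine into one decision per request, as an added Go sketch that is not the plugin's own code: it works on plain values (TCP peer, CF-Connecting-IP, X-Forwarded-For) and leaves out the X-Real-IP and X-Forwarded-Proto rewrites and the CIDR refresh. The type and function names, the handling of an unparseable CF-Connecting-IP, and the reading that appendXForwardedFor prepends the visitor IP are assumptions; all addresses are constructed from documentation ranges.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Options mirrors the documented keys; every name in this sketch is hypothetical.
type Options struct {
	TrustedCIDRs, AllowedCIDRs                  []string
	OverwriteRequestHeader, AppendXForwardedFor bool
}

func inAny(ip net.IP, cidrs []string) bool {
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// Decide takes the TCP peer ("ip:port") plus the CF-Connecting-IP and X-Forwarded-For
// values and returns the status (403, or 0 = pass on) with the resulting peer and XFF.
func Decide(peer, cfIP, xff string, o Options) (int, string, string) {
	host, port, _ := net.SplitHostPort(peer)
	src, client := net.ParseIP(host), net.ParseIP(cfIP)
	switch {
	case src != nil && inAny(src, o.AllowedCIDRs):
		return 0, peer, xff // allowedCIDRs: no 403, nothing rewritten
	case src == nil || !inAny(src, o.TrustedCIDRs):
		return 403, peer, xff // untrusted peer: its CF-* headers have no effect
	case !o.OverwriteRequestHeader || client == nil:
		return 0, peer, xff // assumption: an invalid CF-Connecting-IP changes nothing
	}
	parts := strings.Split(xff, ",")
	if !o.AppendXForwardedFor || parts[0] == "" {
		parts = parts[1:] // replace mode: the old first value is dropped
	}
	parts = append([]string{client.String()}, parts...) // assumption: visitor IP first
	return 0, net.JoinHostPort(client.String(), port), strings.Join(parts, ",")
}

func main() {
	o := Options{TrustedCIDRs: []string{"198.51.100.0/24"}, OverwriteRequestHeader: true}
	// Constructed inputs: first peer is inside the trusted range, second is not.
	fmt.Println(Decide("198.51.100.9:4000", "203.0.113.7", "10.0.0.1,10.0.0.2", o))
	fmt.Println(Decide("192.0.2.5:4000", "203.0.113.7", "10.0.0.1", o))
}
```

The second call shows why the source check comes first: a peer outside trustedCIDRs can send any CF-Connecting-IP it likes, and the value is never used.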

Traefik static configuration

experimental:
  plugins:
    cloudflare:
      moduleName: github.com/agence-gaya/traefik-plugin-cloudflare
      version: v1.0.0

Dynamic configuration

http:
  middlewares:
    cloudflare:
      plugin:
        cloudflare:
          trustedCIDRs: []
          overwriteRequestHeader: true

  routers:
    foo-router:
      rule: Path(`/foo`)
      service: foo-service
      entryPoints:
        - web
      middlewares:
        - cloudflare