Better Cloudflare Support

[WalshyDev]

Feature request

Feature description

There are some improvements which still should be made to have better support for Cloudflare.

• Only resolve real IP if it comes from Cloudflare

  • This is quite important, if someone was to not go through Cloudflare (not proxied record, misconfiguration, etc) this allows for a user to provide a spoofed IP address. They can just provide the X-Forwarded-For and CF-Connecting-IP headers (since CF will not override them)
  • This needs to be done with an nginx module and IP file (would be great to pull these from the API so it's always up to date - also add a comment to regularly check this)
  • Guide for this is located here: https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs
  • This feature would require quite a bit of work but I think is a pretty critical thing to add

• Support Origin Certificates as an option

  • Preferably people would use a proper Let's Encrypt cert but this is a much easier and quicker setup for those inexperienced. It would not hurt encryption or security in any way.

How the feature is useful

It would improve security for those using Cloudflare and possibly also speed up the setup process.

Not sure the best way to implement this. I think having a general "Using Cloudflare Proxy" option would be good. By default, it can do setup of real IP restoration and add a checkbox for Orgin Cert (not checked by default - Let's Encrypt should still be preferred)

[tsparksh]

• Support Origin Certificates as an option

CA Origi certificates are just common, certificates (that are already supported), are not they?

[MattIPv4]

Yup, was just about to write that -- using Cloudflare origin certificates should already be supported through the custom cert option unless I'm missing something. We can definitely add a helpful note about this though under the proposed new Cloudflare checkbox from this issue.

For the real IP stuff, I think this should be a new checkbox for sure, that can then add a new file named cloudflare.conf that contains the IP ranges and the header directives. Generating the IP lists will currently need to be done server-side, which means they will need to be a custom build step, and thus only update as frequently as the tool is re-built and re-deployed -- I have poked Cloudflare about allowing cross-origin access to the IP lists so this could be done at runtime client-side instead.

[WalshyDev]

• Support Origin Certificates as an option

CA Origi certificates are just common, certificates (that are already supported), are not they?

Yes they're already a thing which is supported. I meant like having it in the setup part in replace of the Lets Encrypt part. So, it would say like "Generate a certificate here" linking to Cloudflare.com?to=/:account/:zone/ssl/origin-certificate and then just say to make X and Y file. I believe this would just be a bit more beginner friendly.

[MattIPv4]

Ah okay, yeah, that makes sense. We could probably have the checkbox for Cloudflare real IP resolution then, and a new option to the cert radio selector for a Cloudflare origin certificate -- selecting this can then show no input but add a new step in setup as you described. I think this should also then update the generated config to restrict the server to only respond to known Cloudflare IPs, as those will be the only IPs that see the cert as valid.