From 4bf5e8f63a2adf253773a8db1e88b85100c797bf Mon Sep 17 00:00:00 2001
From: deflax <daniel@deflax.net>
Date: Thu, 6 Feb 2025 20:50:32 +0200
Subject: [PATCH] Set X-Forwarded-For only for requests from Cloudflare

---
 config/haproxy/haproxy.cfg | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/config/haproxy/haproxy.cfg b/config/haproxy/haproxy.cfg
index 60eb0a4..211c25d 100644
--- a/config/haproxy/haproxy.cfg
+++ b/config/haproxy/haproxy.cfg
@@ -47,6 +47,11 @@ frontend web
     http-request set-header X-Url-Scheme https
     http-request set-header Host %[ssl_fc_sni]
 
+    # Set X-Forwarded-For only for requests from Cloudflare
+    acl from_cf    src -f /usr/local/etc/haproxy/cloudflare_ips.lst
+    acl cf_ip_hdr  req.hdr(CF-Connecting-IP) -m found
+    http-request set-header X-Forwarded-For %[req.hdr(CF-Connecting-IP)] if from_cf cf_ip_hdr
+
     # CORS
     http-response set-header Access-Control-Allow-Origin "*"
     http-response set-header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, JSNLog-RequestId, activityId, applicationId, applicationUserId, channelId, senderId, sessionId"