I’m currently developing an application that will be proxied by Cloudflare. Is it possible to whitelist Cloudflare’s IPs from my apps, so that only they can access them? I know I can apply a proxy on top, but I was just trying to see if there was a Fly-native solution.
Fly does not yet have an API to set L3 firewall rules. So, you’d have to impl it yourself.
I was just trying to see if there was a Fly-native solution
If you are using the HTTP handler, then Fly adds x-forwarded-for header containing client IP.
For TCP, you’d have to use the Proxy Proto handler if you need client IP.
For UDP, client IP is preserved.
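An added example, not part of the original thread and not Fly or Cloudflare code: an application-level allowlist check on the x-forwarded-for header mentioned above. It assumes the edge appends the connecting peer as the right-most entry; the function names, the `trusted_hops` parameter and the CIDR ranges are constructed placeholders to be replaced with the ranges your proxy provider publishes.

```python
import ipaddress

# Constructed placeholder ranges (documentation address space).
# Replace with the proxy ranges published by your CDN provider.
ALLOWED_PROXY_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in ("203.0.113.0/24", "2001:db8:cf::/48")
]


def peer_from_xff(header_value, trusted_hops=0):
    """Return the peer address recorded by the edge, or None.

    Entries are counted from the right because the left-most entries
    arrive from the client and can contain anything. trusted_hops is the
    number of entries appended after the peer by proxies you operate
    (assumption: 0, meaning the edge's entry is the last one).
    """
    if not header_value:
        return None
    parts = [p.strip() for p in header_value.split(",") if p.strip()]
    index = len(parts) - 1 - trusted_hops
    if index < 0:
        return None
    try:
        addr = ipaddress.ip_address(parts[index])
    except ValueError:
        return None  # malformed entry: treat as unknown, fail closed
    # Normalise IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def is_from_allowed_proxy(header_value, trusted_hops=0):
    """True only if the edge-recorded peer is inside an allowed range."""
    addr = peer_from_xff(header_value, trusted_hops)
    if addr is None:
        return False
    return any(
        net.version == addr.version and addr in net
        for net in ALLOWED_PROXY_RANGES
    )
```

Requests that fail the check can be rejected with a 403 in the app's middleware; a missing or unparsable header is treated as a failure.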
Sounds good. It isn’t mission-critical to verify IP addresses for me, as I do other kinds of verification, but just an extra layer of protection.
Do you know if this is planned, or in a roadmap somewhere? (If not, totally fine)
From what I gather from the forums, I don’t think it is a priority for them. That said, I am not really privy to any inside information.
There is indeed a latent demand for a programmable L3 Firewall for both outbound and inbound traffic.
Firewall is a very basic feature in any public cloud and it is surprising that it is missing in fly.io.
Yeah, this would be nice to have, otherwise Cloudflare can be easily bypassed and you lose the protection that they provide.