Image source :
https://community.cloudflare.com/t/how-can-i-password-protect-a-subdomain/185543
How do i acomplish that "limit connections to origin to allow only cloudflare ips" ? Do i need to add the ip's to firewall wan zone's subnet list, or lan zone's subnet list, or both, or other place ?
Is your question OpenWrt related in some way?
If so - in order to assist you, please [clearly and concisely] explain how it's related to OpenWrt.
You are free to firewall any IPs you desire - so perhaps you want to better explain the issue you're experiencing.
i mean, how to allow global connection to my openwrt device only from cloudflare ip's (cloudflare.com/ips-v4)
i created an "online trigger" following this tutorial [OpenWrt Wiki] Hotplug extras
and then create a shell script to fetch the cloudflare ip with below code :
#!/bin/sh
logger -t "Custom Script - CFFW" "Updating cloudflare IPs"
if curl -X GET https://www.cloudflare.com/ips-v4 >/tmp/cloudflareips;then
logger -t "Custom Script - CFFW" "Obtained cloudflare ip list"
for cfip in $(cat /tmp/cloudflareips);do
for firewall_zone in $(uci -X show firewall | grep "=zone$" | awk -F"=" '{print $1}');do
zone_name=$(uci get ${firewall_zone}.name) &&
case ${zone_name} in
wan)
#
logger -t "Custom Script - CFFW" "Add ${cfip} to ${zone_name} firewall zone"
uci -q del_list ${firewall_zone}.subnet="${cfip}" &&
uci add_list ${firewall_zone}.subnet="${cfip}" &&
uci commit ${firewall_zone}.subnet
;;
esac
done
done
logger -t "Custom Script - CFFW" "Reload firewall"
/etc/init.d/firewall reload
else
logger -t "Custom Script - CFFW" "Failed to obtain cloudflare ip list"
fi
exit 0
but it doesn't seem right
It's not really clear what that means. So using what I can determine from your script, I'll give an example for allowing the IPs on the WAN zone.
Interesting script...not sure what "trigger", etc - but nonetheless I would do something like this and add it to a cron job (if you want to write the fail loop and logger events, I'll leave you to work on that). Also in my example, I'll be using wget, since curl is not installed by default and the UCI method of just editing the respective config files (instead of scripting uci commands):
#!/bin/sh
cd /tmp || exit 1
###########################
rm /tmp/cloudflareips.txt
wget "https://www.cloudflare.com/ips-v4" -O ->> /tmp/cloudflareips.txt
fw4 reload-sets
exit 0
Declaring the set in the firewall:
# in /etc/config/firewall
config ipset
option name 'cloudflareips'
option match 'src_net'
option loadfile '/tmp/cloudflareips.txt'
Here's an example firewall rule:
# in /etc/config/firewall
config rule
option name 'Allow_cloudflareips'
option src 'wan'
option family 'ipv4'
option proto 'all'
option ipset 'cloudflareips'
option target 'ACCEPT'