1. Hudu Support
  2. Using Hudu
  3. Security

Using Hudu’s IP Access Control Feature Behind Cloudflare

Updated

Overview

Hudu’s IP Access Control feature allows you to restrict access to your instance based on client IP addresses. When using Cloudflare as a reverse proxy, additional configuration is required to ensure Hudu sees the real client IP and not a Cloudflare IP.

Why This Matters

Cloudflare proxies incoming traffic and replaces the visitor’s original IP with one of its own. Without the correct configuration, this can result in:

  • Incorrect IP restriction behavior
  • All traffic appearing to come from Cloudflare IPs
  • Potentially blocking valid users or logging inaccurate data

Configuration Steps

1. Modify the NGINX Configuration

Update the following files on your Hudu server:

File: /var/www/hudu2/config/nginx/nginx.conf

Add the following lines inside the http block:

real_ip_header CF-Connecting-IP;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
real_ip_recursive on;

File: /var/www/hudu2/config/nginx/proxy.conf

Add the following line to the bottom of the file:

proxy_set_header CF-Connecting-IP $proxy_add_x_forwarded_for;

2. Restart Docker

Apply the configuration changes by restarting your Docker containers:

cd ~/hudu2
sudo docker compose down && sudo docker compose up -d

3. Enable IP Access Control in Hudu

  1. Log in to your Hudu instance as an admin
  2. Navigate to Admin > Security > IP Access Control
  3. Enable the toggle
  4. Add the IP addresses or CIDR blocks you wish to allow
  5. Click Save

Tips

  • Use a VPN or dynamic DNS if users don’t have static IPs
  • Test your configuration from multiple locations
  • Keep Cloudflare IP ranges updated in your configuration as needed

Troubleshooting

  • Issue: All users are blocked
    Cause: Cloudflare IPs are not being translated
    Solution: Ensure real_ip_header and set_real_ip_from are configured correctly in nginx.conf

  • Issue: Access logs show Cloudflare IPs
    Cause: Real client IP not passed through
    Solution: Confirm that proxy_set_header CF-Connecting-IP $proxy_add_x_forwarded_for; is added to proxy.conf

  • Issue: IP restrictions are not taking effect
    Cause: Configuration changes not applied
    Solution: Restart the Docker stack with docker compose down and up -d

Summary

To use IP Access Control with Hudu behind Cloudflare, you must configure NGINX to trust Cloudflare IP ranges and extract the original client IP using the CF-Connecting-IP header. Update the NGINX configuration files, restart Docker, and enable the IP restriction settings in the Hudu admin interface.

Was this article helpful?
0 out of 0 found this helpful