Goal: to explain our scenario
We currently want to set up a reverse proxy in front of Cloudflare. It means that we want to have lots of domains hosted on some custom IPs, and they all will take content from a Cloudflare-protected origin. We want to use Cloudflare rate limits and WAF to implement DDoS protection of our origin server. We are aware that our reverse proxies are not protected in that case, it's ok. We just need to protect our origin.
We are looking for a way to make Cloudflare trust the x-forwarded-for header. If we can explain to CF that the actual user IP is coming from the header, the rate limits and other rules will be correctly applied.
What we have tried
We have tried different approaches:
- Cloudflare worker that sets the X-Real-IP header to the IP restored from x-forwarded-for
- transform rules
But all of them give no result - rate limits are always applied to the reverse proxy, not to the end user.
We know that SoftSwiss makes use of some PVS feature, that works like:
kingbillycasino.com CNAME kingbilly-integration.com
where kingbillycasino.com is a domain on CF with proxying enabled, and kingbilly-integration.com is a custom hostname on another cloudflare account which is an origin for us.
In that case the integration domain correctly handles IPs, with rate limits, WAF etc. working as if it was facing users directly.
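As an added example (not code from the original post, and not Cloudflare's own code), this is the shape of the Worker approach described above, with the one check that has to accompany any use of x-forwarded-for: the header is only trusted when the connecting peer (cf-connecting-ip) is one of our own reverse proxies, and the chain is walked from the right so that a value the end user injected before the proxy appended the real address is ignored. The proxy addresses and client addresses are constructed sample values. This does not change what Cloudflare's rate limiting keys on, which is the observation the post reports; it shows how the forwarded address can be restored without letting users spoof it.

```javascript
// Added example: restore the client IP from X-Forwarded-For only when the
// header came from a reverse proxy we control. Constructed, hypothetical
// proxy addresses; replace with the real list of our proxy IPs.
const TRUSTED_PROXIES = new Set(["203.0.113.10", "203.0.113.11"]);

// Split "a, b, c" into ["a", "b", "c"], dropping blanks.
function parseForwardedFor(value) {
  if (!value) return [];
  return value
    .split(",")
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

// Walk the chain from the right. Every trailing hop that is one of our
// proxies is stripped; the first address that is not ours is the client.
// If the peer itself is not a trusted proxy, the header is untrusted and
// the peer address is the client.
function resolveClientIp(connectingIp, xffValue, trusted = TRUSTED_PROXIES) {
  if (!trusted.has(connectingIp)) {
    return { ip: connectingIp, trustedHeader: false };
  }
  const hops = parseForwardedFor(xffValue);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trusted.has(hops[i])) {
      return { ip: hops[i], trustedHeader: true };
    }
  }
  // Empty header or only proxies in the chain: fall back to the peer.
  return { ip: connectingIp, trustedHeader: true };
}

// Worker fetch handler (assumed shape; a deployed Worker exports this object
// as its default). cf-connecting-ip is the peer Cloudflare accepted the
// connection from, i.e. our reverse proxy when traffic is relayed through it.
const worker = {
  async fetch(request) {
    const peer = request.headers.get("cf-connecting-ip");
    const { ip } = resolveClientIp(peer, request.headers.get("x-forwarded-for"));
    const headers = new Headers(request.headers);
    headers.set("X-Real-IP", ip);
    return fetch(new Request(request, { headers }));
  },
};
```

The important case is the third assertion below: a request that arrives directly, not through one of our proxies, keeps the connecting address even if it carries an x-forwarded-for header.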