
VICIdial Dynportal issue on Cloudflare SSL

Posted: Sat Aug 13, 2022 12:56 pm
by callcentertech
Hello All,

Here is what I have achieved so far.
Set up Cloudflare SSL for Apache2, dynportal, viciphone and asterisk web socket (Fully Working)
Configured page rules and everything else in Cloudflare to make it work

The issue is with the Dynportal. When I whitelist my IP, it should ideally take the client machine's IP, but instead it's grabbing one of the proxy IPs of the client's nearest Cloudflare node.

I changed $remoteip=$_SERVER['REMOTE_ADDR'] to $remoteip=$_SERVER['HTTP_X_FORWARDED_FOR']. It works, but there are two issues with that.
1. It's a security risk
2. It does not whitelist (dynamic) the IP

Please advise..
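
The header-trust concern in the post above, as an added example that is not part of the thread or of VICIdial's code: `HTTP_X_FORWARDED_FOR` is honoured only when the TCP peer (`REMOTE_ADDR`) is a listed proxy, and the header is read right to left so client-supplied entries on the left are ignored. The function names and the proxy ranges (documentation networks) are assumptions.

```php
<?php
// Added example. Ranges below are constructed documentation networks;
// replace them with the proxy ranges your CDN publishes.
const TRUSTED_PROXIES = ['203.0.113.0/24', '2001:db8::/32'];

function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $ipBin = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // invalid address, or IPv4 compared against IPv6
    }
    $full = intdiv((int)$bits, 8); // whole bytes covered by the prefix
    $rest = (int)$bits % 8;        // leftover bits in the next byte
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) return false;
    if ($rest === 0) return true;
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

function is_trusted_proxy(string $ip): bool
{
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

function client_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !is_trusted_proxy($peer)) {
        return $peer; // direct connection: the header is client-controlled
    }
    // Hops appended by trusted proxies sit on the right; scan right to left.
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) return $peer;
        if (!is_trusted_proxy($hop)) return $hop;
    }
    return $peer;
}

// Constructed requests: via a listed proxy, then direct with a forged header.
var_dump(client_ip(['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '10.9.9.9, 198.51.100.23']));
var_dump(client_ip(['REMOTE_ADDR' => '198.51.100.99', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1']));
```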

Re: VICIdial Dynportal issue on Cloudflare SSL

Posted: Wed Apr 10, 2024 5:03 pm
by williamconley
You miss an obvious concept: Your agents are accessing the server through Cloudflare. The traffic is not coming from the agent's IP to your server's IP. Thus IPTables/NFTables (or any other firewall based on IP) will only see the IP of the Cloudflare uplink, not the IP of the agent in question.

To use dynamic IP on the Vicidial server you may need to use the true-client-ip header and build a complete system around that true IP into the Apache server. This, of course, is both cumbersome and expensive since the true-client-ip header is only available on enterprise Cloudflare.

However: You COULD dual home the server's DNS. Give it two subdomains. Use one for Dynamic (which will pass through Cloudflare). This will then add the agent's true IP address to the dynamic IP list, allowing the agent to access the secondary DNS subdomain from their true IP. The secondary DNS would not be proxied and would ONLY be accessible to authorized IPs.

For this to work you will need the agent's True IP address (which is expensive through Cloudflare) but could be available via a JavaScript AJAX call in the dynamic portal.