I'm now using CloudFlare (a CDN service) for tuxz.net, which provides various features (anti-spam, Web Application Firewall, ...).
One cool thing: they publish the full list of IP ranges of their platform, so you can easily lock down your origin to accept only connections coming from the CloudFlare network.
Unfortunately, I'm also hosting websites that don't use CloudFlare, so I can't put these restrictions directly in my firewall... so let's have some fun at L7 with HAProxy and its ACL feature.
Access Control Lists (ACLs) provide a flexible way to perform content switching and, more generally, to take decisions based on content extracted from the request, the response or any environmental status. You can combine them to decide what to do with an incoming request (block it, pass it to a backend server, ...).
In my case, I want to block all requests that are not targeted at the hosting platform and are not coming through the CloudFlare network. See below for the corresponding section of the HAProxy configuration:
    frontend HTTP
        [...]
        # (the host_hdr_* ACLs matching the Host header are defined in the part elided above)
        #
        # Block all requests not coming from CloudFlare Network
        #
        acl cloudflare_valid_ip src -f /etc/haproxy/cloudflareIPs
        block if !host_hdr_hosting !cloudflare_valid_ip
        use_backend web.tuxz.net if host_hdr_tuxz
        use_backend hosting.tuxz.net if host_hdr_hosting
The file /etc/haproxy/cloudflareIPs is basically a local copy of https://www.cloudflare.com/ips-v4, which is updated each time a new IP range is added. Don't forget to follow the updates!
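To check that the rule above does what you expect before reloading HAProxy, here is an added example (not from the original post) that models the `block if !host_hdr_hosting !cloudflare_valid_ip` decision in Python: it parses an IP-list file in the same one-CIDR-per-line shape as ips-v4, refuses a malformed or empty list, and evaluates sample requests. The CIDRs and the Host names matched by `host_hdr_hosting` / `host_hdr_tuxz` are constructed assumptions, since the post elides those ACL definitions.

```python
# Added example, not code from the original post: an offline model of the
# HAProxy rule "block if !host_hdr_hosting !cloudflare_valid_ip".
import ipaddress

# Stand-in for /etc/haproxy/cloudflareIPs. Constructed sample ranges
# (RFC 5737 documentation space), NOT CloudFlare's real list.
SAMPLE_IP_FILE = """\
# constructed sample list
203.0.113.0/24
198.51.100.0/26

"""

# Assumed definitions of the elided host_hdr_* ACLs (Host header matches).
HOSTING_HOSTS = {"hosting.tuxz.net"}
TUXZ_HOSTS = {"tuxz.net", "www.tuxz.net"}


def load_cidrs(text):
    """Parse the ACL file (one CIDR per line, '#' comments, blank lines).
    A malformed entry or an empty result raises, so a bad download can never
    silently empty the allow-list and block all CloudFlare traffic."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r}: {exc}") from None
    if not nets:
        raise ValueError("empty allow-list would block every request")
    return nets


def cloudflare_valid_ip(src, nets):
    """Equivalent of 'acl cloudflare_valid_ip src -f <file>'.
    An IPv6 source never matches an IPv4-only list (returns False)."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in nets)


def decide(host, src, nets):
    """Return 'block' or the backend chosen by the frontend. HAProxy ANDs
    the two negated ACLs on the 'block' line, so only requests that are
    neither for the hosting platform nor from CloudFlare are refused."""
    if host not in HOSTING_HOSTS and not cloudflare_valid_ip(src, nets):
        return "block"
    if host in TUXZ_HOSTS:
        return "web.tuxz.net"
    return "hosting.tuxz.net" if host in HOSTING_HOSTS else "default_backend"
```

Note the last assertion: the post only loads ips-v4, so if the frontend also listens on IPv6, CloudFlare's IPv6 ranges (published at https://www.cloudflare.com/ips-v6) must be added to the file, otherwise legitimate traffic arriving over IPv6 is blocked.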