Cloudflare source IP filtering with Authorization Policy possible?

I am trying to find a way to use an Authorization Policy to filter on the Cloudflare cf-connecting-ip. Since we proxy all our requests using Cloudflare, we are not able to get the source IP directly, so the from matchers in the Authorization Policy won't work.

I was able to do this pretty easily with a list checker but I understand that this is deprecated and will be removed soon.

Any ideas?

Looking at the Cloudflare documentation (https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-), it looks like "If there was no existing X-Forwarded-For header in the request sent to Cloudflare, X-Forwarded-For has an identical value to the CF-Connecting-IP header". Any chance to use X-Forwarded-For in your case?

We just merged a PR (hopefully will be in 1.8) to support the X-Forwarded-For in the remoteIp field in Authz: https://github.com/istio/istio/pull/27906
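As an added example (not code from this thread or from the PR), here is what using that X-Forwarded-For support looks like in practice: the ingress gateway is told how many trusted proxies sit in front of it, and the policy then matches on remoteIpBlocks (the address derived from X-Forwarded-For) instead of ipBlocks (the TCP peer, which behind Cloudflare is always a Cloudflare edge address). The IP ranges are constructed RFC 5737 placeholders, and the field names numTrustedProxies and remoteIpBlocks are assumed from the Istio 1.8 configuration, not taken from the thread.

```yaml
# Added example, not from the thread. Mesh config telling the gateway how many
# trusted proxies precede it, so the client address is read from
# X-Forwarded-For rather than the TCP peer. With Cloudflare as the only hop in
# front of the ingress gateway this is 1; add one per extra load balancer that
# appends to X-Forwarded-For. (ConfigMap form assumed; IstioOperator or the
# proxy.istio.io/config pod annotation on the gateway are alternatives.)
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
data:
  mesh: |
    defaultConfig:
      gatewayTopology:
        numTrustedProxies: 1
---
# AuthorizationPolicy on the ingress gateway that allows only the listed
# client networks (constructed placeholder ranges) and denies everything else:
# once an ALLOW policy applies to a workload, any request that matches no
# ALLOW rule is rejected. remoteIpBlocks is evaluated against the address
# derived from X-Forwarded-For, which is what carries the Cloudflare
# client IP; ipBlocks would only ever see Cloudflare's edge addresses.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-known-clients
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        remoteIpBlocks:
        - 203.0.113.0/24   # constructed: an allowed client network
        - 198.51.100.17/32 # constructed: a single allowed client address
```

The derived address is only as trustworthy as the header: numTrustedProxies skips the rightmost N entries of X-Forwarded-For, so this is sound only when the gateway is reachable exclusively through Cloudflare (for example by restricting the load balancer to Cloudflare's published edge ranges). If any client can reach the gateway directly, it can supply its own X-Forwarded-For value, and the policy must not rely on it.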

Yeah I think that would address this particular case. Thank you.

@YangminZhu Is it possible for these lists to be provided via HTTP APIs like they were in the old list handlers?