I have several sites set up on my LAN that can be accessed through haproxy running on a pfSense appliance. My sites all go through Cloudflare, and pfSense + haproxy supply the certs for each site. I have every request for port 443 or 80 go to haproxy, which first checks if the source IP is from Cloudflare and, if so, forwards it to the proper backend.
What I’d like to do is check the CF-Connecting-IP (X-Forwarded-For from Cloudflare) for bad IPs before forwarding to the backend. I have seen ways to do this using haproxy, but not by using the GUI, which is the only option available with haproxy on pfSense as far as I know.
To sum up, WAN → HA → (if from CF && cf-connecting-ip not in badips) → forward to backend (else reject)
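The flow in the question, written out as raw HAProxy frontend directives. This is an added example, not configuration from the original poster or from the pfSense haproxy package; the bind path, file paths, backend and host names are placeholders. The two list files are assumed to contain one IP or CIDR per line (Cloudflare's published edge ranges in one, the operator's blocklist in the other). Order matters: the source-IP check runs first so that CF-Connecting-IP is only ever trusted on connections that actually came from Cloudflare's edge, since anyone reaching the WAN directly could set that header to whatever they like.

```haproxy
frontend fe_web
    # Placeholder bind lines; on pfSense the package generates these itself
    bind :80
    bind :443 ssl crt /var/etc/haproxy/example.pem

    # Cloudflare edge ranges (constructed path; populate from Cloudflare's published list)
    acl from_cloudflare src -f /var/etc/haproxy/cloudflare_ips.lst

    # The real client address as reported by Cloudflare. req.hdr_ip parses the
    # header value as an IP, so the -f match is a proper address/CIDR lookup,
    # not a string compare. Constructed path for the blocklist.
    acl bad_client req.hdr_ip(CF-Connecting-IP) -f /var/etc/haproxy/badips.lst

    # Step 1: anything not arriving from Cloudflare is rejected before any header is trusted
    http-request deny deny_status 403 if !from_cloudflare

    # Step 2: on Cloudflare-originated requests, reject listed client addresses
    http-request deny deny_status 403 if bad_client

    # Step 3: only traffic that passed both checks reaches a backend (placeholder host/backend)
    use_backend be_site1 if { req.hdr(host) -i site1.example.com }
    default_backend be_fallback
```

Two practical notes. `-f` files are read at startup, so HAProxy refuses to start if a listed file is missing; keep an empty `badips.lst` in place rather than deleting it. If the pfSense haproxy package's raw pass-through field is the only way to inject directives, the `acl` and `http-request deny` lines above are the part that belongs there, since the GUI already generates the `bind` and `use_backend` lines.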