How to prevent access to a whitelist of IPS, exclude public paths allow for CDN access?

I have a staging server that I want to have a whitelis开发者_开发问答t of IPs for.

Problem is, the staging server uses an origin server that needs to hit the staging server. It's Amazon's CloudFront which has no static IPs we can use.

Anyone have any ideas on how I can write something that does something like this.

1. Given the @whitelist_ips, they access everything.
2. Otherwise, everything is blocked except for /assets and anything in the public directory?

Ideas? Assistance? Thanks

You'll need to check the X-Forwarded-For header which CloudFront sends with the remote IP from where the request originated and check that against your whitelist.

This post: http://kev.in/2007/08/26/how-to-obtain-the-ip-address-of-the-current-user.html suggests that request.remote_ip may already check X-Forwarded-For.