Skip to content

makhomed/nginx-cloudflare

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
nginx-cloudflare
nginx-cloudflare
 
 
tox.ini
tox.ini
 
 

Repository files navigation

nginx-cloudflare (version 1.2.4)

Set client real IP for nginx behind Cloudflare.

Since Cloudflare acts as a reverse proxy, all connections come from one of Cloudflare's IP addresses. Cloudflare includes the originating IP address in the CF-Connecting-IP header.

This script, enabled in the cron, allow automatically maintaining an up to date list of Cloudflare ip addresses and reloading nginx if these addresses changed after update.

First block of generated files, /etc/nginx/include/cloudflare.conf, /etc/nginx/include/cloudflare_ipv4.conf, /etc/nginx/include/cloudflare_ipv6.conf, contains settings for nginx realip module, allowing nginx to restore real client IP from the CF-Connecting-IP header.

Second block of generated files, /etc/nginx/include/from_cloudflare.conf, /etc/nginx/include/from_cloudflare_ipv4.conf, /etc/nginx/include/from_cloudflare_ipv6.conf, contains settings for nginx realip module, but only set_real_ip_from directives, allowing to manually configure real_ip_header directive to use X-Forwarded-For header from Cloudflare or True-Client-IP header from Cloudflare or CF-Connecting-IP header from Cloudflare, or any other future HTTP request headers, added by Cloudflare to proxied request from client.

Third block of generated files, /etc/nginx/include/not_cloudflare.conf, /etc/nginx/include/not_cloudflare_ipv4.conf, /etc/nginx/include/not_cloudflare_ipv6.conf, contains settings for nginx geo module, allow blocking all non-cloudflare IPs in server context, blocking direct access to site, if anyone will try to bypassing Cloudflare. Such blocking at nginx level may be required, if nftables-tool not used, and system nftables permits simultaneously both types of connections - for some sites - direct connections from clients, and for some sites - only proxied connections via IP addresses from Cloudflare networks. In this case - not_cloudflare.conf files can help to permit only requests from Cloudflare IPs for some sites with minimal overhead.

Installation

Important

Python 3.8+ and Jinja2, requests, invoke modules required

dnf -y install python3 python3-pip ; \
python3 -m pip install --no-input --upgrade-strategy eager --upgrade Jinja2 requests invoke ; \
cd /opt ; git clone https://github.com/makhomed/nginx-cloudflare.git

Upgrade

python3 -m pip install --no-input --upgrade-strategy eager --upgrade Jinja2 requests invoke ; \
cd /opt/nginx-cloudflare ; git pull

Usage

/opt/nginx-cloudflare/nginx-cloudflare

or

/opt/nginx-cloudflare/nginx-cloudflare 172.21.0.0/16 2001:DB8:11:22::/64 2001:DB8:99:77::/64

Automation via cron

Configure cron job, for example, in file /etc/cron.d/nginx-cloudflare:

RANDOM_DELAY=360

0 0 * * * root /opt/nginx-cloudflare/nginx-cloudflare

or

RANDOM_DELAY=360

0 0 * * * root /opt/nginx-cloudflare/nginx-cloudflare 172.21.0.0/16 2001:DB8:1:2::/64 2001:DB8:8:9::/64

nginx configuration in http context

    include /etc/nginx/include/cloudflare.conf;

    geo $realip_remote_addr $not_cloudflare {
        include /etc/nginx/include/not_cloudflare.conf;
    }

nginx configuration in server context

    if ($not_cloudflare) { return 444; }

About

Set client real ip for nginx behind Cloudflare

Topics

nginx cloudflare real-ip

Resources

Readme

License

GPL-3.0 license
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages