Project author: makhomed

Project description:
Set client real ip for nginx behind cloudflare
Language: Python
Repository: git://github.com/makhomed/nginx-cloudflare.git
Created: 2021-06-04T10:06:12Z
Project community: https://github.com/makhomed/nginx-cloudflare

License: GNU General Public License v3.0

nginx-cloudflare (version 1.2.4)

Set client real IP for nginx behind Cloudflare.

Since Cloudflare acts as a reverse proxy, all connections come from one of Cloudflare's IP addresses.
Cloudflare includes the originating IP address in the CF-Connecting-IP header.

This script, run from cron, automatically maintains an up-to-date list of Cloudflare IP addresses
and reloads nginx if these addresses have changed after an update.

The first block of generated files, /etc/nginx/include/cloudflare.conf,
/etc/nginx/include/cloudflare_ipv4.conf and /etc/nginx/include/cloudflare_ipv6.conf,
contains settings for the nginx realip module,
allowing nginx to restore the real client IP from the CF-Connecting-IP header.

The second block of generated files, /etc/nginx/include/from_cloudflare.conf,
/etc/nginx/include/from_cloudflare_ipv4.conf and /etc/nginx/include/from_cloudflare_ipv6.conf,
also contains settings for the nginx realip module, but only set_real_ip_from directives.
This lets you configure the real_ip_header directive manually to use the X-Forwarded-For,
True-Client-IP or CF-Connecting-IP header from Cloudflare, or any other HTTP request header
that Cloudflare may add to proxied client requests in the future.

The third block of generated files, /etc/nginx/include/not_cloudflare.conf,
/etc/nginx/include/not_cloudflare_ipv4.conf and /etc/nginx/include/not_cloudflare_ipv6.conf,
contains settings for the nginx geo module that allow blocking all non-Cloudflare IPs in the server context,
so that direct access to the site is refused if anyone tries to bypass Cloudflare.
Such blocking at the nginx level may be required if nftables-tool is not used
and the system nftables permits both types of connections at the same time:
direct connections from clients for some sites, and only proxied connections from Cloudflare network IP addresses for others.
In this case the not_cloudflare.conf files can help to permit only requests from Cloudflare IPs for some sites with minimal overhead.
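As an added illustration of how the three blocks of include files fit together (example code written here, not the project's own generator), the Python below validates a list of trusted prefixes and renders the nine files described above. It assumes that not_cloudflare*.conf starts with a "default 1;" line and that the unsuffixed files hold the merged IPv4 and IPv6 lists; the sample ranges are constructed documentation prefixes, not real Cloudflare networks, because the real tool downloads the current list.

```python
from __future__ import annotations
import ipaddress
from typing import Iterable

# Constructed sample input in place of the Cloudflare-published lists that the real tool
# downloads: documentation prefixes (RFC 5737 / RFC 3849), not real Cloudflare networks.
SAMPLE_CLOUDFLARE_RANGES = ["203.0.113.0/24", "198.51.100.0/24", "2001:db8:1::/48"]
# Extra trusted networks, playing the role of the README's command-line arguments.
SAMPLE_EXTRA_RANGES = ["172.21.0.0/16", "2001:db8:11:22::/64"]

def split_networks(ranges: Iterable[str]) -> tuple[list[str], list[str]]:
    """Validate each prefix and return (ipv4, ipv6), sorted and deduplicated.
    strict=True rejects host bits and malformed text, so a corrupted download
    cannot silently widen the set of networks nginx trusts."""
    v4, v6 = set(), set()
    for raw in ranges:
        net = ipaddress.ip_network(raw.strip(), strict=True)
        (v4 if net.version == 4 else v6).add(net)
    return [str(n) for n in sorted(v4)], [str(n) for n in sorted(v6)]

def render_from_cloudflare(nets: list[str]) -> str:
    """from_cloudflare*.conf: set_real_ip_from only; real_ip_header is left to the admin."""
    return "".join(f"set_real_ip_from {n};\n" for n in nets)

def render_cloudflare(nets: list[str]) -> str:
    """cloudflare*.conf: the same trust list plus real_ip_header CF-Connecting-IP."""
    return render_from_cloudflare(nets) + "real_ip_header CF-Connecting-IP;\n"

def render_not_cloudflare(nets: list[str]) -> str:
    """not_cloudflare*.conf: geo map body, 1 for everything except the trusted networks
    (the 'default 1;' line is this example's assumption about the file layout)."""
    return "default 1;\n" + "".join(f"{n} 0;\n" for n in nets)

def generate_includes(cloudflare: Iterable[str], extra: Iterable[str] = ()) -> dict[str, str]:
    """Return {file name: content} for the nine include files; the unsuffixed file
    is assumed to hold the merged IPv4 and IPv6 lists."""
    v4, v6 = split_networks([*cloudflare, *extra])
    out: dict[str, str] = {}
    for prefix, render in (("cloudflare", render_cloudflare),
                           ("from_cloudflare", render_from_cloudflare),
                           ("not_cloudflare", render_not_cloudflare)):
        out[f"{prefix}_ipv4.conf"] = render(v4)
        out[f"{prefix}_ipv6.conf"] = render(v6)
        out[f"{prefix}.conf"] = render(v4 + v6)
    return out

if __name__ == "__main__":
    for name, body in generate_includes(SAMPLE_CLOUDFLARE_RANGES, SAMPLE_EXTRA_RANGES).items():
        print(f"# {name}\n{body}")
```

A real deployment would write each rendered body to /etc/nginx/include/ and reload nginx only when the content differs from the file already on disk, which is the "reload if changed" behaviour the script above describes.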

Installation

[!IMPORTANT]
Python 3.8+ and the Jinja2, requests and invoke modules are required

  dnf -y install python3 python3-pip ; \
  python3 -m pip install --no-input --upgrade-strategy eager --upgrade Jinja2 requests invoke ; \
  cd /opt ; git clone https://github.com/makhomed/nginx-cloudflare.git

Upgrade

  python3 -m pip install --no-input --upgrade-strategy eager --upgrade Jinja2 requests invoke ; \
  cd /opt/nginx-cloudflare ; git pull

Usage

  /opt/nginx-cloudflare/nginx-cloudflare

or, with additional trusted networks passed as arguments:

  /opt/nginx-cloudflare/nginx-cloudflare 172.21.0.0/16 2001:DB8:11:22::/64 2001:DB8:99:77::/64

Automation via cron

Configure a cron job, for example in the file /etc/cron.d/nginx-cloudflare:

  RANDOM_DELAY=360
  0 0 * * * root /opt/nginx-cloudflare/nginx-cloudflare

or

  RANDOM_DELAY=360
  0 0 * * * root /opt/nginx-cloudflare/nginx-cloudflare 172.21.0.0/16 2001:DB8:1:2::/64 2001:DB8:8:9::/64

nginx configuration in http context

  include /etc/nginx/include/cloudflare.conf;
  geo $realip_remote_addr $not_cloudflare {
      include /etc/nginx/include/not_cloudflare.conf;
  }

nginx configuration in server context

  if ($not_cloudflare) { return 444; }