ergin / nginx-cloudflare-real-ip Goto Github PK

This project aims to modify your nginx configuration to let you get the real ip address of your visitors.

License: Apache License 2.0

Shell 100.00%

nginx-cloudflare-real-ip's Introduction

Get Real Visitor IP Address (Restoring Visitor IPs) with Nginx and CloudFlare

This project aims to modify your nginx configuration to let you get the real ip address of your visitors for your web applications that behind of Cloudflare's reverse proxy network. Bash script can be scheduled to create an automated up-to-date Cloudflare ip list file.

To provide the client (visitor) IP address for every request to the origin, Cloudflare adds the "CF-Connecting-IP" header. We will catch the header and get the real ip address of the visitor.

Nginx Configuration

With a small configuration modification we can integrate replacing the real ip address of the visitor instead of getting CloudFlare's load balancers' ip addresses.

Open "/etc/nginx/nginx.conf" file with your favorite text editor and just add the following lines to your nginx.conf inside http{....} block.

include /etc/nginx/cloudflare;

The bash script may run manually or can be scheduled to refresh the ip list of CloudFlare automatically.

#!/bin/bash

CLOUDFLARE_FILE_PATH=/etc/nginx/cloudflare

echo "#Cloudflare" > $CLOUDFLARE_FILE_PATH;
echo "" >> $CLOUDFLARE_FILE_PATH;

echo "# - IPv4" >> $CLOUDFLARE_FILE_PATH;
for i in `curl -s -L https://www.cloudflare.com/ips-v4`; do
    echo "set_real_ip_from $i;" >> $CLOUDFLARE_FILE_PATH;
done

echo "" >> $CLOUDFLARE_FILE_PATH;
echo "# - IPv6" >> $CLOUDFLARE_FILE_PATH;
for i in `curl -s -L https://www.cloudflare.com/ips-v6`; do
    echo "set_real_ip_from $i;" >> $CLOUDFLARE_FILE_PATH;
done

echo "" >> $CLOUDFLARE_FILE_PATH;
echo "real_ip_header CF-Connecting-IP;" >> $CLOUDFLARE_FILE_PATH;

#test configuration and reload nginx
nginx -t && systemctl reload nginx

Output

Your "/etc/nginx/cloudflare" file may look like as below;

#Cloudflare ip addresses

# - IPv4
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;

# - IPv6
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;

real_ip_header CF-Connecting-IP;

Crontab

Change the location of "/opt/scripts/cloudflare-ip-whitelist-sync.sh" anywhere you want. CloudFlare ip addresses are automatically refreshed every day, and nginx will be realoded when synchronization is completed.

# Auto sync ip addresses of Cloudflare and reload nginx
30 2 * * * /opt/scripts/cloudflare-ip-whitelist-sync.sh >/dev/null 2>&1

License

Apache 2.0

DISCLAIMER

Please note: all tools/ scripts in this repo are released for use "AS IS" without any warranties of any kind, including, but not limited to their installation, use, or performance. We disclaim any and all warranties, either express or implied, including but not limited to any warranty of noninfringement, merchantability, and/ or fitness for a particular purpose. We do not warrant that the technology will meet your requirements, that the operation thereof will be uninterrupted or error-free, or that any errors will be corrected.

Any use of these scripts and tools is at your own risk. There is no guarantee that they have been through thorough testing in a comparable environment and we are not responsible for any damage or data loss incurred with their use.

You are responsible for reviewing and testing any scripts you run thoroughly before use in any non-testing environment.

Thanks,
Ergin BULUT

nginx-cloudflare-real-ip's People

Contributors

Stargazers

Watchers

Forkers

bugparty fliptalk thanatosdi kjra1707 ttys3 sumonst21 jackzhou121 adampielak asaq fadlee-archive rx7910 showfom andremoreno tiquqi0530 danibaumann sreejeshmohant madmesi muncherelli n0rthernl1ghts greenus onehostcloud goregrish pompermaier andrewnimmo juhlinus pindank 6run0 elieserme adamus1red phongjimmy raytracy bbcreation data-peace xiaoyumo rokoman rahimigit gojosatoru0x1 chrishardie jaba0x floder91 icquu spankders agemarks ashrafdev 0xben 5l1v3r1 backendrulz msti vpslala denis-ev lyh16 angajatco angajat-co labdiynez gustavmk glugluglu maxnomad ming86 heartshare adriatikmehmeti wenullapp wladimir-n vladonv ihor-lev musacanminaz tkt028 subnet lostonyx edrcq punkice3407 perovxp coresh catport leo-lin-wishmobile bat-bite o-kucheriavyi jaapmarcus kan0s ibrahims2 hxlxmjxbbxs wlmsx buunt volkansenturk2012 jthigh eltomat omerkoseoglu nghigd9 pvamos coyy samiurprapon bogwero rnavarro slamj1 gino-20 balintbanyasz rasatlas guillaumebriday blissjoe-gvsu naoray shopwhizzy

nginx-cloudflare-real-ip's Issues

Script stop working correctly.

Hello. The scripts works correctly, but I don't know when is stopped.
The problem IP addresses are missing in file /etc/nginx/cloudflare

[root@server ~]# cat /etc/nginx/cloudflare
#Cloudflare

- IPv4

- IPv6

real_ip_header CF-Connecting-IP;
[root@server ~]#

I try to download the script again, but its not working. If I run in manualy here is the output:

[root@server~]# /usr/scripts/cloudflare-sync-ips.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

but in the file /etc/nginx/cloudflare IPs are missing.

Solution to detect the real ip while blocking non cloudflare

I'll post here the final approach I took to get at the same time

Block non cloudflare IPs (per server)
Identify incoming ips
No need for a firewall
Add to nginx.conf (http scope):

geo $realip_remote_addr $cloudflare_ip {
        default          0;
        103.21.244.0/22  1;
        103.22.200.0/22  1;
        103.31.4.0/22    1;
        104.16.0.0/12    1;
        108.162.192.0/18 1;
        131.0.72.0/22    1;
        141.101.64.0/18  1;
        162.158.0.0/15   1;
        172.64.0.0/13    1;
        173.245.48.0/20  1;
        188.114.96.0/20  1;
        190.93.240.0/20  1;
        197.234.240.0/22 1;
        198.41.128.0/17  1;
        199.27.128.0/21  1;
    }

In the server block:

location /route/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:8051/;
        proxy_redirect off;
        if ($cloudflare_ip != 1) {
            return 403;
        }
        include /etc/nginx/snippets/allow_cloudflare.conf;
        deny all;
    }

Being allow_cloudflare.conf the following:

allow 103.21.244.0/22;
allow 103.22.200.0/22;
allow 103.31.4.0/22;
allow 104.16.0.0/12;
allow 108.162.192.0/18;
allow 131.0.72.0/22;
allow 141.101.64.0/18;
allow 162.158.0.0/15;
allow 172.64.0.0/13;
allow 173.245.48.0/20;
allow 188.114.96.0/20;
allow 190.93.240.0/20;
allow 197.234.240.0/22;
allow 198.41.128.0/17;

real_ip_header CF-Connecting-IP;

This works like a charm, if you still want extra security you can configure the firewall to block the other ips but it's not needed.

Alternative approach using sed and some for loop variables

Hello @ergin and thank you very much for your work on this script, I came across it a few times and finally implemented your research into my SlickStack script after several users asked for it.

This is not so much a feature request, but in case you wanted to share an alternative way to build cloudflare.conf using sed and an existing boilerplate, it seems to work okay...

Ref: https://github.com/littlebizzy/slickstack/blob/master/bash/ss-install-nginx-cloudflare-ips.txt

## ipv4 list ##
CLOUDFLARE_IPV4_LIST=$(for i in `curl -s -L https://www.cloudflare.com/ips-v4`; do
    echo "set_real_ip_from $i;" >> /tmp/ips-v4.txt;
done)

sed -i -e '/@CLOUDFLARE_IPV4_LIST/{r /tmp/ips-v4.txt' -e 'd' -e '}' "${TMP_CLOUDFLARE_CONF}"

## ipv6 list ##
CLOUDFLARE_IPV6_LIST=$(for i in `curl -s -L https://www.cloudflare.com/ips-v6`; do
    echo "set_real_ip_from $i;" >> /tmp/ips-v6.txt;
done)

sed -i -e '/@CLOUDFLARE_IPV6_LIST/{r /tmp/ips-v6.txt' -e 'd' -e '}' "${TMP_CLOUDFLARE_CONF}"

This is an example boilerplate:

https://github.com/littlebizzy/slickstack/blob/master/modules/nginx/includes/cloudflare-conf.txt

And the placeholders in the boilerplate @CLOUDFLARE_IPV4_LIST and @CLOUDFLARE_IPV6_LIST get replaced via sed using your nifty bash for loop and a few tmp files.

Anyway I had never used sed this way before so just wanted to share. Thanks!

P.S. we credited you in the script comments at the bottom

Run with NPM in docker container

Hello,

How do I run this when nginx proxy manager is running in a docker container?

I'm binding a folder into /etc/nginx/ and a data folder into /data. Within data, I created a file called http.conf in /data/nginx/custom added the following line to it (see here:

include /etc/nginx/cloudflare;

I added the file "cloudflare" to the folder I'm mounting to /etc/nginx/ like described in the instructions. I'm now struggling to create the cron tab to run the script. I found this, to setup a crontab, but it seems fairly complicated and I'm unsure whether it works or not.

After I setup everything, I connected to the sh shell of my container using portainer and ran the script, but I got this error:

nginx: error while loading shared libraries: libluajit-5.1.so.2: cannot open shared object file: No such file or directory

Also, I'd prefer to have this happen in real time so that my NPM logs reflect the real IPs right away.

Blocking connections not from cloudflare

This system works fine to add the source ip to the apache logs, the problem is that after this you can't block the traffic not comming from cloudflare because it's identified with the real ip. Have you accomplished this?