Cloudflare is a CDN, DNS, WAF, DDoS protection, and reverse proxy service. You need to use the ngx_http_realip_module module to change the client address sent in the specified header field such as CF-Connecting-IP or X-Forwarded-For. This shell script downloads a list of IPv4 and IPv6 address from Cloudflare and generates an updated /etc/nginx/cloudflare.real.ip.conf file:
#!/bin/bash # A simple shell script update Cloudflares IP addresses. # Tested on : Debian and Ubuntu servers and Nginx only # ---------------------------------------------------------------------------- # Author: Vivek Gite # Copyright: 2016 nixCraft under GNU GPL v2.0+ # ---------------------------------------------------------------------------- # Last updated 23 Apr 2017 # ---------------------------------------------------------------------------- ## source for IPv4 and IPv6 urls ## ipf='https://www.cloudflare.com/ips-v4' ips='https://www.cloudflare.com/ips-v6' ## temp file location ## t_ip_f="$(/bin/mktemp /tmp/cloudflare.XXXXXXXX)" t_ip_s="$(/bin/mktemp /tmp/cloudflare.XXXXXXXX)" ## nginx config for Cloudflare ## conf_out="/etc/nginx/cloudflare.real.ip.conf" ## grab files ## /usr/bin/wget -q -O $t_ip_f $ipf /usr/bin/wget -q -O $t_ip_s $ips ## generate it ## /usr/bin/awk '{ print "set_real_ip_from " $1 ";" }' $t_ip_f > $conf_out /usr/bin/awk '{ print "set_real_ip_from " $1 ";" }' $t_ip_s >> $conf_out echo 'real_ip_header CF-Connecting-IP;' >> $conf_out ## delete temp files ## [ -f "$t_ip_f" ] && /bin/rm -f $t_ip_f [ -f "$t_ip_s" ] && /bin/rm -f $t_ip_s ## reload nginx ## /bin/systemctl reload nginx
How do I use this script restore original visitor IP with Nginx?
Grab this script and store it somewhere like /root/bin/update.cloudflare.ip.sh. Install the following cronjob to update IPs every week:
@weekly /root/bin/update.cloudflare.ip.sh
Finally update your nginx.conf or domain specific config file /etc/nginx/sites-enabled/theos.in.conf
$ sudo vi /etc/nginx/sites-enabled/theos.in.conf
Append the following code in server/location context:
include "/etc/nginx/cloudflare.real.ip.conf";
Save and close the file. Run the script for first time:
$ sudo chmod +x /root/bin/update.cloudflare.ip.sh
$ sudo /root/bin/update.cloudflare.ip.sh
Here is a sample etc/nginx/cloudflare.real.ip.conf:
set_real_ip_from 103.21.244.0/22; set_real_ip_from 103.22.200.0/22; set_real_ip_from 103.31.4.0/22; set_real_ip_from 104.16.0.0/12; set_real_ip_from 108.162.192.0/18; set_real_ip_from 131.0.72.0/22; set_real_ip_from 141.101.64.0/18; set_real_ip_from 162.158.0.0/15; set_real_ip_from 172.64.0.0/13; set_real_ip_from 173.245.48.0/20; set_real_ip_from 188.114.96.0/20; set_real_ip_from 190.93.240.0/20; set_real_ip_from 197.234.240.0/22; set_real_ip_from 198.41.128.0/17; set_real_ip_from 199.27.128.0/21; set_real_ip_from 2400:cb00::/32; set_real_ip_from 2405:8100::/32; set_real_ip_from 2405:b500::/32; set_real_ip_from 2606:4700::/32; set_real_ip_from 2803:f800::/32; set_real_ip_from 2c0f:f248::/32; set_real_ip_from 2a06:98c0::/29; real_ip_header CF-Connecting-IP;