Shell script to update original visitor IP for nginx when using Cloudflare

Cloudflare is a CDN, DNS, WAF, DDoS protection, and reverse proxy service. When it sits in front of your server, nginx only sees connections from Cloudflare's edge addresses, so you need the ngx_http_realip_module module to replace the client address with the one carried in a header such as CF-Connecting-IP or X-Forwarded-For. That header must only be trusted when the connection actually comes from a Cloudflare address (set_real_ip_from), otherwise anyone could spoof their IP. This shell script downloads the current lists of Cloudflare IPv4 and IPv6 addresses and generates an updated /etc/nginx/cloudflare.real.ip.conf file:

#!/bin/bash
# A simple shell script to update Cloudflare's IP addresses for nginx.
# Tested on : Debian and Ubuntu servers and Nginx only
# ----------------------------------------------------------------------------
# Author: Vivek Gite 
# Copyright: 2016 nixCraft under GNU GPL v2.0+
# ----------------------------------------------------------------------------
# Last updated 23 Apr 2017
# ----------------------------------------------------------------------------
## source for IPv4 and IPv6 urls ##
ipf='https://www.cloudflare.com/ips-v4'
ips='https://www.cloudflare.com/ips-v6'
 
## temp file location ##
t_ip_f="$(/bin/mktemp /tmp/cloudflare.XXXXXXXX)"
t_ip_s="$(/bin/mktemp /tmp/cloudflare.XXXXXXXX)"
t_conf="$(/bin/mktemp /tmp/cloudflare.XXXXXXXX)"
 
## always delete temp files, even when we exit early ##
trap '/bin/rm -f "$t_ip_f" "$t_ip_s" "$t_conf"' EXIT
 
## nginx config for Cloudflare ##
conf_out="/etc/nginx/cloudflare.real.ip.conf"
 
## grab files; abort and keep the existing config if a download fails or is empty ##
/usr/bin/wget -q -O "$t_ip_f" "$ipf" || { echo "Failed to download $ipf" >&2; exit 1; }
/usr/bin/wget -q -O "$t_ip_s" "$ips" || { echo "Failed to download $ips" >&2; exit 1; }
[ -s "$t_ip_f" ] && [ -s "$t_ip_s" ] || { echo "Downloaded IP list is empty, not updating $conf_out" >&2; exit 1; }
 
## generate it into a temp file first; only lines that look like a CIDR become directives ##
/usr/bin/awk '$1 ~ /^[0-9a-fA-F.:]+\/[0-9]+$/ { print "set_real_ip_from " $1 ";" }' "$t_ip_f" > "$t_conf"
/usr/bin/awk '$1 ~ /^[0-9a-fA-F.:]+\/[0-9]+$/ { print "set_real_ip_from " $1 ";" }' "$t_ip_s" >> "$t_conf"
echo 'real_ip_header CF-Connecting-IP;' >> "$t_conf"
 
## install the new config, keeping a backup, and reload nginx only if the config test passes ##
[ -f "$conf_out" ] && /bin/cp "$conf_out" "$conf_out.bak"
/bin/cp "$t_conf" "$conf_out"
if ! /usr/sbin/nginx -t -q; then
    echo "nginx config test failed, restoring previous $conf_out" >&2
    [ -f "$conf_out.bak" ] && /bin/cp "$conf_out.bak" "$conf_out"
    exit 1
fi
 
## reload nginx ##
/bin/systemctl reload nginx

How do I use this script to restore the original visitor IP with Nginx?

Grab this script and store it somewhere like /root/bin/update.cloudflare.ip.sh. Install the following cronjob to update IPs every week:

@weekly /root/bin/update.cloudflare.ip.sh

Finally, update your nginx.conf or the domain specific config file, for example /etc/nginx/sites-enabled/theos.in.conf:
$ sudo vi /etc/nginx/sites-enabled/theos.in.conf
Append the following line in the http, server or location context:

include "/etc/nginx/cloudflare.real.ip.conf";

Save and close the file. Make the script executable and run it for the first time:
$ sudo chmod +x /root/bin/update.cloudflare.ip.sh
$ sudo /root/bin/update.cloudflare.ip.sh

Here is a sample /etc/nginx/cloudflare.real.ip.conf:

set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 199.27.128.0/21;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
real_ip_header CF-Connecting-IP;
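To see why the set_real_ip_from lines matter, here is an added Python model of the decision ngx_http_realip_module makes for a single-address header like CF-Connecting-IP. It is not part of the nixCraft script or of nginx itself; it parses a constructed, trimmed copy of the generated file above and shows that the header is honoured only when the TCP peer is inside a trusted range, that a connection arriving directly (bypassing Cloudflare) keeps its real peer address no matter what header it sends, and that an empty trust list, which is what a failed download could have produced with the unchecked script, silently disables the header.

```python
import ipaddress

# Constructed sample: a trimmed copy of the generated cloudflare.real.ip.conf
SAMPLE_CONF = """\
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 2606:4700::/32;
real_ip_header CF-Connecting-IP;
"""


def parse_realip_conf(text):
    """Return (trusted_networks, header_name) from realip-module directives."""
    trusted = []
    header = None
    for raw in text.splitlines():
        line = raw.strip().rstrip(";").strip()
        if not line or line.startswith("#"):
            continue
        directive, _, arg = line.partition(" ")
        arg = arg.strip()
        if directive == "set_real_ip_from":
            # strict=False tolerates host bits set in the prefix, as nginx does
            trusted.append(ipaddress.ip_network(arg, strict=False))
        elif directive == "real_ip_header":
            header = arg
    return trusted, header


def effective_client_ip(peer_addr, headers, trusted, header_name):
    """Model of the realip module for a header carrying one address.

    The header is used only when the TCP peer address lies inside one of the
    set_real_ip_from ranges; otherwise, or if the header is missing or not a
    valid address, the peer address itself is the client address.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not any(peer in net for net in trusted):
        return str(peer)  # untrusted peer: its header is ignored
    # HTTP header names are case-insensitive
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(header_name.lower())
    if value is None:
        return str(peer)
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return str(peer)  # malformed header value: keep the peer address


if __name__ == "__main__":
    nets, hdr = parse_realip_conf(SAMPLE_CONF)
    # constructed peers: one Cloudflare edge, one direct connection, one IPv6 edge
    cases = [
        ("103.21.244.10", {"CF-Connecting-IP": "203.0.113.5"}),
        ("198.51.100.7", {"CF-Connecting-IP": "203.0.113.5"}),
        ("2606:4700::1", {"CF-Connecting-IP": "2001:db8::9"}),
    ]
    for peer, headers in cases:
        print(peer, "->", effective_client_ip(peer, headers, nets, hdr))
```

The second case is the one that matters for access control and rate limiting: a client that reaches nginx directly and sends its own CF-Connecting-IP header still logs and is limited as 198.51.100.7, because that peer is not in the trusted list. Keeping that list current (and never empty) is exactly what the cron job above is for.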
