Cloudflare is a CDN, DNS, WAF, DDoS protection, and reverse proxy service. You need to use the ngx_http_realip_module module to change the client address sent in the specified header field such as CF-Connecting-IP or X-Forwarded-For. This shell script downloads a list of IPv4 and IPv6 address from Cloudflare and generates an updated /etc/nginx/cloudflare.real.ip.conf file:
#!/bin/bash # A simple shell script update Cloudflares IP addresses. # Tested on : Debian and Ubuntu servers and Nginx only # ---------------------------------------------------------------------------- # Author: Vivek Gite # Copyright: 2016 nixCraft under GNU GPL v2.0+ # ---------------------------------------------------------------------------- # Last updated 23 Apr 2017 # ---------------------------------------------------------------------------- ## source for IPv4 and IPv6 urls ## ipf='https://www.cloudflare.com/ips-v4' ips='https://www.cloudflare.com/ips-v6' ## temp file location ## t_ip_f="$(/bin/mktemp /tmp/cloudflare.XXXXXXXX)" t_ip_s="$(/bin/mktemp /tmp/cloudflare.XXXXXXXX)" ## nginx config for Cloudflare ## conf_out="/etc/nginx/cloudflare.real.ip.conf" ## grab files ## /usr/bin/wget -q -O $t_ip_f $ipf /usr/bin/wget -q -O $t_ip_s $ips ## generate it ## /usr/bin/awk '{ print "set_real_ip_from " $1 ";" }' $t_ip_f > $conf_out /usr/bin/awk '{ print "set_real_ip_from " $1 ";" }' $t_ip_s >> $conf_out echo 'real_ip_header CF-Connecting-IP;' >> $conf_out ## delete temp files ## [ -f "$t_ip_f" ] && /bin/rm -f $t_ip_f [ -f "$t_ip_s" ] && /bin/rm -f $t_ip_s ## reload nginx ## /bin/systemctl reload nginx
How do I use this script restore original visitor IP with Nginx?
Grab this script and store it somewhere like /root/bin/update.cloudflare.ip.sh. Install the following cronjob to update IPs every week:
@weekly /root/bin/update.cloudflare.ip.sh
Finally update your nginx.conf or domain specific config file /etc/nginx/sites-enabled/theos.in.conf
$ sudo vi /etc/nginx/sites-enabled/theos.in.conf
Append the following code in server/location context:
include "/etc/nginx/cloudflare.real.ip.conf";
Save and close the file. Run the script for first time:
$ sudo chmod +x /root/bin/update.cloudflare.ip.sh
$ sudo /root/bin/update.cloudflare.ip.sh
Here is a sample etc/nginx/cloudflare.real.ip.conf:
set_real_ip_from 103.21.244.0/22; set_real_ip_from 103.22.200.0/22; set_real_ip_from 103.31.4.0/22; set_real_ip_from 104.16.0.0/12; set_real_ip_from 108.162.192.0/18; set_real_ip_from 131.0.72.0/22; set_real_ip_from 141.101.64.0/18; set_real_ip_from 162.158.0.0/15; set_real_ip_from 172.64.0.0/13; set_real_ip_from 173.245.48.0/20; set_real_ip_from 188.114.96.0/20; set_real_ip_from 190.93.240.0/20; set_real_ip_from 197.234.240.0/22; set_real_ip_from 198.41.128.0/17; set_real_ip_from 199.27.128.0/21; set_real_ip_from 2400:cb00::/32; set_real_ip_from 2405:8100::/32; set_real_ip_from 2405:b500::/32; set_real_ip_from 2606:4700::/32; set_real_ip_from 2803:f800::/32; set_real_ip_from 2c0f:f248::/32; set_real_ip_from 2a06:98c0::/29; real_ip_header CF-Connecting-IP;
References
- RSS feed or Weekly email newsletter
- Share to Twitter • Facebook • 0 comments... add one ↓
Script to update user password in batch mode using pwgen and chpasswd
Linux/Unix bash shell script to purge Cloudflare url/images from the…
Shell Script To Start FastCGI PHP Server For Nginx Web Server
Nginx Shell Script To Block Spamhaus Lasso Drop Spam IP Address
nginx Chroot Helper Bash Shell Script To Copy Libs To /lib64 and /usr/lib64
RHEL / CentOS Linux: Nginx Chroot Jail Start / Stop / Restart Shell Script
| Category | List of Unix and Linux commands |
|---|---|
| File Management | cat |
| Firewall | CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04 |
| Network Utilities | dig • host • ip • nmap |
| OpenVPN | CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04 |
| Package Manager | apk • apt |
| Processes Management | bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time |
| Searching | grep • whereis • which |
| User Information | groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w |
| WireGuard VPN | CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04 |