nginx geo whitelist and ssl snakeoil
openssl req -x509 -newkey rsa:4096 -nodes -sha256 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem -days 3650 -subj "/CN=<$PUBLIC_IP_ADDRESS>"
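# Map the *verified* client address to 1 for allow-listed sources, 0 otherwise.
# Keyed on $remote_addr (the default for geo) rather than $http_cf_connecting_ip
# on purpose: the raw header is attacker-controlled, while $remote_addr is only
# rewritten by the realip module below when the TCP peer is a trusted Cloudflare
# edge. A client that reaches the origin directly keeps its true source address
# and falls through to "default 0".
geo $allowedip {
    default 0;
    1.2.3.4 1;
    5.6.7.8 1;
}

server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;

    # Only honour CF-Connecting-IP when the connection itself comes from a
    # Cloudflare edge. The original "set_real_ip_from 0.0.0.0/0" let any direct
    # client forge the header and walk straight past the allow-list.
    # These are Cloudflare's published ranges; verify against
    # https://www.cloudflare.com/ips-v4/ and https://www.cloudflare.com/ips-v6/
    # and refresh them when the list changes.
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 104.16.0.0/13;
    set_real_ip_from 104.24.0.0/14;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2405:8100::/32;
    set_real_ip_from 2a06:98c0::/29;
    set_real_ip_from 2c0f:f248::/32;
    real_ip_header CF-Connecting-IP;

    # Reject everything that is not on the allow-list. "if" at server level is
    # safe here because the only action is "return".
    if ($allowedip = 0) {
        return 403;
    }

    # Self-signed origin cert: accepted by Cloudflare "Full" mode, rejected by
    # "Full (strict)" (use a Cloudflare Origin CA cert for that). Port 80 is
    # still served in clear; enforce HTTPS at Cloudflare ("Always Use HTTPS")
    # rather than redirecting here, which would loop under "Flexible" mode.
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    ssl_protocols TLSv1.2 TLSv1.3; # older nginx builds still default to offering TLSv1/1.1

    client_max_body_size 100M; # allow huge uploads, up to 100MB
    root /home/user/app/public; # serve static files from public dir with nginx
    try_files $uri @next; # serve static files with nginx, fall back to Next.js when not found

    location @next {
        proxy_set_header Host $http_host;
        # $remote_addr is the realip-verified address; $http_cf_connecting_ip
        # would forward whatever the client chose to send.
        proxy_set_header X-Real-IP $remote_addr;
        # Appends $remote_addr to any incoming X-Forwarded-For, which the client
        # controls; the app should read X-Real-IP, or only the last XFF hop.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:3000;
    }

    #location /api {
    #    include proxy_params;
    #    proxy_pass http://127.0.0.1:3001;
    #}
    #location /images/ {
    #    root /home/user/app/public/; # will serve files in /path/to/public/images
    #}
}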

majudhu commented Oct 4, 2023

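# Alternative to the geo map: plain allow/deny on the realip-rewritten
# $remote_addr. This is only sound when set_real_ip_from is limited to
# Cloudflare's edges; with 0.0.0.0/0 any direct client can send
# "CF-Connecting-IP: 1.2.3.4" and be admitted.
# Build the include from the published lists linked below and refresh it when
# they change, e.g.
#   { curl -s https://www.cloudflare.com/ips-v4/; echo; curl -s https://www.cloudflare.com/ips-v6/; } \
#     | sed '/^$/d; s/^/set_real_ip_from /; s/$/;/' > /etc/nginx/cloudflare-real-ip.conf
include /etc/nginx/cloudflare-real-ip.conf;
real_ip_header CF-Connecting-IP;
allow 1.2.3.4;
deny all;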

https://www.cloudflare.com/ips-v4/
https://www.cloudflare.com/ips-v6/
