@mkg20001
Last active April 5, 2024 07:41
A script to generate a config to allow or additionally allow cloudflare addresses for a specific domain
#!/bin/bash
# Abort on any error, including a failing curl inside a pipeline, so that a
# failed download can never turn into a config that denies all traffic.
set -eo pipefail

cf_ips() {
  echo "# https://www.cloudflare.com/ips"
  for type in v4 v6; do
    echo "# IP$type"
    # -f makes curl exit non-zero on an HTTP error instead of printing an empty body
    curl -sfL "https://www.cloudflare.com/ips-$type/" | sed "s|^|allow |g" | sed "s|\$|;|g"
    echo
  done
  echo "# Generated at $(LC_ALL=C date)"
}

# Write to a temporary file first so the live config is only replaced on success
cf_ips > allow-cloudflare.conf.tmp
mv allow-cloudflare.conf.tmp allow-cloudflare.conf

(cf_ips && echo "deny all; # deny all remaining ips") > allow-cloudflare-only.conf.tmp
mv allow-cloudflare-only.conf.tmp allow-cloudflare-only.conf
@poldim

poldim commented Jun 14, 2021

I'm using real_ip_header CF-Connecting-IP to configure my client IP as the WAN IP of the external device making the request. But this will never match the allow list your script generates. Any idea how to check in which header CF is passing along its IP request? I'd then need to set nginx to check that header against this allow list.

@mischa78

mischa78 commented Feb 23, 2022

For some reason https://www.cloudflare.com/ips-$type could not be read, because of which this script generated a config file that blocked all traffic, effectively taking down my site. Is there anything we can do to prevent this?

@zhil

zhil commented Feb 23, 2022

IP list URLs changed - slash added.
From https://www.cloudflare.com/ips-v4 to https://www.cloudflare.com/ips-v4/

@mkg20001 (Author)

thx, updated the script

@mischa78

mischa78 commented Feb 23, 2022

Shouldn't there be a check that curl returns a 200 status before overwriting the conf file?

@poldim

poldim commented Feb 23, 2022

thanks @zhil - this probably saved a future me a good bit of troubleshooting

@gingerlime

@poldim how did you resolve the issue with blocking the proxied (X-Forwarded-For) IPs vs real IPs?

@poldim

poldim commented Sep 25, 2022

@poldim how did you resolve the issue with blocking the proxied (X-Forwarded-For) IPs vs real IPs?

On each server block, I check if the IP is coming from a known list of CF IPs, and non-CF IPs get 403s: if ($cloudflare_ip != 1) { return 403; }

@gingerlime

Thank you @poldim. Sorry if this is a dumb question, but how do you populate $cloudflare_ip? Would you be able to share a snippet?

@poldim

poldim commented Sep 26, 2022

Take a look at this: ergin/nginx-cloudflare-real-ip#3
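For the two open questions in this thread, how $cloudflare_ip gets populated and whether the config should be checked before it is overwritten, here is an added example that is not part of the gist or of the linked issue: a POSIX shell function that turns the raw Cloudflare IP list into an nginx geo block keyed on $realip_remote_addr (the original peer address that nginx's realip module keeps after real_ip_header CF-Connecting-IP rewrites $remote_addr), and that fails instead of writing anything when the list is empty or malformed. The sample list, the function names and the output file name are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the gist: convert a raw Cloudflare IP list into an
# nginx "geo" map that sets $cloudflare_ip to 1 for Cloudflare edge addresses.
# It emits nothing and returns 1 if the input is empty or a line is not
# CIDR-shaped, so a failed download cannot produce a map that marks every
# client as non-Cloudflare (or, with the gist's allow list, a deny-all config).

# Reads CIDRs on stdin, prints the geo block on stdout.
cf_geo_map() {
  count=0
  body=""
  nl='
'
  # "|| [ -n "$line" ]" keeps the last entry even when the list has no final newline
  while IFS= read -r line || [ -n "$line" ]; do
    [ -n "$line" ] || continue
    case "$line" in
      # Shape check only: hex digits, dots, colons and exactly one prefix length
      *[!0-9a-fA-F.:/]*|*/|/*|*/*/*) echo "cf_geo_map: invalid entry: $line" >&2; return 1 ;;
      */*) ;;
      *) echo "cf_geo_map: missing prefix length: $line" >&2; return 1 ;;
    esac
    body="$body    $line 1;$nl"
    count=$((count + 1))
  done
  if [ "$count" -eq 0 ]; then
    echo "cf_geo_map: empty IP list, refusing to write a map" >&2
    return 1
  fi
  # $realip_remote_addr still holds the Cloudflare edge address after
  # real_ip_header CF-Connecting-IP has replaced $remote_addr with the visitor IP.
  printf 'geo $realip_remote_addr $cloudflare_ip {\n    default 0;\n%s}\n' "$body"
}

# Constructed sample list for a stand-alone run (not fetched from Cloudflare).
# A real run pipes the ips-v4 and ips-v6 downloads (curl -sfL) into cf_geo_map.
SAMPLE_LIST='173.245.48.0/20
103.21.244.0/22
2400:cb00::/32'

cf_geo_map_sample() { printf '%s\n' "$SAMPLE_LIST" | cf_geo_map; }

cf_geo_map_sample
```

The resulting block goes in the http context, after which a server block can keep poldim's check, if ($cloudflare_ip != 1) { return 403; }, while $remote_addr still carries the real visitor IP for logging.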
