#!/bin/bash
# Exit on any error, including a failed command inside a pipeline.
set -e
set -o pipefail

# Print the current Cloudflare IPv4 and IPv6 ranges as nginx "allow" directives.
cf_ips() {
    echo "# https://www.cloudflare.com/ips"
    for type in v4 v6; do
        echo "# IP$type"
        # -f makes curl exit non-zero on an HTTP error instead of passing the
        # error page through sed, so a bad response cannot become a config.
        curl -fsSL "https://www.cloudflare.com/ips-$type/" | sed "s|^|allow |g" | sed "s|\$|;|g"
        echo
    done
    echo "# Generated at $(LC_ALL=C date)"
}

# Both redirections truncate the target before cf_ips runs, so check the
# script's exit status before reloading nginx.
cf_ips > allow-cloudflare.conf
(cf_ips && echo "deny all; # deny all remaining ips") > allow-cloudflare-only.conf
IP list URLs changed - slash added.
from https://www.cloudflare.com/ips-v4 to https://www.cloudflare.com/ips-v4/
thx, updated the script
Shouldn't there be a check that curl returns a 200 status before overwriting the conf file?
thanks @zhil - this probably saved a future me a good bit of troubleshooting
@poldim how did you resolve the issue with blocking the proxied (X-Forwarded-For) IPs vs real IPs?
On each server block, I check if the IP is coming from a known list of CF IPs, and non-CF IPs get 403s: if ($cloudflare_ip != 1) { return 403; }
Thank you @poldim. Sorry if this is a dumb question, but how do you populate $cloudflare_ip? Would you be able to share a snippet?
Take a look at this: ergin/nginx-cloudflare-real-ip#3
For some reason https://www.cloudflare.com/ips-$type could not be read, because of which this script generated a config file that blocked all traffic, effectively taking down my site. Is there anything we can do to prevent this?
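The last two comments (the missing status check, and the outage caused by an unreadable list) both come down to the same gap: the gist writes whatever curl returns straight over the live config. The script below is an added example, not the gist's own code, showing one way to close that gap: fetch each list into a variable, accept it only if every line is a plausible CIDR range and the list is non-empty, build the config in a temp file, and rename it over the target only when everything succeeded. The function names (validate_cidrs, render_allow, fetch_list, generate_conf) and the optional fetcher argument are this example's own; the URLs and output format are the ones the gist uses.

```shell
#!/bin/bash
# Added example (not the gist's code): a fail-closed generator for the
# Cloudflare allow list. A failed or malformed fetch exits non-zero and
# leaves the previous config file untouched.
set -eu

# Accept only IPv4 or IPv6 CIDR ranges on stdin and require at least one.
# An HTML error page, an empty body or a redirect notice fails here.
validate_cidrs() {
  local n=0 line
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in '') continue ;; esac
    if ! printf '%s\n' "$line" | grep -Eq \
        '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$|^[0-9A-Fa-f:]+/[0-9]{1,3}$'; then
      echo "invalid entry: $line" >&2
      return 1
    fi
    n=$((n + 1))
  done
  [ "$n" -gt 0 ]
}

# Turn one CIDR per line into nginx "allow" directives.
render_allow() {
  sed -e 's|^|allow |' -e 's|$|;|'
}

# Fetch one address family's list; -f turns HTTP errors into a non-zero exit.
fetch_list() {
  curl -fsSL --max-time 20 "https://www.cloudflare.com/ips-$1/"
}

# generate_conf TARGET yes|no [FETCHER]
# Builds the config in a temp file beside TARGET and renames it over TARGET
# only when both lists fetched and validated. FETCHER is a function taking
# v4|v6 (defaults to fetch_list; a constructed one can be passed for testing).
generate_conf() {
  local target="$1" deny_rest="$2" fetcher="${3:-fetch_list}"
  local tmp family list
  tmp="$(mktemp "${target}.XXXXXX")"
  {
    echo "# https://www.cloudflare.com/ips"
    for family in v4 v6; do
      echo "# IP$family"
      # Capture first so validation happens before anything is rendered.
      if ! list="$("$fetcher" "$family")" || ! printf '%s\n' "$list" | validate_cidrs; then
        echo "refusing to write $target: bad $family list" >&2
        rm -f "$tmp"
        return 1
      fi
      printf '%s\n' "$list" | render_allow
      echo
    done
    if [ "$deny_rest" = yes ]; then
      echo "deny all; # deny all remaining ips"
    fi
    echo "# Generated at $(LC_ALL=C date)"
  } > "$tmp"
  mv -f "$tmp" "$target"
}

# Only touches the network when invoked as: bash cf-allow.sh generate
case "${1:-}" in
  generate)
    generate_conf allow-cloudflare.conf no
    generate_conf allow-cloudflare-only.conf yes
    ;;
esac
```

Run it as bash cf-allow.sh generate; with no argument it only defines the functions. Validating before rendering matters more than the HTTP status alone: a 200 that carries an empty body or a maintenance page would still have produced a config with nothing but "deny all;", which is exactly the outage described above. The temp file plus mv means nginx never sees a half-written file, and a non-zero exit gives whatever runs the script (cron, a deploy step) something to alert on before any reload.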