Last active
April 5, 2024 07:41
-
-
Save mkg20001/1a4f0a5a3f55c194cc4998019edfa62a to your computer and use it in GitHub Desktop.
A script to generate a config to allow or additionally allow cloudflare addresses for a specific domain
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -e | |
| cf_ips() { | |
| echo "# https://www.cloudflare.com/ips" | |
| for type in v4 v6; do | |
| echo "# IP$type" | |
| curl -sL "https://www.cloudflare.com/ips-$type/" | sed "s|^|allow |g" | sed "s|\$|;|g" | |
| echo | |
| done | |
| echo "# Generated at $(LC_ALL=C date)" | |
| } | |
| cf_ips > allow-cloudflare.conf | |
| (cf_ips && echo "deny all; # deny all remaining ips") > allow-cloudflare-only.conf |
@poldim how did you resolve the issue with blocking the proxied (X-Forwarded-For) IPs vs real IPs?
@poldim how did you resolve the issue with blocking the proxied (X-Forwarded-For) IPs vs real IPs?
On each server block, I check if the IP is coming from a known list of CF IPs and non CF IPs get 403s: if ($cloudflare_ip != 1) { return 403; }
Thank you @poldim. Sorry if this is a dumb question, but how do you populate $cloudflare_ip? would you be able to share a snippet?
Take a look at this: ergin/nginx-cloudflare-real-ip#3
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
thanks @zhil - this probably saved a future me a good bit of troubleshooting