Skip to content

Instantly share code, notes, and snippets.

@WoozyMasta

WoozyMasta/README.md

Last active May 23, 2023 20:02
Show Gist options
  • Save WoozyMasta/602035f50156a812c20e259189da1422 to your computer and use it in GitHub Desktop.
Save WoozyMasta/602035f50156a812c20e259189da1422 to your computer and use it in GitHub Desktop.
Download ZIP
Script for Nginx/Openresty to restore up-to-date source IP addresses of visitors from Cloudflare
Raw
README.md

Renew source IP addresses from Cloudflare

Script for Nginx/Openresty to restore up-to-date source IP addresses of visitors from Cloudflare

Installation

Set params like NGINX_BIN_PATH and CLOUDFLARE_CONFIG_PATH

echo "NGINX_BIN_PATH=/usr/bin/openresty" > /etc/cloudflare-real-ip-update.env

Create dirs

mkdir -p /etc/nginx/includes.d /opt/scripts

Download files

gist_url=https://gist.githubusercontent.com/WoozyMasta/602035f50156a812c20e259189da1422
script_name=cloudflare-real-ip-update

get_gist() { curl -sSfL "$gist_url/raw/$2" -o "$1/$2"; }

# Download files
get_gist /etc/systemd/system "$script_name.service"
get_gist /etc/systemd/system "$script_name.timer"
get_gist /opt/scripts "$script_name.sh"
chmod +x /opt/scripts/"$script_name.sh"

Edit nginx.conf, comment real_ip_header and real_ip_recursive if exists and add include for cloudflare-ip.conf

{
  ...
  # real_ip_header      X-Forwarded-For;
  # real_ip_recursive   on;
  include  includes.d/cloudflare-ip.conf;
}

Edit timer shedule if needed

editor "/etc/systemd/system/$script_name.timer"

Try execute script and check output and Nginx config

/opt/scripts/cloudflare-real-ip-update.sh
less /etc/nginx/includes.d/cloudflare-ip.conf

nginx -t
# or
openresty -t

Enable service

systemctl enable "$script_name.timer"
Raw
cloudflare-real-ip-update.service
[Unit]
Description=Renew source IP addresses from Cloudflare
Wants=cloudflare-real-ip-update.timer
Documentation=https://gist.github.com/WoozyMasta/602035f50156a812c20e259189da1422
[Service]
Type=oneshot
EnvironmentFile=-/etc/cloudflare-real-ip-update.env
ExecStart=/opt/scripts/cloudflare-real-ip-update.sh
[Install]
WantedBy=multi-user.target
Raw
cloudflare-real-ip-update.sh
#!/usr/bin/env bash
# Renew source IP addresses from Cloudflare
# https://gist.github.com/WoozyMasta/602035f50156a812c20e259189da1422
# Script for Nginx/Openresty to restore up-to-date
# source IP addresses of visitors from Cloudflare
#
# nginx.conf:
# include includes.d/cloudflare-ip.conf;
set -eu
: "${CLOUDFLARE_CONFIG_PATH:=/etc/nginx/includes.d/cloudflare-ip.conf}"
: "${CLOUDFLARE_URL:=https://www.cloudflare.com}"
: "${NGINX_BIN_PATH:=/usr/bin/openresty}"
_cfg="$CLOUDFLARE_CONFIG_PATH"
comment() { printf '# %s\n' "$1" >> "$_cfg"; }
param() { printf '%s\t%s;\n' "$1" "$2" >> "$_cfg"; }
# Get controll sum of exists config
[ -f "$_cfg" ] && mapfile -td ' ' sum < <(md5sum "$_cfg")
# Get IP lists before config changed
mapfile -t ip4 < <(curl -sSfL "$CLOUDFLARE_URL/ips-v4")
mapfile -t ip6 < <(curl -sSfL "$CLOUDFLARE_URL/ips-v6")
# Write config
: > "$_cfg"
comment 'Cloudflare Restoring original visitor IPs'
param real_ip_header CF-Connecting-IP
param real_ip_recursive on
echo >> "$_cfg"
comment 'IPv4'
for ip in "${ip4[@]}"; do param set_real_ip_from "$ip"; done
echo >> "$_cfg"
comment 'IPv4'
for ip in "${ip6[@]}"; do param set_real_ip_from "$ip"; done
# Get controll sum of updatet config
mapfile -td ' ' new_sum < <(md5sum "$_cfg")
# Reload Nginx if controll sum changed
if [ "${sum[0]}" != "${new_sum[0]}" ] && [ -x "$NGINX_BIN_PATH" ]; then
"$NGINX_BIN_PATH" -t
"$NGINX_BIN_PATH" -s reload
fi
Raw
cloudflare-real-ip-update.timer
[Unit]
Description=Renew source IP addresses from Cloudflare
[Timer]
Unit=cloudflare-real-ip-update.service
Persistent=true
OnCalendar=*-*-* 1:00
RandomizedDelaySec=1h
Persistent=true
[Install]
WantedBy=timers.target
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment