Created
October 13, 2023 15:59
A shell script to restore original visitor IPs to Apache/Nginx web servers behind Cloudflare's reverse proxy
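#!/bin/bash
# Restore original visitor IPs to your logs
# https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/
#
# Security note: every address written by this script becomes a proxy that the
# web server trusts to supply the client IP through the CF-Connecting-IP
# header. The downloaded lists are therefore validated before anything is
# written, the script aborts rather than write an empty or malformed trust
# list, and a server is only reloaded after its config test has passed.

# Conf file locations
CLOUDFLARE_NGINX="/etc/nginx/conf.d/real_ip.conf"
CLOUDFLARE_APACHE="/etc/apache2/conf-available/remoteip.conf"

# Shape every downloaded entry must have (address/prefix-length).
CIDR4_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
CIDR6_RE='^[0-9A-Fa-f:]+/[0-9]{1,3}$'

# Print a message on stderr and stop the script.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Download one Cloudflare IP list and validate it.
# Arguments: $1 - URL of the list
#            $2 - extended regex each entry must match
# Outputs:   the entries, one per line, on stdout
# Returns:   0 if the download succeeded and every entry matched,
#            1 on download failure, an empty list or any unexpected entry
#######################################
fetch_ip_list() {
  local url=$1 pattern=$2 body entry
  local -a entries=()

  # -f turns HTTP errors into a failure instead of handing back an error page;
  # the --proto options keep the request and any redirect on HTTPS.
  body=$(curl -fsSL --proto '=https' --proto-redir '=https' "$url") || return 1

  # Split on whitespace without globbing; read returns non-zero at EOF.
  read -r -d '' -a entries <<< "$body" || true
  (( ${#entries[@]} > 0 )) || return 1

  # Anything that is not a plain CIDR would end up inside a config directive,
  # so reject the whole list instead of skipping the entry.
  for entry in "${entries[@]}"; do
    [[ "$entry" =~ $pattern ]] || return 1
  done

  printf '%s\n' "${entries[@]}"
}

#######################################
# Replace a config file with the content read from stdin.
# The content goes to a temporary file next to the target first, so a failed
# or interrupted write never leaves a half-written file in place.
# Arguments: $1 - path of the config file to replace
# Returns:   0 on success, 1 if the file could not be written
#######################################
install_conf() {
  local target=$1 tmp
  tmp=$(mktemp "${target}.XXXXXX") || return 1
  if cat > "$tmp" && chmod 0644 "$tmp" && mv -f -- "$tmp" "$target"; then
    return 0
  fi
  rm -f -- "$tmp"
  return 1
}

#######################################
# Write the mod_remoteip config for Apache, enable it and reload Apache.
# Globals:   CLOUDFLARE_APACHE, IPV4, IPV6 (read)
# Returns:   0 on success or when the user declines, 1 on any failure
#######################################
configure_apache() {
  local answer

  echo "Apache found. Note that Apache requires mod_remoteip to be configured first."
  echo "Please see https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/#mod_remoteip for more details."
  echo "This script *only* takes care of steps 4 to 7 for you."
  read -r -p "Please only continue if you have already performed steps 1 to 3 (y/N): " answer
  if [[ $answer != [Yy] ]]; then
    echo "Apache2 configuration canceled."
    return 0
  fi

  echo "Writing IPs to ${CLOUDFLARE_APACHE} ... "
  if ! {
    echo "# Cloudflare original visitor IPs"
    echo ""
    echo "RemoteIPHeader CF-Connecting-IP"
    echo ""
    echo "# IPv4"
    printf 'RemoteIPTrustedProxy %s\n' "${IPV4[@]}"
    echo ""
    echo "# IPv6"
    printf 'RemoteIPTrustedProxy %s\n' "${IPV6[@]}"
  } | install_conf "$CLOUDFLARE_APACHE"; then
    echo "Could not write ${CLOUDFLARE_APACHE}." >&2
    return 1
  fi
  echo "Done."

  # Enable config
  echo "Enabling remoteip module."
  if ! a2enconf remoteip; then
    echo "a2enconf failed; Apache was not reloaded." >&2
    return 1
  fi

  # Test and restart: reload only a configuration that passed the test.
  echo "Testing config and restarting Apache."
  if ! apache2ctl -t; then
    echo "Apache config test failed; Apache was not reloaded." >&2
    return 1
  fi
  if ! systemctl reload apache2; then
    echo "Reloading Apache failed." >&2
    return 1
  fi
  echo "Completed."
}

#######################################
# Write the real_ip config for Nginx and reload Nginx.
# Globals:   CLOUDFLARE_NGINX, IPV4, IPV6 (read)
# Returns:   0 on success, 1 on any failure
#######################################
configure_nginx() {
  echo "Nginx found. Writing IPs to ${CLOUDFLARE_NGINX} ... "
  if ! {
    echo "# Cloudflare original visitor IPs"
    echo ""
    echo "# IPv4"
    printf 'set_real_ip_from %s;\n' "${IPV4[@]}"
    echo ""
    echo "# IPv6"
    printf 'set_real_ip_from %s;\n' "${IPV6[@]}"
    echo ""
    echo "real_ip_header CF-Connecting-IP;"
  } | install_conf "$CLOUDFLARE_NGINX"; then
    echo "Could not write ${CLOUDFLARE_NGINX}." >&2
    return 1
  fi
  echo "Done."

  # Test and reload: reload only a configuration that passed the test.
  echo "Testing config and reloading Nginx."
  if ! nginx -t; then
    echo "Nginx config test failed; Nginx was not reloaded." >&2
    return 1
  fi
  if ! systemctl reload nginx; then
    echo "Reloading Nginx failed." >&2
    return 1
  fi
  echo "Completed."
}

# Download IP lists (txt files). Nothing is written unless both lists are valid.
ipv4_raw=$(fetch_ip_list "https://www.cloudflare.com/ips-v4" "$CIDR4_RE") \
  || die "Could not download a valid IPv4 list from Cloudflare; nothing was changed."
ipv6_raw=$(fetch_ip_list "https://www.cloudflare.com/ips-v6" "$CIDR6_RE") \
  || die "Could not download a valid IPv6 list from Cloudflare; nothing was changed."
mapfile -t IPV4 <<< "$ipv4_raw"
mapfile -t IPV6 <<< "$ipv6_raw"

status=0

# Web server detection
# Apache
if command -v apachectl &> /dev/null; then
  configure_apache || status=1
else
  echo "Apache2 not found."
fi

# Nginx
if command -v nginx &> /dev/null; then
  configure_nginx || status=1
else
  echo "Nginx not found."
fi

exit "$status"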
Assumes default install locations of Apache and Nginx on Ubuntu (tested on 18, 20, and 22). You'll need to edit this script if yours are different.
Usage: