Inspired by openoms tips box : http://tips.diynodes.com
If you already have a domain name set up with Cloudflare.com, you can do this easily and for free, without paying for a VPN.
(for the example my domain is spiritualcomputing.com, be sure to replace it with yours) :
Go to Cloudflare, open the DNS page, and add 2 A records to your domain:
NAME tips your_isp_public_ip
NAME pay your_isp_public_ip
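Be sure traffic is proxied (it is by default), so that lookups for these two names return Cloudflare addresses instead of your ISP IP. Any other non-proxied record on the domain that points at the same IP would still reveal it.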
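On your ISP router, add a port-forwarding rule:
forward external port 80 to port 23010 on the IP of the raspiblitz
Note that only port 80 is forwarded, so the hop from Cloudflare to your router is plain HTTP (this presumably relies on Cloudflare's "Flexible" SSL/TLS mode). Visitors see HTTPS in the browser, but the traffic between Cloudflare and your home connection is not encrypted.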
On the raspiblitz 1.6.2
sudo vim /etc/nginx/sites-available/spiritualcomputing.conf
# Plain-HTTP virtual host that fronts BTCPay Server for pay.spiritualcomputing.com.
# The listen lines carry no "ssl" flag, so whatever connects to port 23010
# (Cloudflare's proxy, in this guide) talks to nginx unencrypted.
server {
    listen 23010;
    listen [::]:23010;
    server_name pay.spiritualcomputing.com;
    access_log /var/log/nginx/access_btcpay.log;
    error_log /var/log/nginx/error_btcpay.log;
    location / {
        # Upstream hop is HTTPS on loopback. proxy_ssl_verify is not set in this block,
        # so unless it is enabled elsewhere nginx does not validate the backend certificate.
        proxy_pass https://127.0.0.1:23001; # check btcpayserver port on your raspiblitz with menu -> BTCPay Server Info
        #https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs-Logging-visitor-IP-addresses-with-mod-cloudflare-
        # Peers in these ranges are trusted to supply the visitor address via the header
        # named in real_ip_header below; for any other peer $remote_addr stays the socket address.
        # NOTE(review): this is a point-in-time copy of Cloudflare's ranges. Compare it with
        # the published list (https://www.cloudflare.com/ips/) and refresh it periodically;
        # a stale entry either trusts a range Cloudflare no longer uses or logs a
        # Cloudflare edge address instead of the visitor.
        set_real_ip_from 103.21.244.0/22;
        set_real_ip_from 103.22.200.0/22;
        set_real_ip_from 103.31.4.0/22;
        set_real_ip_from 104.16.0.0/12;
        set_real_ip_from 108.162.192.0/18;
        set_real_ip_from 131.0.72.0/22;
        set_real_ip_from 141.101.64.0/18;
        set_real_ip_from 162.158.0.0/15;
        set_real_ip_from 172.64.0.0/13;
        set_real_ip_from 173.245.48.0/20;
        set_real_ip_from 188.114.96.0/20;
        set_real_ip_from 190.93.240.0/20;
        set_real_ip_from 197.234.240.0/22;
        set_real_ip_from 198.41.128.0/17;
        set_real_ip_from 2400:cb00::/32;
        set_real_ip_from 2606:4700::/32;
        set_real_ip_from 2803:f800::/32;
        set_real_ip_from 2405:b500::/32;
        set_real_ip_from 2405:8100::/32;
        set_real_ip_from 2c0f:f248::/32;
        set_real_ip_from 2a06:98c0::/29;
        # Take the visitor address from Cloudflare's CF-Connecting-IP request header.
        real_ip_header CF-Connecting-IP;
        # Pass the Host header through exactly as the client sent it.
        proxy_set_header Host $http_host;
        # proxy_set_header X-Forwarded-Proto $scheme;
        # $remote_addr is read after the real-IP substitution above, so for requests from a
        # trusted range the backend receives the visitor address, not the Cloudflare edge.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # For websockets
        # The client's Upgrade and Connection headers are forwarded unchanged.
        # NOTE(review): no proxy_http_version is set in this block; WebSocket upgrades
        # usually need 1.1. Confirm it is set elsewhere (for example in the snippet
        # commented out below) if live updates do not work.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        # include /etc/nginx/snippets/ssl-proxy-params.conf;
    }
}
# Vanity host: every request for tips.spiritualcomputing.com is answered with a
# temporary redirect to the point-of-sale app on the pay. host.
server {
    listen 23010;
    listen [::]:23010;
    server_name tips.spiritualcomputing.com;
    access_log /var/log/nginx/access_btcpay.log;
    error_log /var/log/nginx/error_btcpay.log;
    location / {
        # "^" matches any URI and the "redirect" flag makes nginx answer with a 302.
        # The /apps/<id>/pos path belongs to the author's BTCPay instance; replace it
        # with the URL of your own point-of-sale app as well as your own domain.
        rewrite ^ https://pay.spiritualcomputing.com/apps/3b7HeYNrS7ANGxCuimwBNYUmgbMK/pos redirect;
    }
}
# https://stackoverflow.com/questions/29104943/how-to-disable-direct-access-to-a-web-site-by-ip-address
# Catch-all for port 23010: any request whose Host header matches neither of the
# named servers lands here. This covers requests sent to the bare IP address.
# NOTE(review): this filters on the Host header only. A client that connects to the
# public IP directly and sends a matching Host is still served by the named servers;
# limiting the port to Cloudflare's source ranges at the firewall closes that gap.
server {
    listen 23010 default_server;
    listen [::]:23010 default_server;
    server_name _;
    # 444 is nginx-specific: close the connection without sending any response.
    return 444;
}
sudo ln -s /etc/nginx/sites-available/spiritualcomputing.conf /etc/nginx/sites-enabled/
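Open port 23010 in the firewall. The rule below accepts connections from any source address. To admit only traffic proxied by Cloudflare, you can instead add one `sudo ufw allow from <cloudflare_range> to any port 23010 proto tcp` rule per published Cloudflare range.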
sudo ufw allow 23010
sudo service nginx restart
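If you have a dynamic IP, you can follow this guide, which uses the Cloudflare API to update the records: https://github.com/MrWhizzy/cloudflare-ddns-update (if the script accepts one, prefer an API token limited to DNS edits on this single zone over the account-wide Global API Key, since the credential is stored on the node).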