```bash
#!/bin/bash
# -e: stop on the first failing command; -o pipefail: a failing curl inside
# the pipeline counts as a failure instead of being masked by sed
set -eo pipefail
cf_ips() {
    echo "# https://www.cloudflare.com/ips"
    for type in v4 v6; do
        echo "# IP$type"
        # -f makes curl exit non-zero on an HTTP error (404, 5xx) rather than
        # passing the error page through into the generated config
        curl -fsSL "https://www.cloudflare.com/ips-$type/" | sed "s|^|allow |g" | sed "s|\$|;|g"
        echo
    done
    echo "# Generated at $(LC_ALL=C date)"
}
# Write to a temp file and move it into place only once cf_ips succeeded, so a
# failed download never leaves an empty or partial config that denies all traffic
tmp=$(mktemp)
trap 'rm -f "$tmp"' EXIT
cf_ips > "$tmp"
mv "$tmp" allow-cloudflare.conf
(cf_ips && echo "deny all; # deny all remaining ips") > "$tmp"
mv "$tmp" allow-cloudflare-only.conf
```
For some reason https://www.cloudflare.com/ips-$type could not be read, because of which this script generated a config file that blocked all traffic, effectively taking down my site. Is there anything we can do to prevent this?
IP list URLs changed - slash added.
from https://www.cloudflare.com/ips-v4 to https://www.cloudflare.com/ips-v4/
thx, updated the script
Shouldn't there be a check that curl returns a 200 status before overwriting the conf file?
thanks @zhil - this probably saved a future me a good bit of troubleshooting
@poldim how did you resolve the issue with blocking the proxied (X-Forwarded-For) IPs vs real IPs?
On each server block, I check if the IP is coming from a known list of CF IPs and non-CF IPs get 403s: if ($cloudflare_ip != 1) { return 403; }
Thank you @poldim. Sorry if this is a dumb question, but how do you populate $cloudflare_ip? Would you be able to share a snippet?
Take a look at this: ergin/nginx-cloudflare-real-ip#3
I'm using
real_ip_header CF-Connecting-IP
to configure my client IP as WAN IP of the external device making the request. But this will never match the allow list your script generates. Any idea how to check in which header CF is passing along its IP request? I'd then need to set nginx to check that header against this allow list.
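Two things come up in this thread: the script once produced a deny-all config because the download returned something that was not an IP list, and a Cloudflare-only check based on $remote_addr stops matching as soon as real_ip_header CF-Connecting-IP rewrites $remote_addr to the visitor's address. The following is an added example, not the gist author's script or Cloudflare's code. It validates the downloaded body before any config is written and emits the nginx directives that make both pieces work together; the function names is_cidr_list and render_nginx_conf and the variable name $cloudflare_ip are assumptions chosen here. $realip_remote_addr, set_real_ip_from, real_ip_header and geo are real nginx directives and variables.

```shell
#!/bin/sh
# Added example (not the gist's script): refuse to turn a downloaded
# Cloudflare IP list into nginx config unless it really is a list of CIDRs,
# then emit the config needed for a Cloudflare-only check that survives
# real_ip_header CF-Connecting-IP. Function names are assumptions.
set -eu

# Succeed only if stdin holds at least one line and every non-blank,
# non-comment line looks like an IPv4 or IPv6 CIDR (loose sanity regexes,
# not a full parser). An HTML error page, a redirect stub or an empty body
# all fail here, so nothing gets installed.
is_cidr_list() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '' | '#'*) continue ;;
        esac
        if printf '%s\n' "$line" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'; then
            n=$((n + 1))
        elif printf '%s\n' "$line" | grep -Eq '^[0-9a-fA-F:]+/[0-9]{1,3}$'; then
            n=$((n + 1))
        else
            return 1
        fi
    done
    [ "$n" -gt 0 ]
}

# Turn a validated list (stdin) into nginx directives on stdout:
#   set_real_ip_from <range>;        trust each Cloudflare edge range
#   real_ip_header CF-Connecting-IP; make $remote_addr the visitor's address
#   geo $realip_remote_addr $cloudflare_ip { ... }
# The geo map is keyed on $realip_remote_addr, the TCP peer's address before
# the realip module rewrote it, i.e. the Cloudflare edge. It therefore still
# matches after $remote_addr has become the visitor's address, so
# "if ($cloudflare_ip != 1) { return 403; }" keeps working in a server block.
render_nginx_conf() {
    list=$(cat)
    if ! printf '%s\n' "$list" | is_cidr_list; then
        echo "refusing to write config: list is empty or not a CIDR list" >&2
        return 1
    fi
    ranges=$(printf '%s\n' "$list" | grep -Ev '^(#|$)')
    echo "# Generated from the Cloudflare IP list; include this from the http block"
    printf '%s\n' "$ranges" | sed 's|^|set_real_ip_from |; s|$|;|'
    echo "real_ip_header CF-Connecting-IP;"
    echo "geo \$realip_remote_addr \$cloudflare_ip {"
    echo "    default 0;"
    printf '%s\n' "$ranges" | sed 's|^|    |; s|$| 1;|'
    echo "}"
}
```

To wire it in, feed the two downloads through the renderer into a temp file and move it into place only on success, e.g. `{ curl -fsSL https://www.cloudflare.com/ips-v4/; echo; curl -fsSL https://www.cloudflare.com/ips-v6/; } | render_nginx_conf > cf.tmp && mv cf.tmp cloudflare.conf`; because render_nginx_conf returns non-zero on a bad body, the live file is never replaced by a broken one.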