How to configure nginx to allow only Cloudflare's IPs
If you want to further improve the security of your website, for example to prevent its content from being scraped more effectively, you can make the server accept connections only from Cloudflare's IPs.
The method is actually very simple, and someone abroad has already written a script for it.
With this script, nginx can be configured to accept connections only from Cloudflare's IPs.
Edit the nginx.conf file to load the cloudflare.conf file:
include /etc/nginx/cloudflare.conf;
If it is loaded in the server section of nginx.conf, all virtual hosts only allow connections from Cloudflare's IPs.
If it is loaded in the http section of nginx.conf, only that domain name allows connections from Cloudflare's IPs.
Edit the cloudflare.conf file and add the following code:
#Cloudflare ip addresses
# - IPv4
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
# - IPv6
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
real_ip_header CF-Connecting-IP;
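You can also replace set_real_ip_from with allow, and add deny all at the end of the file.
The allow and deny directives are checked against the client address after the realip module has rewritten it, so the allow lines must replace the set_real_ip_from lines rather than sit alongside them; with both in place, deny all would also reject visitors arriving through Cloudflare.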
The ranges above are Cloudflare's CDN IP addresses. You can find the list at the following address:
https://www.cloudflare.com/ips/
There is one problem here: if Cloudflare adds a new data center or updates its IPs, having to update the list manually is troublesome.
The script's author thought about this problem too, and wrote the following script to update the Cloudflare CDN IP addresses automatically.
Download the script, make it executable, and add a crontab entry so that it runs automatically:
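# Download the script into the directory the cron entry below runs it from
mkdir -p /opt/scripts
wget -O /opt/scripts/cloudflare-sync-ips.sh https://raw.githubusercontent.com/ergin/nginx-cloudflare-real-ip/master/cloudflare-sync-ips.sh
chmod +x /opt/scripts/cloudflare-sync-ips.sh
# Read the script before scheduling it: cron will run it unattended
# Open the crontab and add the line that follows (runs every day at 02:30)
crontab -e
30 2 * * * /opt/scripts/cloudflare-sync-ips.sh > /dev/null 2>&1
service cron restart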
The script author's official code repository:
https://github.com/ergin/nginx-cloudflare-real-ip?vpslala.com
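The automatic update and the allow / deny all variant described above share one failure mode: a failed download that leaves an empty or garbage list either breaks the nginx reload or, with deny all, locks every visitor out. The following is an added example, not the ergin script and not code from the original page; render_conf and SAMPLE are hypothetical names, and fetching the list from https://www.cloudflare.com/ips/ is left out so that it runs offline.

```shell
#!/bin/sh
# Added example (not the ergin script): build cloudflare.conf from a list of
# CIDR ranges on stdin, refusing input that is empty or not a CIDR list.

# Loose syntactic patterns for IPv4 and IPv6 CIDR notation.
V4='^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
V6='^[0-9A-Fa-f]*:[0-9A-Fa-f:]*/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'

# render_conf DIRECTIVE  (DIRECTIVE is set_real_ip_from or allow)
# Prints the config on stdout; returns 1 and prints nothing on bad input.
render_conf() {
    directive=$1
    case $directive in
        set_real_ip_from|allow) ;;
        *) echo "unsupported directive: $directive" >&2; return 1 ;;
    esac
    body='' count=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d ' \t\r')   # tolerate CRLF, padding
        [ -z "$line" ] && continue
        if ! printf '%s\n' "$line" | grep -Eq -e "$V4" -e "$V6"; then
            echo "rejected, not a CIDR range: $line" >&2
            return 1
        fi
        body="$body$directive $line;
"
        count=$((count + 1))
    done
    # An empty list followed by "deny all;" would lock out every visitor.
    [ "$count" -gt 0 ] || { echo "empty range list" >&2; return 1; }
    printf '# Cloudflare IP ranges\n%s' "$body"
    if [ "$directive" = allow ]; then
        printf 'deny all;\n'
    else
        printf 'real_ip_header CF-Connecting-IP;\n'
    fi
}

# Constructed sample input, using two of the ranges listed on this page.
SAMPLE='173.245.48.0/20
2400:cb00::/32'
```

Write the output to a temporary file and move it over /etc/nginx/cloudflare.conf only when render_conf succeeds, then run nginx -t before reloading so a bad file never reaches the running server.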