How to configure nginx to allow only Cloudflare IPs

🕜 by admin

If you want to further improve the security of your website, for example to prevent the site from being scraped more effectively,

you can have the server accept connections only from Cloudflare's IP addresses.

The method is actually very simple, and someone abroad has already written a script for it.

Use this script to configure nginx to accept connections only from Cloudflare's IP addresses.

Edit the nginx.conf file so that it loads the cloudflare.conf file:

include /etc/nginx/cloudflare.conf;

If it is loaded in the server section of nginx.conf, all virtual hosts accept connections only from Cloudflare's IP addresses.

If it is loaded in the http section of nginx.conf, that domain accepts connections only from Cloudflare's IP addresses.

Edit the cloudflare.conf file and add the following:

#Cloudflare ip addresses

# - IPv4
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;

# - IPv6
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;

real_ip_header CF-Connecting-IP;

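You can also replace set_real_ip_from with allow, and add deny all at the end of the file. set_real_ip_from only tells nginx which proxy addresses to trust for the CF-Connecting-IP header; allow and deny are the directives that restrict access.

The ranges above are Cloudflare's CDN IP addresses. You can find them at the following address: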

https://www.cloudflare.com/ips/

There is a problem here: if Cloudflare adds a new data center or changes its IP ranges, isn't it troublesome to have to update the list manually?

The script's author thought about this problem too, and wrote the following script to update the Cloudflare CDN IP addresses automatically.

Download the script, make it executable, and add a crontab entry so the update runs automatically:

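mkdir -p /opt/scripts
# Download the script to the same path the cron entry uses
wget -P /opt/scripts https://raw.githubusercontent.com/ergin/nginx-cloudflare-real-ip/master/cloudflare-sync-ips.sh

chmod +x /opt/scripts/cloudflare-sync-ips.sh

# Open the crontab for editing and add the line below (runs daily at 02:30)
crontab -e

30 2 * * * /opt/scripts/cloudflare-sync-ips.sh > /dev/null 2>&1

service cron restart

Done. Keep the paths of the main files involved consistent across these steps.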
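
The allow / deny all variant described above, with a guard for the automatic update so that a failed or garbled download cannot replace a working cloudflare.conf. This is an added example, not part of the original post or the linked script; render_allowlist and update_conf are hypothetical helper names, and the sample ranges are copied from the list above.

```shell
#!/bin/sh
# Added example, not from the original post or the linked script.
# Shape checks only: octet values are not range-checked here.
V4='^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
V6='^[0-9A-Fa-f]*:[0-9A-Fa-f:]*/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'

# Print "allow <cidr>;" for every line of file $1, followed by "deny all;".
# Returns 1 with nothing on stdout if the list is empty or any line is not
# CIDR-shaped, so an error page or empty response is never turned into rules.
render_allowlist() {
    list=$(tr -d '\r' < "$1" | grep -v '^$' || true)
    if [ -z "$list" ]; then
        echo "rejected: empty list" >&2
        return 1
    fi
    bad=$(printf '%s\n' "$list" | grep -Ev -e "$V4" -e "$V6" || true)
    if [ -n "$bad" ]; then
        echo "rejected: not a CIDR: $bad" >&2
        return 1
    fi
    printf '%s\n' "$list" | sed 's/.*/allow &;/'
    echo 'deny all;'
}

# Write rules for list file $1 to config file $2. The rules go to a temp
# file next to $2 first, so $2 is left untouched when validation fails.
update_conf() {
    tmp=$(mktemp "$2.XXXXXX") || return 1
    if render_allowlist "$1" > "$tmp"; then
        chmod 644 "$tmp" && mv "$tmp" "$2"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Constructed sample input: three ranges copied from the list above.
sample=$(mktemp)
printf '%s\n' 103.21.244.0/22 173.245.48.0/20 2400:cb00::/32 > "$sample"
render_allowlist "$sample"
rm -f "$sample"
```

After the file is replaced, run nginx -t and reload nginx only if the test passes.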

The script author's official code repository:

https://github.com/ergin/nginx-cloudflare-real-ip?vpslala.com
