Nginx Cloudflare

Posted by alekperov11 
Nginx Cloudflare
September 01, 2024 04:54AM
Hi!

fail2ban (nft list ruleset)
....
table inet f2b-table {
    set addr-set-nginx {
        type ipv4_addr
        elements = { 35.171.80.195, 60.177.199.20,
                     66.249.73.128, 66.249.73.129,
                     66.249.73.130, 74.80.208.82,
                     81.21.85.103, 91.215.91.103,
                     91.233.62.4, 98.159.36.26,
                     101.71.241.246, 103.157.59.75,
                     119.155.187.211, 139.59.247.220,
                     162.158.18.134, 162.158.18.135,
                     162.158.19.45, 162.158.19.46,
                     165.22.108.189, 167.172.87.40,
                     172.68.224.178, 172.68.224.179,
                     172.68.224.202, 172.68.224.203,
                     172.69.182.250, 172.69.182.251,
                     172.69.212.144, 172.69.212.146,
                     172.69.212.147, 172.69.212.148,
                     172.69.212.150, 172.69.212.151,
                     172.70.51.147, 172.70.51.148,
                     172.70.51.175, 172.70.51.176,
                     183.128.172.222, 183.128.173.121,
                     201.238.0.230, 218.72.45.139 }
    }

    set addr6-set-nginx {
        type ipv6_addr
        elements = { 2601:245:c300:770:114b:eb98:7942:5667 }
    }

    chain f2b-chain {
        type filter hook input priority filter - 1; policy accept;
        tcp dport { 80, 443, 8080 } ip saddr @addr-set-nginx reject with icmp port-unreachable
        tcp dport { 80, 443, 8080 } ip6 saddr @addr6-set-nginx reject with icmpv6 port-unreachable
        tcp dport { 25, 80, 110, 143, 443, 465, 587, 993, 995, 4190, 8080 } ip saddr @addr-set-nginx reject with icmp port-unreachable
        tcp dport { 25, 80, 110, 143, 443, 465, 587, 993, 995, 4190, 8080 } ip saddr @addr-set-nginx reject with icmp port-unreachable
    }

nginx.conf
....
log_format cloudflare '$http_cf_connecting_ip - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $http_x_forwarded_for $remote_addr';

# Restoring real client ips behind CloudFlare proxy ips:
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
real_ip_header CF-Connecting-IP;
...

NGINX does not resolve all Cloudflare IP addresses.
Please help, how do I fix this?



Edited 1 time(s). Last edit at 09/01/2024 04:56AM by alekperov11.
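As an added example (not code from the post), a small audit of the two snippets above: it reads the set_real_ip_from ranges out of the nginx config and the banned addresses out of the fail2ban nft set, and reports every banned address that falls inside a trusted Cloudflare proxy range. Any hit means fail2ban is banning Cloudflare's edge rather than the real client, which blocks legitimate traffic for everyone behind that edge. The two snippets are constructed excerpts of the ones quoted above.

```python
import ipaddress
import re

# Constructed excerpt of the nginx.conf quoted in the post
# (the trusted Cloudflare proxy ranges).
NGINX_SNIPPET = """
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 2606:4700::/32;
real_ip_header CF-Connecting-IP;
"""

# Constructed excerpt of the fail2ban nft set quoted in the post.
NFT_SNIPPET = """
set addr-set-nginx {
    type ipv4_addr
    elements = { 35.171.80.195, 162.158.18.134,
                 172.68.224.178, 172.70.51.147 }
}
set addr6-set-nginx {
    type ipv6_addr
    elements = { 2601:245:c300:770:114b:eb98:7942:5667 }
}
"""

def parse_trusted_proxies(nginx_conf: str) -> list:
    """Collect every set_real_ip_from value as an ip_network."""
    cidrs = re.findall(r"^\s*set_real_ip_from\s+(\S+?)\s*;", nginx_conf, re.M)
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def parse_banned(nft_ruleset: str) -> list:
    """Collect the addresses inside every 'elements = { ... }' block."""
    banned = []
    for block in re.findall(r"elements\s*=\s*\{([^}]*)\}", nft_ruleset, re.S):
        banned += [ipaddress.ip_address(a.strip()) for a in block.split(",") if a.strip()]
    return banned

def banned_proxies(banned: list, trusted: list) -> list:
    """Return (address, network) pairs for banned addresses inside a trusted proxy range."""
    hits = []
    for addr in banned:
        for net in trusted:
            if addr.version == net.version and addr in net:
                hits.append((str(addr), str(net)))
                break
    return hits

if __name__ == "__main__":
    for addr, net in banned_proxies(parse_banned(NFT_SNIPPET), parse_trusted_proxies(NGINX_SNIPPET)):
        print(f"banned {addr} is a trusted proxy ({net}): fail2ban is reading the edge address, not the client")
```

Run it against the full `nft list ruleset` output and the real nginx.conf to see how much of the ban set is Cloudflare; a non-empty result is the signal that the log format or the real_ip setup feeds fail2ban the wrong field.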
Re: Nginx Cloudflare
September 02, 2024 03:01AM
I'll answer myself

log_format cloudflare '$http_cf_connecting_ip - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $http_x_forwarded_for $remote_addr';

Change to

log_format cloudflare '$http_x_forwarded_for - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $http_cf_connecting_ip $remote_addr';