This repository has been archived by the owner on Nov 11, 2022. It is now read-only.

byronwolfman/real_ip_hydrator

Hydrate nginx real_ip values

What is this?

I'm prepping a new webhost to be served behind Cloudflare. Cloudflare advises that if you use nginx and want to know where your traffic is really coming from, you need to configure the real_ip module (ngx_http_realip_module) so that nginx trusts Cloudflare's edge addresses and restores the visitor's address from the header Cloudflare sets. The method to do so is described here:

https://support.cloudflare.com/hc/en-us/articles/200170706-How-do-I-restore-original-visitor-IP-with-Nginx-

Below the list of Cloudflare IP addresses is the following caveat:

NB: That list of prefixes needs to be updated regularly

It's unclear what the frequency of "regularly" is, but clearly we need to monitor this list for updates. If we need to monitor this list for updates, then we may as well assign that task to a robot. If the robot is monitoring the list, then it may as well be responsible for updating the nginx configuration too. Here's a script to do just that.

(Alternatively, I have also made this available as a facter fact over here.)

How it works

Hopefully the script is easy to parse, but just in case it isn't, here is what it does:

  1. Downloads a newline-delimited list (one address or prefix per line) of IPv4 and IPv6 addresses from Cloudflare
  2. Cleans (truncates) /etc/nginx/real_ip.conf
  3. Validates each IP address and writes the valid ones into /etc/nginx/real_ip.conf as set_real_ip_from directives
  4. Reloads nginx via /bin/systemctl
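The four steps above, written out as an added example (this is not the repository's own script): it validates IPv4 and IPv6 prefixes before writing them, refuses to replace the include when the list yields nothing valid, and only reloads nginx after nginx -t accepts the result. The Cloudflare list URLs, the /etc/nginx/real_ip.conf path, the --live flag and the sample list (built from documentation ranges, not Cloudflare's) are assumptions made for the example.

```shell
#!/bin/sh
# real_ip_hydrate.sh: an added example of the four steps above, not the
# repository's own script. It rebuilds an nginx real_ip include from a
# newline-delimited list of prefixes, refuses to touch the file when the list
# yields nothing valid, and only reloads nginx after `nginx -t` passes.
# The Cloudflare URLs, paths and the --live flag are assumptions.

OCT='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
HEX='[0-9A-Fa-f]{1,4}'

# is_ipv4 ADDR[/LEN]: dotted quad with octets 0-255 and an optional /0-32
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq "^($OCT\.){3}$OCT(/(3[0-2]|[12]?[0-9]))?$"
}

# count_groups 'a:b': number of colon-separated groups, 0 for the empty string
count_groups() {
  if [ -z "$1" ]; then echo 0; else printf '%s' "$1" | awk -F: '{print NF}'; fi
}

# is_ipv6 ADDR[/LEN]: eight hex groups, or fewer with a single "::", optional /0-128
is_ipv6() {
  addr=$1
  case "$addr" in
    */*) prefix=${addr#*/}; addr=${addr%%/*}
         printf '%s\n' "$prefix" | grep -Eq '^(12[0-8]|1[01][0-9]|[1-9]?[0-9])$' || return 1 ;;
  esac
  case "$addr" in
    *::*::*) return 1 ;;                      # two "::" is never valid
    *::*)
      left=${addr%%::*}; right=${addr#*::}
      for side in "$left" "$right"; do
        [ -z "$side" ] && continue
        printf '%s\n' "$side" | grep -Eq "^$HEX(:$HEX)*$" || return 1
      done
      # "::" stands for at least one zero group, so at most 7 explicit groups remain
      [ $(( $(count_groups "$left") + $(count_groups "$right") )) -le 7 ] ;;
    *) printf '%s\n' "$addr" | grep -Eq "^($HEX:){7}$HEX$" ;;
  esac
}

# hydrate_conf LIST OUT: write one "set_real_ip_from <prefix>;" per valid line of
# LIST into OUT via an atomic rename. Returns 1 and leaves OUT untouched if
# nothing in LIST was valid (failed or empty download).
hydrate_conf() {
  list=$1; out=$2; n=0
  tmp=$(mktemp "$out.XXXXXX") || return 1   # same directory, so mv is a rename
  chmod 644 "$tmp"
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')  # trims CR too
    [ -z "$line" ] && continue
    if is_ipv4 "$line" || is_ipv6 "$line"; then
      printf 'set_real_ip_from %s;\n' "$line" >> "$tmp"
      n=$((n + 1))
    else
      printf 'skipping invalid entry: %s\n' "$line" >&2
    fi
  done < "$list"
  if [ "$n" -eq 0 ]; then
    rm -f "$tmp"
    echo 'no valid prefixes found; existing config left untouched' >&2
    return 1
  fi
  mv "$tmp" "$out"
}

# main: the production flow. Rolls back and exits non-zero if nginx rejects the result.
main() {
  conf=/etc/nginx/real_ip.conf
  list=$(mktemp) || exit 1
  { curl -fsS https://www.cloudflare.com/ips-v4 && echo &&
    curl -fsS https://www.cloudflare.com/ips-v6 && echo; } > "$list" ||
    { echo 'download failed' >&2; rm -f "$list"; exit 1; }
  [ -f "$conf" ] && cp -p "$conf" "$conf.bak"
  if hydrate_conf "$list" "$conf" && nginx -t; then
    systemctl reload nginx
  else
    [ -f "$conf.bak" ] && cp -p "$conf.bak" "$conf"   # restore the last good include
    rm -f "$list"; exit 1
  fi
  rm -f "$list"
}

# demo: offline run over a constructed list (documentation ranges, not Cloudflare's)
# that mixes CRLF endings, blank lines and junk the validator must reject.
demo() {
  list=$(mktemp); out=$(mktemp)
  printf '192.0.2.0/24\r\n198.51.100.0/24\n2001:db8::/32\n2001:db8::1\n\n999.1.1.1\n::1::2\nnot-an-ip\n' > "$list"
  hydrate_conf "$list" "$out" && cat "$out"
  rm -f "$list" "$out"
}

case "${1:-}" in
  --live) main ;;   # download, write /etc/nginx/real_ip.conf, test, reload
  *)      demo ;;   # default: the offline demonstration
esac
```

Run it with no arguments to see the four valid entries rendered as set_real_ip_from lines and the three bad ones reported on stderr; --live performs the real download, install, nginx -t and reload, and restores the previous file if the test fails.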

How to use it

Every setup is a little different, so this will not necessarily be a "drop-in" addition. It's simple and short enough to modify to your needs. As a set of general guidelines though:

  1. Install the script somewhere convenient like /usr/local/bin/
  2. Run the script and validate that /etc/nginx/real_ip.conf looks sane
  3. Set up a cron job to run the script daily
  4. Add include /etc/nginx/real_ip.conf; to your nginx config(s), alongside the real_ip_header directive the Cloudflare article describes
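The include on its own only tells nginx which upstream addresses to trust; the real_ip module also needs to know which header carries the visitor's address. Below is an added example of wiring the generated file into an http block; it is not part of the repository. It assumes the file contains set_real_ip_from lines and that Cloudflare's CF-Connecting-IP header is used, as the linked article describes; the server block is a throwaway that just echoes the restored address.

```nginx
http {
    # Generated by the hydrator script: one "set_real_ip_from <prefix>;" per
    # Cloudflare range. Only connections arriving from these ranges may
    # override the client address; the header is ignored from anyone else.
    include /etc/nginx/real_ip.conf;

    # Take the visitor address from Cloudflare's header rather than
    # X-Forwarded-For, which a client can pre-populate before Cloudflare sees it.
    real_ip_header CF-Connecting-IP;

    # Do not widen the trusted set with something like "set_real_ip_from 0.0.0.0/0;"
    # to "make it work": a direct client could then spoof any address through the header.

    server {
        listen 80;
        server_name example.com;   # placeholder name
        default_type text/plain;

        # With the include in place, $remote_addr is the visitor, not the Cloudflare edge.
        location / {
            return 200 "$remote_addr\n";
        }
    }
}
```

After a reload, a request through Cloudflare should answer with the visitor's own address; if it answers with a Cloudflare edge address, the include is empty or the edge range is missing from it.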

Danger

This script makes certain assumptions which may cause you grief:

  • The script cleans /etc/nginx/real_ip.conf before validating IP addresses, so a failed or empty download leaves you with an empty include until the next successful run, and nginx will log Cloudflare's edge addresses instead of visitor addresses in the meantime
    • Ideally the script should abort, leaving the previous file in place, if no IPv4 or IPv6 addresses are found
  • The script assumes a newline-delimited list (one address or prefix per line)
  • The script assumes you are using Cloudflare
  • The script assumes you are using systemd
  • The script assumes it will be run under a user that has permission to reload nginx
  • The script will not attempt to validate your nginx configuration (nginx -t) before reloading; if the generated file is malformed, nginx rejects the reload and keeps running on its previous configuration, so the failure only shows up in the error log
    • This might get fixed or at least hardened

Use/modify/deploy at your own risk.

Contributing

Feel free to fork and make pull requests.

About

Turn a list of IP addresses into real_ip configs for nginx
