Allowing Cloudflare IP addresses only in Nginx

allow traffic from Cloudflare in Nginx

If your HTTP server sits behind Cloudflare, it is a good idea to accept traffic only from Cloudflare's IP ranges: otherwise anyone who discovers the origin's real address can send requests straight to it and bypass whatever Cloudflare is doing for you (WAF rules, rate limiting, access policies). This can be enforced at the packet level with iptables, as demonstrated in Allowing Cloudflare IP addresses. If the same host also runs services that are not fronted by Cloudflare, it is more flexible to allow-list the Cloudflare ranges inside Nginx, only for the server blocks that need it.

To do this, create a configuration file, /etc/nginx/allow-cloudflare-only.conf, that allows every published Cloudflare range and denies everything else:

# https://www.cloudflare.com/ips
# IPv4
allow 173.245.48.0/20;
allow 103.21.244.0/22;
allow 103.22.200.0/22;
allow 103.31.4.0/22;
allow 141.101.64.0/18;
allow 108.162.192.0/18;
allow 190.93.240.0/20;
allow 188.114.96.0/20;
allow 197.234.240.0/22;
allow 198.41.128.0/17;
allow 162.158.0.0/15;
allow 104.16.0.0/12;
allow 172.64.0.0/13;
allow 131.0.72.0/22;

# IPv6
allow 2400:cb00::/32;
allow 2606:4700::/32;
allow 2803:f800::/32;
allow 2405:b500::/32;
allow 2405:8100::/32;
allow 2a06:98c0::/29;
allow 2c0f:f248::/32;

deny all; # deny all remaining ips

Rather than maintaining this list by hand, the file can be generated by a script. Cloudflare updates its IP ranges from time to time, so run the script regularly, for example from a cron job, and reload Nginx whenever the file changes: a stale list means requests arriving through a newly added Cloudflare range get 403, and your site becomes unreachable for some visitors.
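The generator below is an added example, not the original post's script. It assumes curl and nginx are on PATH, that the output path is /etc/nginx/allow-cloudflare-only.conf (overridable through OUT), and that Cloudflare's plain-text lists at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 keep their one-CIDR-per-line format. It filters every downloaded line against a CIDR pattern so a corrupted response cannot smuggle directives into the Nginx config, refuses to write a file whose allow list is empty (which would lock every visitor out), and rolls back if the new file fails nginx -t.

```shell
#!/bin/sh
# Added example (not the original post's script): regenerate the
# allow-cloudflare-only.conf include from Cloudflare's published lists.
# Assumes: curl and nginx on PATH; one CIDR per line at the two URLs below.
set -eu

CF_IPV4_URL="https://www.cloudflare.com/ips-v4"
CF_IPV6_URL="https://www.cloudflare.com/ips-v6"
OUT="${OUT:-/etc/nginx/allow-cloudflare-only.conf}"

# Turn one CIDR per line on stdin into "allow <cidr>;" lines. Anything that
# is not a bare IPv4/IPv6 prefix is dropped, so a corrupted or tampered
# download cannot inject arbitrary directives into the nginx config.
# (This is a sanity filter, not a full address validator.)
emit_allow() {
  tr -d '\r' |
    grep -E '^([0-9]{1,3}(\.[0-9]{1,3}){3}|[0-9a-fA-F:]+)/[0-9]{1,3}$' |
    sed 's/^/allow /; s/$/;/'
}

# Render the full include file from two list files (v4, v6). Fails if either
# list yields nothing, because an empty allow list followed by "deny all"
# would deny every visitor.
render_conf() {
  v4="$1"
  v6="$2"
  n4=$(emit_allow < "$v4" | wc -l | tr -d ' ')
  n6=$(emit_allow < "$v6" | wc -l | tr -d ' ')
  if [ "$n4" -eq 0 ] || [ "$n6" -eq 0 ]; then
    echo "refusing to render: empty or invalid IP list" >&2
    return 1
  fi
  printf '# generated from %s and %s\n' "$CF_IPV4_URL" "$CF_IPV6_URL"
  printf '# IPv4\n'
  emit_allow < "$v4"
  printf '\n# IPv6\n'
  emit_allow < "$v6"
  printf '\ndeny all; # deny all remaining ips\n'
}

# Fetch both lists, render, install only if something changed, then validate
# the running nginx config and reload; restore the previous file on failure.
update_config() {
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT
  curl -fsS --max-time 20 "$CF_IPV4_URL" -o "$tmp/v4"
  curl -fsS --max-time 20 "$CF_IPV6_URL" -o "$tmp/v6"
  render_conf "$tmp/v4" "$tmp/v6" > "$tmp/conf"
  if [ -f "$OUT" ] && cmp -s "$tmp/conf" "$OUT"; then
    return 0   # nothing changed, no reload needed
  fi
  if [ -f "$OUT" ]; then
    cp "$OUT" "$tmp/backup"
  fi
  cp "$tmp/conf" "$OUT.new"
  mv "$OUT.new" "$OUT"   # same directory, so the swap is atomic
  if nginx -t; then
    nginx -s reload
  else
    if [ -f "$tmp/backup" ]; then
      cp "$tmp/backup" "$OUT"
    fi
    echo "new config failed nginx -t; previous file restored" >&2
    return 1
  fi
}

# Only touch the system when invoked with --run, e.g. from cron:
#   0 */6 * * * /usr/local/sbin/cf-allow.sh --run
if [ "${1:-}" = "--run" ]; then
  update_config
fi
```

The script installs the new file before running nginx -t because nginx -t only tests the configuration that is actually on disk; the backup copy is what makes that safe. Run it as a user that can write the include file and signal the Nginx master process.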

Then include this file in each server block that should be reachable only through Cloudflare, or in the http block to apply it to every server. For example, in sites-available/example.com.conf:

server {
  listen 80;
  listen [::]:80;

  include /etc/nginx/allow-cloudflare-only.conf;

  server_name example.com;

  #...the rest of your config here...
}

With this in place, any request that reaches the origin from an address outside the Cloudflare ranges gets a 403 Forbidden response. Two caveats are worth knowing. First, the access module checks the client address as Nginx sees it. If you also use ngx_http_realip_module with set_real_ip_from and real_ip_header CF-Connecting-IP so that logs show visitors' real addresses, $remote_addr is replaced by the visitor's address before the allow/deny rules run, and this include would then deny every visitor; in that setup, test the untouched edge address ($realip_remote_addr) instead, for example through a geo map. Second, these rules only cover the ports Nginx listens on, and a 403 still tells a scanner that a web server is there; if the origin should be invisible rather than merely unhelpful, combine this with the iptables rules. Note also that allow-listing Cloudflare's addresses does not by itself prove that a request went through your zone's rules, since any Cloudflare customer can point their own zone at your origin and reach it from the same address ranges; Cloudflare's Authenticated Origin Pulls (client certificates on the Cloudflare-to-origin connection) closes that gap.

More on ngx_http_access_module, which provides the allow and deny directives: http://nginx.org/en/docs/http/ngx_http_access_module.html.

林宏

Frank Lin

Hey, there! This is Frank Lin (@flinhong), one of the 1.4 billion 🇨🇳. This 'inDev. Journal' site holds the exploration of my quirky thoughts and random adventures through life. Hope you enjoy reading and perusing my posts.
