Allowing Cloudflare IP addresses only in Nginx

allow traffic from Cloudflare in Nginx

If your HTTP server sits behind Cloudflare, it is good practice to accept traffic only from Cloudflare IP addresses; otherwise anyone who discovers the origin's real address can bypass Cloudflare's WAF, rate limiting and access rules by connecting to it directly. You can enforce this at the packet level with iptables, as described in Allowing Cloudflare IP addresses. If the same host also runs services that are not behind Cloudflare, it is more flexible to allow-list the Cloudflare IPs inside the Nginx configuration instead, so the restriction applies only to the sites that need it.

To do this, create a /etc/nginx/allow-cloudflare-only.conf configuration file that allows all of Cloudflare's published IP ranges and denies everyone else:

# https://www.cloudflare.com/ips
# IPv4
allow 173.245.48.0/20;
allow 103.21.244.0/22;
allow 103.22.200.0/22;
allow 103.31.4.0/22;
allow 141.101.64.0/18;
allow 108.162.192.0/18;
allow 190.93.240.0/20;
allow 188.114.96.0/20;
allow 197.234.240.0/22;
allow 198.41.128.0/17;
allow 162.158.0.0/15;
allow 104.16.0.0/12;
allow 172.64.0.0/13;
allow 131.0.72.0/22;

# IPv6
allow 2400:cb00::/32;
allow 2606:4700::/32;
allow 2803:f800::/32;
allow 2405:b500::/32;
allow 2405:8100::/32;
allow 2a06:98c0::/29;
allow 2c0f:f248::/32;

deny all; # deny all remaining ips

This configuration file can be generated by this script:

Note that Cloudflare updates its IP ranges from time to time, so run the script regularly (a cron job is a good fit) and reload Nginx whenever the generated file changes; a stale list will start returning 403 to legitimate visitors once Cloudflare adds a range you do not allow.
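The author's generator script is not reproduced on this page. The script below is an added example, not the post's own code: it fetches the two lists Cloudflare publishes at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6, refuses any line that is not a plain CIDR prefix (so a bad or tampered download cannot smuggle other directives into the Nginx config), refuses an empty list (which would collapse to "deny all" and lock Cloudflare out too), and only replaces the live file after nginx -t accepts it. The output path and the script name gen-cf-allow.sh are assumptions that match the post; override the path with OUT=... in the environment.

```shell
#!/bin/sh
# Added example, not the post's own script: regenerate the Nginx allow-list
# from Cloudflare's published ranges with validation and a safe install.
set -eu

CF_V4_URL="https://www.cloudflare.com/ips-v4"
CF_V6_URL="https://www.cloudflare.com/ips-v6"
# Output path is an assumption that matches the post; override with OUT=...
OUT="${OUT:-/etc/nginx/allow-cloudflare-only.conf}"

# is_cidr PREFIX: succeed only for a.b.c.d/0-32 (octets 0-255) or an IPv6
# prefix /0-128. Anything else, including a trailing ";" or extra words, fails.
is_cidr() {
  octet='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
  printf '%s\n' "$1" |
    grep -Eq "^($octet\.){3}$octet/([0-9]|[12][0-9]|3[0-2])\$" && return 0
  printf '%s\n' "$1" |
    grep -Eq '^[0-9A-Fa-f]{0,4}(:[0-9A-Fa-f]{0,4}){1,7}/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'
}

# render_allow_conf: read one prefix per line on stdin and print the Nginx
# snippet. Exits non-zero on the first line that is not a CIDR, or if no
# prefix was read at all.
render_allow_conf() {
  n=0
  printf '# https://www.cloudflare.com/ips\n'
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | tr -d '\r ')   # tolerate CRLF and stray spaces
    [ -z "$line" ] && continue
    case "$line" in '#'*) continue ;; esac       # skip comment lines
    if ! is_cidr "$line"; then
      printf 'refusing non-CIDR line: %s\n' "$line" >&2
      return 1
    fi
    printf 'allow %s;\n' "$line"
    n=$((n + 1))
  done
  [ "$n" -gt 0 ] || { echo 'no prefixes read, refusing to write an empty allow list' >&2; return 1; }
  printf 'deny all; # deny all remaining ips\n'
}

# fetch_and_install: download both lists, render, install, and keep the old
# file unless "nginx -t" accepts the new one. Run as: sh gen-cf-allow.sh --fetch
fetch_and_install() {
  tmp=$(mktemp)
  trap 'rm -f "$tmp"' EXIT
  # curl -f turns an HTTP error into a non-zero exit; as separate assignments
  # under set -e, either failure aborts before anything is written.
  v4=$(curl -fsS "$CF_V4_URL")
  v6=$(curl -fsS "$CF_V6_URL")
  printf '%s\n%s\n' "$v4" "$v6" | render_allow_conf >"$tmp"
  if [ -f "$OUT" ] && cmp -s "$tmp" "$OUT"; then
    echo "$OUT is up to date"
    return 0
  fi
  [ -f "$OUT" ] && cp -p "$OUT" "$OUT.bak"
  install -m 0644 "$tmp" "$OUT"
  if nginx -t; then
    nginx -s reload
  else
    echo "nginx -t rejected the new file, restoring the previous one" >&2
    [ -f "$OUT.bak" ] && mv "$OUT.bak" "$OUT"
    return 1
  fi
}

# Only touch the network and the live config when asked to explicitly.
case "${1:-}" in
  --fetch) fetch_and_install ;;
esac
```

A cron entry such as `17 4 * * * /usr/local/sbin/gen-cf-allow.sh --fetch` keeps the file current; because the script compares against the installed copy first, Nginx is only reloaded when a range actually changed.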

Then include this configuration file in each server block that should only be reachable through Cloudflare, or globally in the http block if every site on the host is behind Cloudflare. For example, in sites-available/example.com.conf:

server {
  listen 80;
  listen [::]:80;

  include /etc/nginx/allow-cloudflare-only.conf;

  server_name example.com;

  #...the rest of your config here...
}

With this in place, any request that reaches the origin from an address other than Cloudflare's gets a 403 Forbidden. Two caveats. First, allow and deny are evaluated against the client address Nginx sees: if you also use ngx_http_realip_module to restore the visitor's address from the CF-Connecting-IP header, the rewritten address is the visitor's, not Cloudflare's, and this allow list would then deny every proxied request; in that setup do the filtering with iptables instead, or test $realip_remote_addr, which keeps the original connection address. Second, this only protects what Nginx serves; other ports on the origin remain reachable from anywhere, which is where the iptables approach is the stronger control.

More on ngx_http_access_module, which provides the allow and deny directives for client addresses: http://nginx.org/en/docs/http/ngx_http_access_module.html.

林宏

Frank Lin

Hey, there! This is Frank Lin (@flinhong), one of the 1.4 billion 🇨🇳. This 'inDev. Journal' site holds the exploration of my quirky thoughts and random adventures through life. Hope you enjoy reading and perusing my posts.