When operating a web server, the reliability and performance of your server configuration can be heavily impacted by how well it handles traffic. One key aspect of this is managing IP addresses, particularly when dealing with reverse proxies like Cloudflare. Although Cloudflare’s IP addresses are not expected to change frequently, it remains crucial to stay synchronised with their most current IP ranges. This is where the cloudflare-nginx-snippets project steps in to automate the process.
The Importance of Keeping Cloudflare’s IPs Updated
Cloudflare acts as an intermediary between users and your web server, masking the users’ true IP addresses. To ensure that only traffic from Cloudflare gets through, and that Nginx correctly logs the real visitors’ IP addresses, it’s vital to have the latest list of Cloudflare IPs in your server configuration.
Project Overview
The cloudflare-nginx-snippets project provides two essential scripts:
1. update-cf-ips.sh
- Purpose: Updates Nginx configuration to restrict access to the server block, allowing requests only from Cloudflare’s IP ranges.
- How It Works: Fetches the updated list of IPs from Cloudflare’s API and updates an Nginx configuration file with `allow` directives for these IPs, followed by `deny all;` for any other IPs. It then tests and reloads the Nginx configuration.
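```bash
# Snippet of critical operations (CONFIG_FILE is defined elsewhere in the script)
IPS_V4=$(curl -s https://www.cloudflare.com/ips-v4)
IPS_V6=$(curl -s https://www.cloudflare.com/ips-v6)
echo "" > "$CONFIG_FILE"
# One allow directive for each IP range in IPS_V4 and IPS_V6
for ip in $IPS_V4 $IPS_V6; do
    echo "allow $ip;" >> "$CONFIG_FILE"
done
# Everything that is not a Cloudflare range is refused
echo "deny all;" >> "$CONFIG_FILE"
nginx -t && systemctl reload nginx
```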
2. update-cf-real-ip.sh
- Purpose: Updates Nginx configuration to correctly map Cloudflare’s `CF-Connecting-IP` header to the visitor’s true IP address in the http block.
- How It Works: Similarly fetches Cloudflare’s current IP ranges and updates another configuration file to utilise `set_real_ip_from` directives. It also configures `real_ip_header CF-Connecting-IP`. This ensures your logs and any IP-based rules reflect the true client IPs.
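```bash
# Snippet of critical operations (CONFIG_FILE is defined elsewhere in the script)
IPS_V4=$(curl -s https://www.cloudflare.com/ips-v4)
IPS_V6=$(curl -s https://www.cloudflare.com/ips-v6)
echo "" > "$CONFIG_FILE"
# One set_real_ip_from directive for each IP range in IPS_V4 and IPS_V6
for ip in $IPS_V4 $IPS_V6; do
    echo "set_real_ip_from $ip;" >> "$CONFIG_FILE"
done
# Take the client address from Cloudflare's header for those trusted ranges
echo "real_ip_header CF-Connecting-IP;" >> "$CONFIG_FILE"
nginx -t && systemctl reload nginx
```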
Automating the Updates
To maintain up-to-date configurations without manual intervention, you can set up cron jobs to run these scripts at regular intervals:
```
# Assuming you clone this project in the /root directory
0 0 * * * /root/cloudflare-nginx-snippets/update-cf-ips.sh 2>&1
0 1 * * * /root/cloudflare-nginx-snippets/update-cf-real-ip.sh 2>&1
```
With these cron jobs, the IP address lists are updated daily, ensuring your Nginx configurations are always using the current Cloudflare IP ranges.
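An unattended daily run has to survive a failed or garbled fetch: as the snippets are shown above, an empty response would leave only `deny all;` in the allow-list file. The following is an added example, not code from the cloudflare-nginx-snippets project, that validates the fetched ranges before writing either file. The names `render_directives` and `update_allowlist`, the regular expressions, and the config path argument are assumptions made for illustration.

```bash
# Added example (not the project's code): validate fetched ranges before use.
# Loose syntactic checks: enough to reject anything that is not CIDR-shaped.
V4_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
V6_RE='^[0-9A-Fa-f]*:[0-9A-Fa-f:]*/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'

# Reads fetched ranges on stdin and prints "<directive> <range>;" lines.
# Fails without output if the input is empty or any line is not CIDR-shaped,
# so an error page or truncated response never reaches the nginx config.
render_directives() {
    local directive ranges
    directive=$1
    ranges=$(tr -d '\r' | grep -v '^[[:space:]]*$') || {
        echo "no ranges received" >&2; return 1; }
    if printf '%s\n' "$ranges" | grep -Evq -e "$V4_RE" -e "$V6_RE"; then
        echo "unexpected line in fetched ranges" >&2; return 1
    fi
    printf '%s\n' "$ranges" | sed "s/.*/$directive &;/"
}

# Hypothetical wrapper: fetch both lists, build the allow-list, swap it in.
# $1 is the config file path (assumed to be supplied by the caller).
update_allowlist() {
    local config_file v4 v6 rules tmp
    config_file=$1
    # -f makes curl fail on HTTP errors instead of returning the error body
    v4=$(curl -fsS --max-time 10 https://www.cloudflare.com/ips-v4) || return 1
    v6=$(curl -fsS --max-time 10 https://www.cloudflare.com/ips-v6) || return 1
    rules=$(printf '%s\n%s\n' "$v4" "$v6" | render_directives allow) || return 1
    # Write beside the target, then rename: the live file is never half-written
    tmp=$(mktemp "$config_file.XXXXXX") || return 1
    printf '%s\ndeny all;\n' "$rules" > "$tmp" || return 1
    chmod 644 "$tmp" && mv "$tmp" "$config_file" || return 1
    nginx -t && systemctl reload nginx
}
```

Calling `render_directives set_real_ip_from` gives the same protection for the real-IP file, where an unvalidated line would extend header trust to an address outside Cloudflare.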
By effortlessly automating the synchronisation of Cloudflare’s IP addresses, cloudflare-nginx-snippets ensures your Nginx server is reliable, secure, and correctly configured. This project handles the mundane but essential task of keeping your IP lists current so you can focus on more critical aspects of your server management.