Cloudflare real visitor IP support in Nginx config #198
Comments
Here's an overview of the problem from Cloudflare: ...and their Nginx config example:
The docs are messy but it also contains this note, possibly for Apache:
They also warn: That list of prefixes needs to be updated regularly, and we publish the full list in Cloudflare IP addresses.
And here's the sort of de facto semi-official Nginx config that I've seen shared:
is indeed for Apache. There are no other modifications needed to be done in vanilla NGINX that's prepackaged by most distros except adding the real_ip_header and set_real_ip. NGINX's logs will use the actual client IP when that's used. I really wish for this to be pushed forward, as many features rely on PHP's
Without testing this entirely, I think we can simply swap out:
For this:
....in the nginx.conf and it should be fine... it would be up to each sysadmin to ensure those work (for now).
We've copied over The following line is now added to
We force deleted the old In the future we should validate the
Hey @jessuppi I'd like to enable a custom featurepolicy for my nginx config, but have no idea what that config should look like 😅 I know I need this header to look like:
I've edited the nginx.conf file for now, but I'm looking at a more long-term solution, so the
@vivianedias Okay we will add that shortly after testing, please open a different Issue if any further feedback --
If anyone wants to contribute toward example https://github.com/littlebizzy/slickstack/blob/master/modules/nginx/includes/cloudflare-conf.txt
I say automatically generate contents via a script that fetches Cloudflare's IPv6 and IPv4 list.
You're right @NathanAdhitya ... coming soon: https://github.com/littlebizzy/slickstack/blob/master/bash/ss-install-nginx-cloudflare-ips.txt
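An added example of the generation step suggested above (not SlickStack's script and not code posted in this thread): it turns a prefix list into `set_real_ip_from` lines and emits nothing if any entry is malformed or the list is empty, so a failed download cannot replace a working include. The function names and sample prefixes are assumptions made up for illustration; `CF-Connecting-IP` is the request header Cloudflare sets.

```shell
#!/bin/sh
# Added example, not SlickStack's script. Function names are hypothetical.

# is_valid_cidr PREFIX: succeed only for a well-formed IPv4 or IPv6 CIDR.
# This is a conservative syntax check; `nginx -t` remains the final authority.
is_valid_cidr() {
    addr=${1%/*}; len=${1##*/}
    [ "$addr" != "$1" ] || return 1                  # no slash at all
    case "$len" in ''|*[!0-9]*) return 1 ;; esac     # prefix length must be digits
    case "$addr" in
        *:*)  # IPv6; a /0 would trust every client, so the minimum is /1
            [ "$len" -ge 1 ] && [ "$len" -le 128 ] || return 1
            printf '%s' "$addr" | grep -Eq '^[0-9a-fA-F]{1,4}(:[0-9a-fA-F]{0,4}){1,7}$' ;;
        *)    # IPv4
            [ "$len" -ge 1 ] && [ "$len" -le 32 ] || return 1
            printf '%s' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
            old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
            for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done ;;
    esac
}

# gen_realip_conf: read one CIDR per line on stdin, write nginx directives to
# stdout. All-or-nothing: one bad line (an HTML error page, an injected
# directive) or an empty list rejects the whole input.
gen_realip_conf() {
    out=''; count=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')     # tolerate CRLF downloads
        [ -n "$line" ] || continue
        is_valid_cidr "$line" || { echo "rejecting list: bad entry" >&2; return 1; }
        out="${out}set_real_ip_from ${line};
"
        count=$((count + 1))
    done
    [ "$count" -gt 0 ] || { echo "rejecting list: empty" >&2; return 1; }
    printf '%sreal_ip_header CF-Connecting-IP;\n' "$out"
}

# Constructed sample input (documentation ranges, not Cloudflare's real
# prefixes). In real use the input is the IPv4 and IPv6 lists Cloudflare
# publishes, fetched separately by the caller.
sample_list() { printf '192.0.2.0/24\n198.51.100.0/24\n2001:db8::/32\n'; }
sample_list | gen_realip_conf
```

Keep the previous include in place until the regenerated one passes `nginx -t`.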
An interesting Issue on @ergin repo shows how to pass real IPs while blocking non-Cloudflare, which is quite interesting and worth exploring later:
My pragmatic way is to literally block non-cloudflare IPs to port 443 with ufw/iptables. In short, implicit deny, allow from cloudflare IPs.
Okay this is now supported as of build version You can also run Next, we will add this task to the cron jobs interval...
Done!
Also a point of clarification, that Future comments welcome, for now this is complete.
Some users have mentioned that SlickStack doesn't support the "real IPs" feature from Cloudflare, which will send the visitor's real IP address to the origin server for diagnostics, or for determining proper country, etc.
Personally I have several WooCommerce clients using country detection plugins who I think never had any problem with SlickStack's default config, I guess because these plugins use third party tracking javascript and such (based on my memory only) so they don't require Nginx to get involved.
But some users are saying they still would like to be able to see real IPs for security/logging reasons.
I'm not sure the privacy/GDPR/etc concerns with this stuff, but it's still probably a feature we should get working properly, but perhaps keep it disabled by default?