Nginx: Difference between revisions
Revision by Makefu (minor edit: spacing)
Revision by Georgyo (no edit summary)
};
</syntaxhighlight>
==== Using realip when behind Cloudflare or other CDN ====
When nginx sits behind another proxy it does not see the client's own address: every connection arrives from the proxy, so <code>$remote_addr</code> (and with it access logs, rate limits and <code>allow</code>/<code>deny</code> rules) holds the proxy's address rather than the client's. The nginx realip module replaces that address with the one carried in a header the proxy sets, and <code>set_real_ip_from</code> restricts which peers nginx believes: the header is only honoured when the TCP connection itself comes from one of the listed ranges. That restriction is the security-relevant part, because anyone who can reach the origin directly can send an arbitrary <code>CF-Connecting-IP</code> header; without the allow-list a direct client could forge its address. (Blocking direct access to the origin at the firewall is still advisable, but is a separate matter.)
The example below fetches Cloudflare's published lists at build time with <code>pkgs.fetchurl</code>, pinned by hash. This has pros and cons. Because <code>fetchurl</code> is a fixed-output derivation, Nix never re-downloads or updates the file while its output is in the store, so the configuration is reproducible and rebuilds offline; but if Cloudflare changes the list you only find out once the store path is gone (after a garbage collection, or on a fresh machine), when the rebuild fails with a hash mismatch instead of silently applying a stale list. When that happens, re-pin with <code>nix-prefetch-url https://www.cloudflare.com/ips-v4</code> (and likewise for <code>ips-v6</code>) and update the hashes below. Until you do, the running configuration keeps the old list, so requests arriving from any Cloudflare range added since then are treated as untrusted and logged with the edge's address.
<syntaxhighlight lang="nix">
# `lib` and `pkgs` are the usual module arguments ({ config, lib, pkgs, ... }:).
services.nginx.commonHttpConfig =
  let
    # One `set_real_ip_from` directive per trusted proxy range.
    realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from ${x};");
    # The lists hold one CIDR per line. Empty lines are dropped so that a
    # trailing newline cannot turn into the invalid directive `set_real_ip_from ;`.
    fileToList = x: lib.filter (s: s != "") (lib.strings.splitString "\n" (builtins.readFile x));
    # Hash-pinned copies of Cloudflare's published ranges. When Cloudflare
    # changes a list, the next fetch fails with a hash mismatch and the
    # sha256 below has to be updated (e.g. via nix-prefetch-url).
    cfipv4 = fileToList (pkgs.fetchurl {
      url = "https://www.cloudflare.com/ips-v4";
      sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
    });
    cfipv6 = fileToList (pkgs.fetchurl {
      url = "https://www.cloudflare.com/ips-v6";
      sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
    });
  in
  ''
    ${realIpsFromList cfipv4}
    ${realIpsFromList cfipv6}
    # Only honoured for connections coming from the ranges listed above.
    real_ip_header CF-Connecting-IP;
  '';
</syntaxhighlight>
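The following Python script is an added example (it is not from this page, from nginx or from Cloudflare) that models the trust decision the configuration above sets up, so you can check your expectations offline: a <code>CF-Connecting-IP</code> header is honoured only when the TCP peer lies inside a <code>set_real_ip_from</code> range, otherwise the peer's own address is kept. The CIDR lists and requests in it are constructed sample data (the ranges follow the one-CIDR-per-line format of Cloudflare's <code>ips-v4</code>/<code>ips-v6</code> files but are not a current copy of them), and the list parser also shows the blank-line edge case that a naive split on newlines would turn into an invalid directive.

```python
"""Model of nginx's realip trust decision for a CDN-fronted origin.

Added example, not code from the NixOS wiki page, nginx or Cloudflare.
It mimics what `set_real_ip_from` + `real_ip_header CF-Connecting-IP` do,
so the effect of the trusted-proxy list can be seen without a live server.
"""
import ipaddress

# Constructed stand-ins for the downloaded ips-v4 / ips-v6 files (assumed
# sample ranges, not a current copy of Cloudflare's lists). The trailing
# newline is deliberate: a naive split on "\n" yields an empty entry, which
# would become the invalid directive `set_real_ip_from ;`.
SAMPLE_IPS_V4 = "173.245.48.0/20\n103.21.244.0/22\n"
SAMPLE_IPS_V6 = "2400:cb00::/32\n2606:4700::/32\n"


def parse_ip_list(text: str) -> list:
    """One CIDR per line; blank lines are skipped; a malformed entry raises."""
    return [ipaddress.ip_network(line.strip())
            for line in text.splitlines() if line.strip()]


def render_set_real_ip_from(networks) -> str:
    """Same output as the page's realIpsFromList: one directive per range."""
    return "\n".join(f"set_real_ip_from {n};" for n in networks)


def is_trusted_peer(peer: str, trusted) -> bool:
    """True when the TCP peer address falls inside any trusted range."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in trusted)


def real_client_ip(peer: str, headers: dict, trusted,
                   header: str = "CF-Connecting-IP") -> str:
    """Return what $remote_addr becomes after the realip module has run.

    The header is consulted only when the peer is inside a set_real_ip_from
    range; for every other connection it is ignored, which is what prevents
    a client that reaches the origin directly from spoofing its address.
    A header that does not parse as an address is ignored as well.
    """
    if not is_trusted_peer(peer, trusted):
        return peer
    # Header names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(header.lower())
    if value is None:
        return peer
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return peer


def demo() -> dict:
    """Run constructed requests through the model and return the outcomes."""
    trusted = parse_ip_list(SAMPLE_IPS_V4) + parse_ip_list(SAMPLE_IPS_V6)
    cases = {
        # Request relayed by a peer inside a trusted range: header honoured.
        "via_cdn": ("173.245.48.10", {"CF-Connecting-IP": "198.51.100.7"}),
        # Direct connection with a forged header: header ignored, peer kept.
        "direct_spoof": ("203.0.113.9", {"CF-Connecting-IP": "198.51.100.7"}),
        # Same rule for an IPv6 edge address.
        "cdn_ipv6": ("2606:4700::1234", {"cf-connecting-ip": "2001:db8::1"}),
        # Trusted peer but unparsable header value: peer address kept.
        "cdn_bad_header": ("173.245.48.10", {"CF-Connecting-IP": "not-an-ip"}),
    }
    return {name: real_client_ip(peer, hdrs, trusted)
            for name, (peer, hdrs) in cases.items()}


if __name__ == "__main__":
    print(render_set_real_ip_from(parse_ip_list(SAMPLE_IPS_V4)))
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The <code>direct_spoof</code> case is the one that matters: with the peer outside every trusted range the forged header has no effect, which is exactly what the <code>set_real_ip_from</code> lines generated from the pinned Cloudflare lists enforce in the real configuration.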
<hr />