Set client real IP for nginx behind Cloudflare.

Since Cloudflare acts as a reverse proxy, all connections come from one of Cloudflare's IP addresses. Cloudflare includes the originating IP address in the CF-Connecting-IP header.

This script, enabled in the cron, allow automatically maintaining an up to date list of Cloudflare ip addresses and reloading nginx if these addresses changed after update.

First block of generated files, /etc/nginx/include/cloudflare.conf, /etc/nginx/include/cloudflare_ipv4.conf, /etc/nginx/include/cloudflare_ipv6.conf, contains settings for nginx realip module, allowing nginx to restore real client IP from the CF-Connecting-IP header.

Second block of generated files, /etc/nginx/include/from_cloudflare.conf, /etc/nginx/include/from_cloudflare_ipv4.conf, /etc/nginx/include/from_cloudflare_ipv6.conf, contains settings for nginx realip module, but only set_real_ip_from directives, allowing to manually configure real_ip_header directive to use X-Forwarded-For header from Cloudflare or True-Client-IP header from Cloudflare or CF-Connecting-IP header from Cloudflare, or any other future HTTP request headers, added by Cloudflare to proxied request from client.

Third block of generated files, /etc/nginx/include/not_cloudflare.conf, /etc/nginx/include/not_cloudflare_ipv4.conf, /etc/nginx/include/not_cloudflare_ipv6.conf, contains settings for nginx geo module, allow blocking all non-cloudflare IPs in server context, blocking direct access to site, if anyone will try to bypassing Cloudflare. Such blocking at nginx level may be required, if nftables-tool not used, and system nftables permits simultaneously both types of connections - for some sites - direct connections from clients, and for some sites - only proxied connections via IP addresses from Cloudflare networks. In this case - not_cloudflare.conf files can help to permit only requests from Cloudflare IPs for some sites with minimal overhead.

dnf -y remove python-unversioned-command ; \
dnf -y install python3.11 python3.11-pip ; \
ln -sf /usr/bin/python3.11 /usr/bin/python ; \
ln -sf /usr/bin/pip3.11 /usr/bin/pip ; \
pip install --no-input --upgrade-strategy eager --upgrade Jinja2 requests invoke ; \
cd /opt ; git clone https://github.com/makhomed/nginx-cloudflare.git

pip install --no-input --upgrade-strategy eager --upgrade Jinja2 requests invoke ; \
cd /opt/nginx-cloudflare ; git pull

/opt/nginx-cloudflare/nginx-cloudflare

or

/opt/nginx-cloudflare/nginx-cloudflare 172.21.0.0/16 2001:DB8:11:22::/64 2001:DB8:99:77::/64

Configure cron job, for example, in file /etc/cron.d/nginx-cloudflare:

RANDOM_DELAY=360

0 0 * * * root /opt/nginx-cloudflare/nginx-cloudflare

or

RANDOM_DELAY=360

0 0 * * * root /opt/nginx-cloudflare/nginx-cloudflare 172.21.0.0/16 2001:DB8:1:2::/64 2001:DB8:8:9::/64

    include /etc/nginx/include/cloudflare.conf;

    geo $realip_remote_addr $not_cloudflare {
        include /etc/nginx/include/not_cloudflare.conf;
    }

    if ($not_cloudflare) { return 444; }