From 01f83ec708e6b97e7f11563d0b9bd59d627f9768 Mon Sep 17 00:00:00 2001
From: Eric Nemchik
Date: Mon, 16 Jan 2023 10:42:58 -0600
Subject: [PATCH 1/4] Add 127.0.0.1 and format shell scripts
---
 README.md | 28 ++-----------------
 root/etc/cont-init.d/98-cloudflare-real-ip | 17 ++++++++---
 .../run | 17 ++++++++---
 3 files changed, 29 insertions(+), 33 deletions(-)
diff --git a/README.md b/README.md
index cec2287..4a3c6de 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # cloudflare_real-ip - Docker mod for SWAG
 
-This mod adds a startup script that gets the IPs from Cloudflare's edge servers, and formats them in a format Nginx can use with `set_real_ip_from`.
+This mod adds a startup script that gets the IPs from Cloudflare's edge servers, and outputs them in a format Nginx can use with `set_real_ip_from`.
 
 It reads this [list for IPv4](https://www.cloudflare.com/ips-v4), and this [list for IPV6](https://www.cloudflare.com/ips-v6).
 
@@ -22,31 +22,9 @@ include /config/nginx/cf_real-ip.conf;
 
 ~~I also recommend including your docker-network as a valid ip `set_real_ip_from 172.17.0.0/16;` in the snippet above.~~
 
-This mod now also *tries* to set the real ip from the interfaces in the container.
-
-## Cloudflare tunnels
-
-In case you use Cloudflare tunnels, real IP might be reported in containers as 127.0.0.1.
-In this case, please add below to `http` section of `nginx.conf`.
-
-From:
-
-
-```nginx
-real_ip_header X-Forwarded-For;
-real_ip_recursive on;
-include /config/nginx/cf_real-ip.conf;
-```
-
-to:
-
-```nginx
-real_ip_header X-Forwarded-For;
-real_ip_recursive on;
-include /config/nginx/cf_real-ip.conf;
-set_real_ip_from 127.0.0.1;
-```
+This mod now adds `127.0.0.1` and *tries* to add the real ip from the interfaces in the container.
 
 ## Versions
 
+* **16.01.23:** - Add 127.0.0.1 and format shell scripts.
 * **21.01.21:** - Fix bug when mod runs before internet-access.
diff --git a/root/etc/cont-init.d/98-cloudflare-real-ip b/root/etc/cont-init.d/98-cloudflare-real-ip
index 03f0f2d..9dd64c1 100644
--- a/root/etc/cont-init.d/98-cloudflare-real-ip
+++ b/root/etc/cont-init.d/98-cloudflare-real-ip
@@ -1,9 +1,18 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
-# shellcheck disable=SC2046
 
-printf "set_real_ip_from %b;\n" $(curl -s "https://api.cloudflare.com/client/v4/ips" | jq -r '.result.ipv4_cidrs[]') > /config/nginx/cf_real-ip.conf
-printf "set_real_ip_from %b;\n" $(curl -s "https://api.cloudflare.com/client/v4/ips" | jq -r '.result.ipv6_cidrs[]') >> /config/nginx/cf_real-ip.conf
-printf "set_real_ip_from %b;\n" $(ip route | grep -v default | awk '{print $1}') >> /config/nginx/cf_real-ip.conf
+echo "set_real_ip_from 127.0.0.1;" >/config/nginx/cf_real-ip.conf
+
+ip route | grep -v default | awk '{print $1}' | while IFS= read -r line; do
+ echo "set_real_ip_from ${line};" >>/config/nginx/cf_real-ip.conf
+done
+
+curl -s "https://api.cloudflare.com/client/v4/ips" | jq -r '.result.ipv4_cidrs[]' | while IFS= read -r line; do
+ echo "set_real_ip_from ${line};" >>/config/nginx/cf_real-ip.conf
+done
+
+curl -s "https://api.cloudflare.com/client/v4/ips" | jq -r '.result.ipv6_cidrs[]' | while IFS= read -r line; do
+ echo "set_real_ip_from ${line};" >>/config/nginx/cf_real-ip.conf
+done
 
 chown abc:abc /config/nginx/cf_real-ip.conf
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-cloudflare-real-ip-setup/run b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-cloudflare-real-ip-setup/run
index 03f0f2d..9dd64c1 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-cloudflare-real-ip-setup/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-cloudflare-real-ip-setup/run
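Review bot: The two `curl -s ... | jq -r ... | while read` pipelines added to `root/etc/cont-init.d/98-cloudflare-real-ip` write whatever the request yields into the nginx trust list with no failure or format check. `curl -s` without `-f` hides HTTP errors, the script sets no `pipefail`, and each `${line}` goes into a `set_real_ip_from` directive as-is, so a failed or malformed response silently produces a file with no Cloudflare ranges or with a line nginx rejects. I would fetch the document once, add nothing when the fetch fails, and accept only values shaped like a CIDR before writing them. The same loops are added to `init-mod-swag-cloudflare-real-ip-setup/run` in this patch and stay as context in patch 4/4.

```shell
# … unchanged: shebang, 127.0.0.1 line, ip route loop …
if cf_ips=$(curl -fsS --max-time 10 "https://api.cloudflare.com/client/v4/ips"); then
    jq -r '.result.ipv4_cidrs[], .result.ipv6_cidrs[]' <<<"${cf_ips}" |
        grep -E '^[0-9A-Fa-f:.]+/[0-9]+$' |
        while IFS= read -r line; do
            echo "set_real_ip_from ${line};" >>/config/nginx/cf_real-ip.conf
        done
else
    echo "cloudflare-real-ip: could not fetch the Cloudflare IP list" >&2
fi
# … unchanged: chown …
```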
@@ -1,9 +1,18 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
-# shellcheck disable=SC2046
 
-printf "set_real_ip_from %b;\n" $(curl -s "https://api.cloudflare.com/client/v4/ips" | jq -r '.result.ipv4_cidrs[]') > /config/nginx/cf_real-ip.conf
-printf "set_real_ip_from %b;\n" $(curl -s "https://api.cloudflare.com/client/v4/ips" | jq -r '.result.ipv6_cidrs[]') >> /config/nginx/cf_real-ip.conf
-printf "set_real_ip_from %b;\n" $(ip route | grep -v default | awk '{print $1}') >> /config/nginx/cf_real-ip.conf
+echo "set_real_ip_from 127.0.0.1;" >/config/nginx/cf_real-ip.conf
+
+ip route | grep -v default | awk '{print $1}' | while IFS= read -r line; do
+ echo "set_real_ip_from ${line};" >>/config/nginx/cf_real-ip.conf
+done
+
+curl -s "https://api.cloudflare.com/client/v4/ips" | jq -r '.result.ipv4_cidrs[]' | while IFS= read -r line; do
+ echo "set_real_ip_from ${line};" >>/config/nginx/cf_real-ip.conf
+done
+
+curl -s "https://api.cloudflare.com/client/v4/ips" | jq -r '.result.ipv6_cidrs[]' | while IFS= read -r line; do
+ echo "set_real_ip_from ${line};" >>/config/nginx/cf_real-ip.conf
+done
 
 chown abc:abc /config/nginx/cf_real-ip.conf
From 517ec0bcc5d24720348925776256c6f98b331ebb Mon Sep 17 00:00:00 2001
From: Eric Nemchik
Date: Mon, 16 Jan 2023 10:44:40 -0600
Subject: [PATCH 2/4] Add note about other containers
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index 4a3c6de..8156ca3 100644
--- a/README.md
+++ b/README.md
@@ -20,6 +20,8 @@ real_ip_recursive on;
 include /config/nginx/cf_real-ip.conf;
 ```
 
+You may also need to add this mod (and the above config changes) to every nginx based container being proxied by SWAG.
+
 ~~I also recommend including your docker-network as a valid ip `set_real_ip_from 172.17.0.0/16;` in the snippet above.~~
 
 This mod now adds `127.0.0.1` and *tries* to add the real ip from the interfaces in the container.
From cbaeba4c7d986295cbf347393762e479694e117d Mon Sep 17 00:00:00 2001
From: Eric Nemchik
Date: Mon, 16 Jan 2023 12:30:42 -0600
Subject: [PATCH 3/4] Update README.md
---
 README.md | 2 --
 1 file changed, 2 deletions(-)
diff --git a/README.md b/README.md
index 8156ca3..0beb8df 100644
--- a/README.md
+++ b/README.md
@@ -22,8 +22,6 @@ include /config/nginx/cf_real-ip.conf;
 
 You may also need to add this mod (and the above config changes) to every nginx based container being proxied by SWAG.
 
-~~I also recommend including your docker-network as a valid ip `set_real_ip_from 172.17.0.0/16;` in the snippet above.~~
-
 This mod now adds `127.0.0.1` and *tries* to add the real ip from the interfaces in the container.
 
 ## Versions
From cb4d33c76e721b32e341b753c34c41b03c7bf567 Mon Sep 17 00:00:00 2001
From: Eric Nemchik
Date: Tue, 17 Jan 2023 08:06:42 -0600
Subject: [PATCH 4/4] Don't add 127.0.0.1 Adjust readme
---
 README.md | 28 +++++++++++++++++--
 root/etc/cont-init.d/98-cloudflare-real-ip | 10 +++----
 .../run | 10 +++----
 3 files changed, 35 insertions(+), 13 deletions(-)
diff --git a/README.md b/README.md
index 0beb8df..bbacc71 100644
--- a/README.md
+++ b/README.md
@@ -20,11 +20,33 @@ real_ip_recursive on;
 include /config/nginx/cf_real-ip.conf;
 ```
 
-You may also need to add this mod (and the above config changes) to every nginx based container being proxied by SWAG.
+This mod also *tries* to detect the real ip from the interfaces in the container.
 
-This mod now adds `127.0.0.1` and *tries* to add the real ip from the interfaces in the container.
+You may need to add this mod (and the above config changes) to every nginx based container being proxied by SWAG.
+
+## Cloudflare tunnels
+
+In case you use Cloudflare tunnels, real IP might be reported in containers as 127.0.0.1.
+In this case, please add below to `http` section of `nginx.conf`.
+
+From:
+
+```nginx
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;
+include /config/nginx/cf_real-ip.conf;
+```
+
+to:
+
+```nginx
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;
+include /config/nginx/cf_real-ip.conf;
+set_real_ip_from 127.0.0.1;
+```
 
 ## Versions
 
-* **16.01.23:** - Add 127.0.0.1 and format shell scripts.
+* **16.01.23:** - Format shell scripts.
 * **21.01.21:** - Fix bug when mod runs before internet-access.
diff --git a/root/etc/cont-init.d/98-cloudflare-real-ip b/root/etc/cont-init.d/98-cloudflare-real-ip
index 9dd64c1..4155fa6 100644
--- a/root/etc/cont-init.d/98-cloudflare-real-ip
+++ b/root/etc/cont-init.d/98-cloudflare-real-ip
@@ -1,11 +1,7 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
 
-echo "set_real_ip_from 127.0.0.1;" >/config/nginx/cf_real-ip.conf
-
-ip route | grep -v default | awk '{print $1}' | while IFS= read -r line; do
- echo "set_real_ip_from ${line};" >>/config/nginx/cf_real-ip.conf
-done
+echo "" >/config/nginx/cf_real-ip.conf
 
 curl -s "https://api.cloudflare.com/client/v4/ips" | jq -r '.result.ipv4_cidrs[]' | while IFS= read -r line; do
 echo "set_real_ip_from ${line};" >>/config/nginx/cf_real-ip.conf
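Review bot: `echo "" >/config/nginx/cf_real-ip.conf` in `98-cloudflare-real-ip` empties the live include before anything has been fetched, so when the Cloudflare request fails (the changelog mentions the mod running before internet access) the previous list is lost and only the route entries get written. Building the list in a scratch file and renaming it at the end keeps the last good copy: `tmp=$(mktemp /config/nginx/cf_real-ip.conf.XXXXXX)`, append to `"${tmp}"` in the loops, and `mv "${tmp}" /config/nginx/cf_real-ip.conf` before the `chown`. If plain truncation is all that is wanted, `: >/config/nginx/cf_real-ip.conf` does it without leaving a blank first line. The script continues past this hunk, and the `run` copy of the script gets the same line.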
@@ -15,4 +11,8 @@ curl -s "https://api.cloudflare.com/client/v4/ips" | jq -r '.result.ipv6_cidrs[]
 echo "set_real_ip_from ${line};" >>/config/nginx/cf_real-ip.conf
 done
 
+ip route | grep -v default | awk '{print $1}' | while IFS= read -r line; do
+ echo "set_real_ip_from ${line};" >>/config/nginx/cf_real-ip.conf
+done
+
 chown abc:abc /config/nginx/cf_real-ip.conf
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-cloudflare-real-ip-setup/run b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-cloudflare-real-ip-setup/run
index 9dd64c1..4155fa6 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-mod-swag-cloudflare-real-ip-setup/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-mod-swag-cloudflare-real-ip-setup/run
@@ -1,11 +1,7 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
 
-echo "set_real_ip_from 127.0.0.1;" >/config/nginx/cf_real-ip.conf
-
-ip route | grep -v default | awk '{print $1}' | while IFS= read -r line; do
- echo "set_real_ip_from ${line};" >>/config/nginx/cf_real-ip.conf
-done
+echo "" >/config/nginx/cf_real-ip.conf
 
 curl -s "https://api.cloudflare.com/client/v4/ips" | jq -r '.result.ipv4_cidrs[]' | while IFS= read -r line; do
 echo "set_real_ip_from ${line};" >>/config/nginx/cf_real-ip.conf
@@ -15,4 +11,8 @@ curl -s "https://api.cloudflare.com/client/v4/ips" | jq -r '.result.ipv6_cidrs[]
 echo "set_real_ip_from ${line};" >>/config/nginx/cf_real-ip.conf
 done
 
+ip route | grep -v default | awk '{print $1}' | while IFS= read -r line; do
+ echo "set_real_ip_from ${line};" >>/config/nginx/cf_real-ip.conf
+done
+
 chown abc:abc /config/nginx/cf_real-ip.conf
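Review bot: The re-added `ip route | grep -v default | awk '{print $1}'` loop in `98-cloudflare-real-ip` marks every non-default route of the container as a trusted proxy source, which deserves a comment and a narrower filter. With `real_ip_header X-Forwarded-For` and `real_ip_recursive on` from the README, any peer on those networks can supply the header and nginx will take the client address from it, which matters wherever allow/deny rules, rate limits or ban tooling key on the client IP. A comment such as `# Trust the container's own networks as proxy hops; any host on them can set X-Forwarded-For` would make that explicit. The first field is also written unchecked, so a route line that begins with a type keyword (for example `unreachable`), if one exists, would put a non-address token into the config; `awk '$1 ~ /^[0-9.]+(\/[0-9]+)?$/ {print $1}'` keeps only addresses. The same loop is moved in `init-mod-swag-cloudflare-real-ip-setup/run`.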