Added an optional Cloudflare mechanism for real visitor ip (#697)

* Update nginx.conf

* Update nginx.conf

* Update nginx.conf

* Update nginx.conf

* Update run.sh

* Update run.sh

* Update run.sh

* Update run.sh

* Update nginx.conf

* Update run.sh

* Update config.json

* Update Dockerfile

* Update run.sh

* Update run.sh

* Update run.sh

* Update run.sh

* Update config.json

* Update CHANGELOG.md

* Update run.sh

* Update run.sh

* Update config.json

* Update run.sh

* Update run.sh

* Update config.json

* Update config.json

* Update CHANGELOG.md

nginx_proxy/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 2.4
+
+- Added Cloudflare mechanism for creating auto-generated ipv4/ipv6 list for real visitor ip
+
 ## 2.3
 
 - Fix issue with nginx warning for ssl directive

nginx_proxy/Dockerfile

@@ -2,7 +2,7 @@ ARG BUILD_FROM
 FROM $BUILD_FROM
 
 # Setup base
-RUN apk add --no-cache nginx openssl
+RUN apk add --no-cache nginx openssl curl
 
 # Copy data
 COPY data/run.sh /

nginx_proxy/config.json

@@ -1,6 +1,6 @@
 {
   "name": "NGINX Home Assistant SSL proxy",
-  "version": "2.3",
+  "version": "2.4",
   "slug": "nginx_proxy",
   "description": "An SSL/TLS proxy",
   "url": "https://home-assistant.io/addons/nginx_proxy/",
@@ -17,6 +17,7 @@
     "certfile": "fullchain.pem",
     "keyfile": "privkey.pem",
     "hsts": "max-age=31536000; includeSubDomains",
+    "cloudflare": false,
     "customize": {
       "active": false,
       "default": "nginx_proxy_default*.conf",
@@ -28,6 +29,7 @@
     "certfile": "str",
     "keyfile": "str",
     "hsts": "str",
+    "cloudflare": "bool",
     "customize": {
       "active": "bool",
       "default": "str",

nginx_proxy/data/nginx.conf

@@ -13,7 +13,9 @@ http {
     }
     
     server_names_hash_bucket_size 64;
-
+	
+    #include /data/cloudflare.conf;
+	
     server {
         server_name _;
         listen [::]:80 default_server ipv6only=off;

nginx_proxy/data/run.sh

@@ -7,11 +7,14 @@ DHPARAMS_PATH=/data/dhparams.pem
 SNAKEOIL_CERT=/data/ssl-cert-snakeoil.pem
 SNAKEOIL_KEY=/data/ssl-cert-snakeoil.key
 
+CLOUDFLARE_CONF=/data/cloudflare.conf
+
 DOMAIN=$(jq --raw-output ".domain" $CONFIG_PATH)
 KEYFILE=$(jq --raw-output ".keyfile" $CONFIG_PATH)
 CERTFILE=$(jq --raw-output ".certfile" $CONFIG_PATH)
 HSTS=$(jq --raw-output ".hsts // empty" $CONFIG_PATH)
 CUSTOMIZE_ACTIVE=$(jq --raw-output ".customize.active" $CONFIG_PATH)
+CLOUDFLARE=$(jq --raw-output ".cloudflare" $CONFIG_PATH)
 
 # Generate dhparams
 if [ ! -f "$DHPARAMS_PATH" ]; then
@@ -24,6 +27,30 @@ if [ ! -f "$SNAKEOIL_CERT" ]; then
     openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout $SNAKEOIL_KEY -out $SNAKEOIL_CERT -subj '/CN=localhost'
 fi
 
+if [ "$CLOUDFLARE" == "true" ]; then
+    sed -i "s|#include /data/cloudflare.conf;|include /data/cloudflare.conf;|" /etc/nginx.conf
+    # Generate cloudflare.conf
+    if [ ! -f "$CLOUDFLARE_CONF" ]; then
+        echo "[INFO] Creating 'cloudflare.conf' for real visitor IP address..."
+        echo "# Cloudflare IP addresses" > $CLOUDFLARE_CONF;
+        echo "" >> $CLOUDFLARE_CONF;
+
+        echo "# - IPv4" >> $CLOUDFLARE_CONF;
+        for i in $(curl https://www.cloudflare.com/ips-v4); do
+            echo "set_real_ip_from ${i};" >> $CLOUDFLARE_CONF;
+        done
+        
+        echo "" >> $CLOUDFLARE_CONF;
+        echo "# - IPv6" >> $CLOUDFLARE_CONF;
+        for i in $(curl https://www.cloudflare.com/ips-v6); do
+            echo "set_real_ip_from ${i};" >> $CLOUDFLARE_CONF;
+        done
+        
+        echo "" >> $CLOUDFLARE_CONF;
+        echo "real_ip_header CF-Connecting-IP;" >> $CLOUDFLARE_CONF;
+    fi
+fi
+
 # Prepare config file
 sed -i "s/%%FULLCHAIN%%/$CERTFILE/g" /etc/nginx.conf
 sed -i "s/%%PRIVKEY%%/$KEYFILE/g" /etc/nginx.conf