Added an optional Cloudflare mechanism for real visitor ip (#697)

* Update nginx.conf * Update nginx.conf * Update nginx.conf * Update nginx.conf * Update run.sh * Update run.sh * Update run.sh * Update run.sh * Update nginx.conf * Update run.sh * Update config.json * Update Dockerfile * Update run.sh * Update run.sh * Update run.sh * Update run.sh * Update config.json * Update CHANGELOG.md * Update run.sh * Update run.sh * Update config.json * Update run.sh * Update run.sh * Update config.json * Update config.json * Update CHANGELOG.md
2025-12-17 13:14:21 +01:00 · 2019-09-19 09:53:08 +02:00
parent 5d201fed0c
commit a9e4163670
5 changed files with 38 additions and 3 deletions
--- a/nginx_proxy/CHANGELOG.md
+++ b/nginx_proxy/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog

+## 2.4
+
+- Added Cloudflare mechanism for creating auto-generated ipv4/ipv6 list for real visitor ip
+
 ## 2.3

 - Fix issue with nginx warning for ssl directive
--- a/nginx_proxy/Dockerfile
+++ b/nginx_proxy/Dockerfile
@@ -2,7 +2,7 @@ ARG BUILD_FROM
 FROM $BUILD_FROM

 # Setup base
-RUN apk add --no-cache nginx openssl
+RUN apk add --no-cache nginx openssl curl

 # Copy data
 COPY data/run.sh /
--- a/nginx_proxy/config.json
+++ b/nginx_proxy/config.json
@@ -1,6 +1,6 @@
 {
  "name": "NGINX Home Assistant SSL proxy",
-  "version": "2.3",
+  "version": "2.4",
  "slug": "nginx_proxy",
  "description": "An SSL/TLS proxy",
  "url": "https://home-assistant.io/addons/nginx_proxy/",
@@ -17,6 +17,7 @@
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem",
    "hsts": "max-age=31536000; includeSubDomains",
+    "cloudflare": false,
    "customize": {
      "active": false,
      "default": "nginx_proxy_default*.conf",
@@ -28,6 +29,7 @@
    "certfile": "str",
    "keyfile": "str",
    "hsts": "str",
+    "cloudflare": "bool",
    "customize": {
      "active": "bool",
      "default": "str",
--- a/nginx_proxy/data/nginx.conf
+++ b/nginx_proxy/data/nginx.conf
@@ -14,6 +14,8 @@ http {
    
    server_names_hash_bucket_size 64;
 	
+    #include /data/cloudflare.conf;
+	
    server {
        server_name _;
        listen [::]:80 default_server ipv6only=off;
--- a/nginx_proxy/data/run.sh
+++ b/nginx_proxy/data/run.sh
@@ -7,11 +7,14 @@ DHPARAMS_PATH=/data/dhparams.pem
 SNAKEOIL_CERT=/data/ssl-cert-snakeoil.pem
 SNAKEOIL_KEY=/data/ssl-cert-snakeoil.key

+CLOUDFLARE_CONF=/data/cloudflare.conf
+
 DOMAIN=$(jq --raw-output ".domain" $CONFIG_PATH)
 KEYFILE=$(jq --raw-output ".keyfile" $CONFIG_PATH)
 CERTFILE=$(jq --raw-output ".certfile" $CONFIG_PATH)
 HSTS=$(jq --raw-output ".hsts // empty" $CONFIG_PATH)
 CUSTOMIZE_ACTIVE=$(jq --raw-output ".customize.active" $CONFIG_PATH)
+CLOUDFLARE=$(jq --raw-output ".cloudflare" $CONFIG_PATH)

 # Generate dhparams
 if [ ! -f "$DHPARAMS_PATH" ]; then
@@ -24,6 +27,30 @@ if [ ! -f "$SNAKEOIL_CERT" ]; then
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout $SNAKEOIL_KEY -out $SNAKEOIL_CERT -subj '/CN=localhost'
 fi

+if [ "$CLOUDFLARE" == "true" ]; then
+    sed -i "s|#include /data/cloudflare.conf;|include /data/cloudflare.conf;|" /etc/nginx.conf
+    # Generate cloudflare.conf
+    if [ ! -f "$CLOUDFLARE_CONF" ]; then
+        echo "[INFO] Creating 'cloudflare.conf' for real visitor IP address..."
+        echo "# Cloudflare IP addresses" > $CLOUDFLARE_CONF;
+        echo "" >> $CLOUDFLARE_CONF;
+
+        echo "# - IPv4" >> $CLOUDFLARE_CONF;
+        for i in $(curl https://www.cloudflare.com/ips-v4); do
+            echo "set_real_ip_from ${i};" >> $CLOUDFLARE_CONF;
+        done
+        
+        echo "" >> $CLOUDFLARE_CONF;
+        echo "# - IPv6" >> $CLOUDFLARE_CONF;
+        for i in $(curl https://www.cloudflare.com/ips-v6); do
+            echo "set_real_ip_from ${i};" >> $CLOUDFLARE_CONF;
+        done
+        
+        echo "" >> $CLOUDFLARE_CONF;
+        echo "real_ip_header CF-Connecting-IP;" >> $CLOUDFLARE_CONF;
+    fi
+fi
+
 # Prepare config file
 sed -i "s/%%FULLCHAIN%%/$CERTFILE/g" /etc/nginx.conf
 sed -i "s/%%PRIVKEY%%/$KEYFILE/g" /etc/nginx.conf