set_real_ip_header for proxy OTHER than Cloudflare with Nginx?

gotdoge

• April 30, 2024 19:45
• Edited

Using ea-nginx. I have websites hosted behind Sucuri's CDN which would require the following to be configured (from https://docs.sucuri.net/website-firewall/troubleshooting/same-ip-for-all-users/):

# Define header with original client IP
real_ip_header X-Forwarded-For;
# Define trusted Firewall IPs
set_real_ip_from 192.88.134.0/23;
set_real_ip_from 185.93.228.0/22;
set_real_ip_from 66.248.200.0/22;
set_real_ip_from 208.109.0.0/22;
set_real_ip_from 2a02:fe80::/29; 

Setting this in the Cloudflare include or a custom server-block file will result in a error such as the following:

nginx: [emerg] "real_ip_header" directive is duplicate in /etc/nginx/conf.d/includes-optional/cloudflare.conf:35
nginx: configuration file /etc/nginx/nginx.conf test failed

Adding it in /etc/nginx/nginx.conf's http block doesn't take effect. Is there any way to get this working while keeping Cloudflare's stuff in place?

• 

  cPRex Jurassic Moderator

  • May 01, 2024 03:42

  Hey there!  I confirmed that commenting out the offending line and then adding the rest works, and doesn't get overwritten with the nightly upcp.  Here is what the bottom of that file looks like on my test server after my changes, using the data you provided above:

  #real_ip_header CF-Connecting-IP;
  # Define header with original client IP
  real_ip_header X-Forwarded-For;
  # Define trusted Firewall IPs
  set_real_ip_from 192.88.134.0/23;
  set_real_ip_from 185.93.228.0/22;
  set_real_ip_from 66.248.200.0/22;
  set_real_ip_from 208.109.0.0/22;
  set_real_ip_from 2a02:fe80::/29;

  Can you try that on your end and see if that works?

  0
• 

  gotdoge

  • May 10, 2024 01:17
  • Edited

  Hi cPRex, that file gets re-generated when the ea-nginx package gets updated. Edited it as outlined and processed available updates which included ea-nginx and it's back to the stock version.

  Ideally, there would be some way to have it so the configuration isn't applied globally in my opinion - or could otherwise be configured on a per-user basis. For example, some hosted domains may use Cloudflare, others may use Sucuri, others may use CloudFront, and so on.

  0
• 

  cPRex Jurassic Moderator

  • May 10, 2024 14:37

  I spoke with some other people this morning and we aren't able to come up with a good workaround for this issue that would be stable and not get overwritten.  Could you submit a ticket so we can do some more in-depth research on this?

  0
• 

  cPRex Jurassic Moderator

  • January 10, 2025 19:43

  Update - our team has created case CPANEL-46343 to explore what options we have to make this possible in the product.  If I hear anything else on my end I'll be sure to post!

  0
• 

  cPRex Jurassic Moderator

  • February 22, 2025 03:46

  Update - the team has a fix, it's being tested right now, and we also have some updated documentation that will be coming with it as well.  At this rate we should have an option available within the next few weeks, depending on how the EasyApache releases go!

  0
• 

  Bihira

  • March 16, 2025 06:17

  I am also interested in this.

  Is there a place where I can follow to see when and which build it has been implemented in?

  0
• 

  cPRex Jurassic Moderator

  • March 17, 2025 14:05

  Update - we have released the documentation so the Cloudflare integration can be disabled - this change is now LIVE in the product:

  https://docs.cpanel.net/knowledge-base/nginx/customize-reverse-proxy-nginx-configurations/#manage-cloudflare-configuration

  0
• 

  Bihira

  • March 20, 2025 01:44

  Just to quote the original post:

  Is there any way to get this working while keeping Cloudflare's stuff in place?

  I want to also keep Cloudflare's integration in place for most sites on the server (so disabling it is non-viable) while allowing for additional or custom CDNs for one or two websites.

  0
• 

  cPRex Jurassic Moderator

  • March 20, 2025 14:30

  As of this time, it's an "all or nothing" setting, so I wouldn't have a way to have some sites use Cloudflare and some use something else.

  0
• 

  gotdoge

  • March 20, 2025 21:08

  Appreciate the release!
  
  Bihira best option would be disabling the Cloudflare portion, then creating a blanket include file for each domain (recommended) or account on the server per https://support.cpanel.net/hc/en-us/articles/360052143374-How-to-customize-a-site-s-NGINX-Server-Block that has the Cloudflare stuff. A little more work, but achieves the same thing. Could use cPanel hooks to automatically set it up when new domains are added or go a cron route to check every so often.
  
  cPRex one last feedback that came to mind: it may be worth exposing a page within cPanel that allows users to manage a domain's individual server block - similar to how Plesk offers an area for users to manage settings. Will submit a feature request for that.

  0

Please sign in to leave a comment.