set_real_ip_header for proxy OTHER than Cloudflare with Nginx?
Using ea-nginx. I have websites hosted behind Sucuri's CDN which would require the following to be configured (from https://docs.sucuri.net/website-firewall/troubleshooting/same-ip-for-all-users/):
# Define header with original client IP
real_ip_header X-Forwarded-For;
# Define trusted Firewall IPs
set_real_ip_from 192.88.134.0/23;
set_real_ip_from 185.93.228.0/22;
set_real_ip_from 66.248.200.0/22;
set_real_ip_from 208.109.0.0/22;
set_real_ip_from 2a02:fe80::/29;
Setting this in the Cloudflare include or a custom server-block file will result in an error such as the following:
nginx: [emerg] "real_ip_header" directive is duplicate in /etc/nginx/conf.d/includes-optional/cloudflare.conf:35
nginx: configuration file /etc/nginx/nginx.conf test failed
Adding it in /etc/nginx/nginx.conf's http block doesn't take effect. Is there any way to get this working while keeping Cloudflare's stuff in place?
-
Hey there! I confirmed that commenting out the offending line and then adding the rest works, and doesn't get overwritten with the nightly upcp. Here is what the bottom of that file looks like on my test server after my changes, using the data you provided above:
#real_ip_header CF-Connecting-IP;
# Define header with original client IP
real_ip_header X-Forwarded-For;
# Define trusted Firewall IPs
set_real_ip_from 192.88.134.0/23;
set_real_ip_from 185.93.228.0/22;
set_real_ip_from 66.248.200.0/22;
set_real_ip_from 208.109.0.0/22;
set_real_ip_from 2a02:fe80::/29;
Can you try that on your end and see if that works?
0 -
Hi cPRex, that file gets re-generated when the ea-nginx package gets updated. Edited it as outlined and processed available updates which included ea-nginx and it's back to the stock version.
Ideally, there would be some way to have it so the configuration isn't applied globally in my opinion - or could otherwise be configured on a per-user basis. For example, some hosted domains may use Cloudflare, others may use Sucuri, others may use CloudFront, and so on.
0 -
I spoke with some other people this morning and we aren't able to come up with a good workaround for this issue that would be stable and not get overwritten. Could you submit a ticket so we can do some more in-depth research on this?
0 -
Update - our team has created case CPANEL-46343 to explore what options we have to make this possible in the product. If I hear anything else on my end I'll be sure to post!
0
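The realip directives quoted in this thread decide which client address ends up in logs and access rules. The Python below is an added example, not code from the thread, cPanel or nginx. It is a simplified model of the documented ngx_http_realip_module behaviour, using the trusted ranges posted above. The function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Trusted proxy ranges copied from the set_real_ip_from lines in the thread.
TRUSTED = [ipaddress.ip_network(n) for n in (
    "192.88.134.0/23", "185.93.228.0/22", "66.248.200.0/22",
    "208.109.0.0/22", "2a02:fe80::/29",
)]

def is_trusted(addr):
    """True if addr falls inside one of the set_real_ip_from ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in TRUSTED)

def effective_client_ip(peer, xff, recursive=False):
    """Address the server would treat as the client.

    peer: TCP source address of the connection.
    xff: X-Forwarded-For header value, or None.
    recursive: models real_ip_recursive on/off (off is the default).
    """
    # The header is only honoured when the connection comes from a trusted proxy.
    if not xff or not is_trusted(peer):
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    chosen = peer
    for hop in reversed(hops):           # walk the list right to left
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break                        # unparsable entry: keep what we have
        chosen = hop
        if not recursive or not is_trusted(hop):
            break                        # non-recursive: rightmost entry only
    return chosen

if __name__ == "__main__":
    # Constructed cases: (peer, X-Forwarded-For, real_ip_recursive)
    cases = [
        ("203.0.113.50", "198.51.100.7", False),              # direct hit on origin
        ("192.88.134.10", "198.51.100.7", False),             # via a trusted range
        ("192.88.134.10", "10.1.2.3, 198.51.100.7", False),   # client-supplied prefix
        ("192.88.134.10", "198.51.100.7, 185.93.228.4", True),
    ]
    for peer, xff, rec in cases:
        print(peer, "|", xff, "| recursive" if rec else "|", "->",
              effective_client_ip(peer, xff, rec))
```

The first case shows why the set_real_ip_from list must contain only the CDN's ranges: a connection from any other address keeps its own source IP regardless of the header it sends.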