For a website served through Cloudflare's CDN, the Nginx web server should be configured to accept connections only from Cloudflare's origin-pull (back-to-origin) IP ranges. This helps protect the site and, to some degree, reduces the chance that the origin IP is discovered by scanning. In the site's Nginx configuration file in the BT (宝塔) panel, place the Cloudflare IP ranges inside server{...} as shown below:
location / {
    allow 173.245.48.0/20;
    allow 103.21.244.0/22;
    allow 103.22.200.0/22;
    allow 103.31.4.0/22;
    allow 141.101.64.0/18;
    allow 108.162.192.0/18;
    allow 190.93.240.0/20;
    allow 188.114.96.0/20;
    allow 197.234.240.0/22;
    allow 198.41.128.0/17;
    allow 162.158.0.0/15;
    allow 104.16.0.0/12;
    allow 172.64.0.0/13;
    allow 131.0.72.0/22;
    deny all;
}
IPv4:
173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/12 172.64.0.0/13 131.0.72.0/22
Also available as an IPv4 text list.
IPv6:
2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 2405:8100::/32 2a06:98c0::/29 2c0f:f248::/32
Also available as an IPv6 text list.
System environment: CentOS 7 + (BT panel) Nginx + PHP + MySQL
Nginx 1.15.10 does not need to be recompiled; just configure the IP information directly!
1. Back up Nginx before compiling
Before compiling, back up the Nginx binary that is already installed. Use the ps command to find the Nginx path; every step below uses the Nginx path on your own system.
# ps -elf | grep nginx          # find the Nginx path
# cd /www/server/nginx/sbin/    # enter the Nginx directory
# cp nginx nginx.bak            # back up Nginx
2. Check which modules the current Nginx was built with; the same modules must be included when recompiling
# cd ~
# /www/server/nginx/sbin/nginx -V    # show the parameters Nginx was built with
Example output of the Nginx parameter query:
[root@localhost]# /www/server/nginx/sbin/nginx -V
nginx version: nginx/1.12
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.1.1b  26 Feb 2019
TLS SNI support enabled
configure arguments: --user=www --group=www --prefix=/www/server/nginx --with-openssl=/www/server/nginx/src/openssl --add-module=/www/server/nginx/src/ngx_devel_kit --add-module=/www/server/nginx/src/lua_nginx_module --add-module=/www/server/nginx/src/ngx_cache_purge --add-module=/www/server/nginx/src/nginx-sticky-module --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_image_filter_module --with-http_gzip_static_module --with-http_gunzip_module --with-stream --with-stream_ssl_module --with-ipv6 --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_mp4_module --with-ld-opt=-Wl,-E --with-openssl-opt='enable-tls1_3 enable-weak-ssl-ciphers' --with-cc-opt=-Wno-error --with-ld-opt=-ljemalloc
Note: copy everything after "configure arguments:" into a text editor; it is needed when compiling.
3. Enter the Nginx source directory and configure the build
Enter the Nginx source directory and configure the Nginx build (for Nginx installed by the BT panel, the source is at /www/server/nginx/src).
Note: the configure command is ./configure followed by the arguments saved in the previous step, plus --with-http_realip_module.
# cd /www/server/nginx/src
# ./configure --user=www --group=www --prefix=/www/server/nginx \
    --with-openssl=/www/server/nginx/src/openssl \
    --add-module=/www/server/nginx/src/ngx_devel_kit \
    --add-module=/www/server/nginx/src/lua_nginx_module \
    --add-module=/www/server/nginx/src/ngx_cache_purge \
    --add-module=/www/server/nginx/src/nginx-sticky-module \
    --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module \
    --with-http_image_filter_module --with-http_gzip_static_module --with-http_gunzip_module \
    --with-stream --with-stream_ssl_module --with-ipv6 \
    --with-http_sub_module --with-http_flv_module --with-http_addition_module \
    --with-http_realip_module --with-http_mp4_module \
    --with-ld-opt=-Wl,-E --with-openssl-opt='enable-tls1_3 enable-weak-ssl-ciphers' \
    --with-cc-opt=-Wno-error --with-ld-opt=-ljemalloc
4. Compile Nginx
# make
5. Copy the compiled Nginx binary
After make finishes, replace the Nginx binary already on the system with the freshly compiled one, then restart Nginx so the new build takes effect (run these from /www/server/nginx/src, where objs/nginx was produced):
# rm -rf /www/server/nginx/sbin/nginx      # remove the old Nginx binary
# cp objs/nginx /www/server/nginx/sbin/    # copy the freshly compiled Nginx into the Nginx directory
# service nginx restart                    # restart Nginx
After the rebuilt Nginx has been restarted, add the following to the http{...} section of the nginx.conf file:
set_real_ip_from 199.27.128.0/21;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
real_ip_header CF-Connecting-IP;
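The following Python model is an added example written for this page; it is not part of the original post and not Nginx code. It shows how the two configurations above interact within a single request: the set_real_ip_from / real_ip_header pair decides whether the CF-Connecting-IP header is trusted, and the allow/deny list from the server block is then evaluated against the resulting client address. The Cloudflare ranges are a constructed copy of the list printed on this page, the peer and visitor addresses are constructed from documentation ranges (203.0.113.0/24, 198.51.100.0/24, 2001:db8::/32), and the names simulate, effective_client and access_decision are the example's own. Two behaviours are worth seeing in the output: a peer outside the Cloudflare ranges that sends its own CF-Connecting-IP header is never trusted, so the header cannot be used to forge the address Nginx logs and enforces on; and because the realip module replaces the client address before the access module runs, an allow list of Cloudflare ranges evaluated against the rewritten address denies genuine visitors, so the allow list has to be tested against the original socket address, which Nginx keeps in the $realip_remote_addr variable.

```python
import ipaddress

# Constructed copy of the Cloudflare ranges listed on this page; the
# authoritative source is https://www.cloudflare.com/ips-v4 and /ips-v6.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/12",
    "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]


def in_ranges(addr, ranges):
    """True if addr lies inside any of the networks (a version mismatch is False)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ranges)


def effective_client(peer, headers, trusted=CLOUDFLARE_RANGES):
    """Model of ngx_http_realip_module configured as
         set_real_ip_from <trusted ranges>; real_ip_header CF-Connecting-IP;
    The header is honoured only when the TCP peer is inside a trusted range
    and the header value parses as an address; otherwise the peer address stays."""
    value = headers.get("CF-Connecting-IP", "").strip()
    if value and in_ranges(peer, trusted):
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            pass  # malformed header value: keep the socket address
    return peer


def access_decision(client, allowed=CLOUDFLARE_RANGES):
    """Model of `allow <Cloudflare ranges>; deny all;` in ngx_http_access_module."""
    return "allow" if in_ranges(client, allowed) else "deny"


def simulate(peer, headers, allowlist_checks="effective"):
    """Return (effective_client_address, decision) for one request.
    allowlist_checks="effective": allow/deny sees the address after realip rewrote it
        (what plain allow/deny directives see once realip is active).
    allowlist_checks="peer": allow/deny sees the original socket address
        (what a test on $realip_remote_addr sees)."""
    client = effective_client(peer, headers)
    subject = client if allowlist_checks == "effective" else peer
    return client, access_decision(subject)


if __name__ == "__main__":
    via_cf = ("172.64.1.1", {"CF-Connecting-IP": "203.0.113.10"})    # constructed
    direct = ("198.51.100.7", {"CF-Connecting-IP": "203.0.113.10"})  # constructed spoof
    for label, args in (("via Cloudflare", via_cf), ("direct, spoofed header", direct)):
        for mode in ("effective", "peer"):
            print(f"{label:24s} allowlist on {mode:9s} -> {simulate(*args, mode)}")
```

Running the block prints four decisions: the request relayed by Cloudflare is denied when the allow list is evaluated on the rewritten address and allowed when it is evaluated on the peer, while the direct request with a forged header is denied either way and keeps its own socket address as the logged client.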
Now look at how the logs change. Before the change, every address is a CDN IP:
After the change, they are all real visitor IPs.
Finally, to guard against changes in Cloudflare's IP ranges, here is a script to run as a scheduled task; when Cloudflare's IPs change it automatically updates the Nginx configuration file on the server:
#!/bin/bash
#########################################################################
# File Name: sync_CF_ip.sh
# Author: podipod.com
# Email: [email protected]
# Version: 1.2
# Licence: GNU General Public Licence
# Created Time: April 15 2019 03:51:39 PM CST
#########################################################################
# Path of nginx.conf; adjust to your install (BT panel: /www/server/nginx/conf/nginx.conf)
nginxConfFile="/usr/local/nginx/conf/nginx.conf"
for i in 4 6; do
    # -f: fail on HTTP errors so an error page is never parsed as a range list
    curl -sf "https://www.cloudflare.com/ips-v$i" | while read line; do
        # -F: match the CIDR literally (in a regex '.' would match any character)
        if ! grep -qF -- "$line" "$nginxConfFile"; then
            # insert the new range on its own line just before real_ip_header
            sed -i "/real_ip_header/i \\\tset_real_ip_from\t$line;" "$nginxConfFile"
            # reload only if the updated configuration passes the syntax check
            if service nginx configtest; then
                service nginx reload
            fi
        fi
    done
done
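As an added example, not part of the original post and not the script above, the Python below does the same reconciliation in a form that runs offline and can be checked: it parses a Cloudflare list in the one-network-per-line format served at https://www.cloudflare.com/ips-v4 and /ips-v6, rejects any line that is not a valid network so a broken or tampered response can never be written into nginx.conf, and compares the result with the set_real_ip_from lines already present. Unlike the script, it also reports stale ranges, which matter because a range that set_real_ip_from still trusts but Cloudflare no longer uses lets whoever holds it set CF-Connecting-IP to any value and so forge the address Nginx logs and enforces on. The published list and the nginx.conf excerpt are constructed from the ranges printed on this page; the excerpt deliberately keeps 199.27.128.0/21, which the http{} snippet above uses but the IPv4 list at the top of the page does not contain. The names parse_published, configured, reconcile and render are the example's own.

```python
import ipaddress
import re

# Constructed sample of the text served at https://www.cloudflare.com/ips-v4
# and /ips-v6 (one network per line), using the ranges printed on this page.
PUBLISHED = """\
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/12
172.64.0.0/13
131.0.72.0/22
2400:cb00::/32
2606:4700::/32
2803:f800::/32
2405:b500::/32
2405:8100::/32
2a06:98c0::/29
2c0f:f248::/32
"""

# Constructed excerpt of the http{} block from this page: it carries
# 199.27.128.0/21 (absent from the published list) and lacks four ranges.
NGINX_CONF = """\
http {
    set_real_ip_from 199.27.128.0/21;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 104.16.0.0/12;
    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2405:8100::/32;
    real_ip_header CF-Connecting-IP;
}
"""

SET_RE = re.compile(r"^\s*set_real_ip_from\s+(\S+?)\s*;")


def parse_published(text):
    """One CIDR per line; blank and '#' lines are skipped. strict=True makes
    ipaddress raise ValueError for anything that is not a properly aligned
    network, so an HTML error page or a tampered line never gets through."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def configured(conf):
    """Networks named by the existing set_real_ip_from directives."""
    return [ipaddress.ip_network(m.group(1))
            for m in (SET_RE.match(l) for l in conf.splitlines()) if m]


def _order(net):
    return (net.version, net)  # only same-version networks get compared


def reconcile(conf, published):
    """Return (missing, stale): published ranges absent from conf, and
    configured ranges the published list no longer contains."""
    have, want = set(configured(conf)), set(published)
    return sorted(want - have, key=_order), sorted(have - want, key=_order)


def render(conf, missing, stale):
    """Drop stale set_real_ip_from lines and insert the missing ones just
    before real_ip_header, mirroring where the script's sed places them."""
    out = []
    for line in conf.splitlines():
        m = SET_RE.match(line)
        if m and ipaddress.ip_network(m.group(1)) in stale:
            continue
        if line.strip().startswith("real_ip_header"):
            indent = line[:len(line) - len(line.lstrip())]
            out.extend(f"{indent}set_real_ip_from {net};" for net in missing)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    missing, stale = reconcile(NGINX_CONF, parse_published(PUBLISHED))
    print("missing:", [str(n) for n in missing])
    print("stale:  ", [str(n) for n in stale])
    print(render(NGINX_CONF, missing, stale))
```

On the constructed input the report lists 131.0.72.0/22, 172.64.0.0/13, 2a06:98c0::/29 and 2c0f:f248::/32 as missing and 199.27.128.0/21 as stale; running reconcile again on the rendered output returns nothing, which is the idempotence a scheduled task needs. Writing the rendered text back to nginx.conf and testing the configuration before a reload, as the script does, is left to the caller.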
The above are all of Cloudflare's current origin-pull IP ranges. If they are updated, get the current Cloudflare IP list from Cloudflare's official site.
This article was published on podipod 软库网 by DevOps; please credit the source when reposting!