
Cloudflare cloudflare.conf and Cloudflare Argo Tunnel

Discussion in 'Domains, DNS, Email & SSL Certificates' started by GamerJota, Apr 12, 2018.

  1. GamerJota

    GamerJota Member

    51
    7
    8
    Mar 1, 2016
    Chile
    Ratings:
    +18
    Local Time:
    12:36 AM
    Hello guys,

    I'm using Cloudflare Argo Tunnel on one of my sites running with centminmod, and my REMOTE_ADDR header is now always set to my localhost IP (::1 in this case), rendering some services that require this to be correct unavailable.

    Do you think it would be a good idea to put
    Code:
    set_real_ip_from ::1/128;
    at
    Code:
    /usr/local/nginx/conf/cloudflare_customips.conf;
    ?

    It works fine, but I don't know if this can bring some security issues.

    Cheers.
     
    Last edited: Apr 12, 2018
  2. eva2000

    eva2000 Administrator Staff Member

    33,688
    7,459
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,470
    Local Time:
    1:36 PM
    Nginx 1.13.x
    MariaDB 5.5
    So you already set up the tools/csfcf.sh cronjob too for the tools/csfcf.sh script?
    I believe only @BamaStangGuy and @RoldanLT have tried Cloudflare Argo so they may have more insight.

    Where is the REMOTE_ADDR header being reported as such?
     
  3. GamerJota

    Already set the cronjobs, and yes, cloudflare_customips.conf is called at cloudflare.conf.

    REMOTE_ADDR was being reported as ::1 by browsing a php in the site that shows the headers.

    Code:
    <pre><?php
    print_r($_SERVER);
    ?></pre>
    
    After adding
    Code:
    set_real_ip_from ::1/128;
    to
    Code:
    cloudflare_customips.conf
    it now shows it correctly.

    But again, I don't know if this can bring any security issue.
     
  4. eva2000

    What are the contents of the current /usr/local/nginx/conf/cloudflare.conf?
    Code (Text):
    cat /usr/local/nginx/conf/cloudflare.conf
    

    It would be something like
    Code (Text):
    include /usr/local/nginx/conf/cloudflare_customips.conf;
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 104.16.0.0/12;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2405:8100::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2c0f:f248::/32;
    set_real_ip_from 2a06:98c0::/29;
    real_ip_header CF-Connecting-IP;
    

    Then manually run the cronjob script
    Code (Text):
    /usr/local/src/centminmod/tools/csfcf.sh auto
    

    and see what the updated contents of /usr/local/nginx/conf/cloudflare.conf would be.

    Also, has Cloudflare tech support chimed in on whether set_real_ip_from ::1/128; is needed? I'd ask them to be 100% sure.
     
  5. GamerJota

    It is exactly the values you said it was, and I believe I had to tell you before, I supposed you knew about it, but Argo Tunnel uses its own application (another reverse proxy?) to make the tunnel to the Cloudflare network. So I believe nginx sees the REMOTE_ADDR as a local address because first it passes through this application called "cloudflared" and then it goes to nginx.

    How Argo Tunnel Works - Argo Tunnel
     
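Added example (not part of the thread, and not Centmin Mod or Cloudflare code): a small Python model of how nginx's realip module chooses REMOTE_ADDR from `set_real_ip_from` and `real_ip_header`, showing why the tunnel setup reports `::1` and what trusting `::1/128` changes about the trust boundary. The function names and the sample visitor addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# Subset of the set_real_ip_from ranges quoted in this thread.
CLOUDFLARE_RANGES = ["103.21.244.0/22", "173.245.48.0/20",
                     "2400:cb00::/32", "2606:4700::/32"]


def effective_remote_addr(peer, headers, trusted_cidrs,
                          real_ip_header="CF-Connecting-IP"):
    """Return the address nginx would report as REMOTE_ADDR (simplified model)."""
    peer_ip = ipaddress.ip_address(peer)
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    trusted = any(peer_ip.version == n.version and peer_ip in n for n in nets)
    if not trusted:
        # Peer is not listed in set_real_ip_from: the header is ignored.
        return str(peer_ip)
    wanted = real_ip_header.lower()
    value = next((v for k, v in headers.items() if k.lower() == wanted), None)
    if value is None:
        return str(peer_ip)
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        # Unparseable header value: keep the connection address.
        return str(peer_ip)


def scenarios():
    """Constructed requests covering the cases discussed in the thread."""
    visitor = {"CF-Connecting-IP": "203.0.113.7"}    # constructed visitor
    other = {"CF-Connecting-IP": "198.51.100.99"}    # constructed header value
    with_loopback = CLOUDFLARE_RANGES + ["::1/128"]
    return {
        # cloudflared connects over loopback, ::1 not trusted: the reported problem.
        "tunnel_without_loopback":
            effective_remote_addr("::1", visitor, CLOUDFLARE_RANGES),
        # Same request after adding set_real_ip_from ::1/128.
        "tunnel_with_loopback":
            effective_remote_addr("::1", visitor, with_loopback),
        # Trust boundary: every local process reaching nginx over ::1 is believed.
        "local_process_with_loopback":
            effective_remote_addr("::1", other, with_loopback),
        # A peer outside every trusted range keeps its own connection address.
        "direct_external":
            effective_remote_addr("192.0.2.50", other, with_loopback),
    }


if __name__ == "__main__":
    for name, addr in scenarios().items():
        print(f"{name:30} REMOTE_ADDR={addr}")
```

The third case is the one to weigh when answering the security question: once `::1/128` is trusted, anything on the host that can connect to nginx over loopback is trusted to state the client address, not only cloudflared.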
  6. eva2000

    If that is the case, I'd contact Cloudflare tech support to confirm if using set_real_ip_from ::1/128; is the correct solution for use with Nginx origins.
     
  7. GamerJota

    I contacted Cloudflare with the following message:

    They replied with:

    So I guess it should be fine.
     
  8. eva2000

    Excellent - rest easy with Cloudflare tech support confirmation :)
     
  9. BamaStangGuy

    BamaStangGuy Active Member

    509
    147
    43
    May 25, 2014
    Ratings:
    +195
    Local Time:
    10:36 PM
    I will be setting up a tunnel for all our sites soon. Good to know.
     