/ Register

Want more timely Centmin Mod News Updates?
Become a Member

Cloudflare cloudflare.conf and Cloudflare Argo Tunnel

Discussion in 'Domains, DNS, Email & SSL Certificates' started by GamerJota, Apr 12, 2018.

Tags:
Previous Thread Next Thread
Loading...
  1. Apr 12, 2018 #1
    GamerJota

    GamerJota Member

    49
    7
    8
    Mar 1, 2016
    Ratings:
    +18
    Local Time:
    1:11 AM
    Hello guys,

    I'm using Cloudflare Argo Tunnel in one of my sites running with centminmod, my REMOTE_ADDR header is now always set to my localhost IP ( ::1 in this case) rendering some services that requires this to be correct unavailable.

    Do you think it would be a good idea to put
    Code:
    set_real_ip_from ::1/128;
    at
    Code:
    /usr/local/nginx/conf/cloudflare_customips.conf;
    ?

    It works fine, but I don't know if this can bring some security issues.

    Cheers.
     
    Last edited: Apr 12, 2018
  2. Apr 12, 2018 #2
    eva2000

    eva2000 Administrator Staff Member

    55,245
    12,253
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,833
    Local Time:
    2:11 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    So you already setup tools/csfcsf.sh cronrjob too for tools/csfcf.sh script ?
    I believe only @BamaStangGuy and @RoldanLT have tried Cloudflare Argo so they may have more insight.

    Where is the REMOTE_ADDR header being reported as such ?
     
  3. Apr 12, 2018 #3
    GamerJota

    GamerJota Member

    49
    7
    8
    Mar 1, 2016
    Ratings:
    +18
    Local Time:
    1:11 AM
    Already set the cronjobs, and yes, cloudflare_customips.conf is called at cloudflare.conf.

    REMOTE_ADDR was being reported as ::1 by browsing a php in the site that shows the headers.

    Code:
    <pre><?php
print_r($_SERVER);
?></pre>
    After adding
    Code:
    set_real_ip_from ::1/128;
    to
    Code:
    cloudflare_customips.conf
    it now shows it correctly.

    But again, I don't know if this can bring any security issue.
     
  4. Apr 12, 2018 #4
    eva2000

    eva2000 Administrator Staff Member

    55,245
    12,253
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,833
    Local Time:
    2:11 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    what's contents of current /usr/local/nginx/conf/cloudflare.conf ?
    Code (Text):
    cat /usr/local/nginx/conf/cloudflare.conf

    would be something like
    Code (Text):
    include /usr/local/nginx/conf/cloudflare_customips.conf;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
real_ip_header CF-Connecting-IP;

    then manually run the cronjob script
    Code (Text):
    /usr/local/src/centminmod/tools/csfcf.sh auto

    and see what the updated contents of /usr/local/nginx/conf/cloudflare.conf would be

    Also has Cloudflare tech support chimed in on whether set_real_ip_from ::1/128; is needed ? I'd ask them to be 100% sure.
     
  5. Apr 12, 2018 #5
    GamerJota

    GamerJota Member

    49
    7
    8
    Mar 1, 2016
    Ratings:
    +18
    Local Time:
    1:11 AM
    It is exactly the values you said it was, and I believe I had to tell you before, I supposed you knew about it, but Argo Tunnel uses it's own application (another reverse proxy?) to make the tunnel to Cloudflare network. So I believe nginx sees the REMOTE_ADDR as a local address because first it passes through this application called "cloudflared" and then it goes to nginx.

    How Argo Tunnel Works - Argo Tunnel
     
  6. Apr 12, 2018 #6
    eva2000

    eva2000 Administrator Staff Member

    55,245
    12,253
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,833
    Local Time:
    2:11 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    If that is the case i'd contact Cloudflare tech support to confirm if using set_real_ip_from ::1/128; is the correct solution for use with Nginx origins.
     
  7. Apr 13, 2018 #7
    GamerJota

    GamerJota Member

    49
    7
    8
    Mar 1, 2016
    Ratings:
    +18
    Local Time:
    1:11 AM
    I contacted Cloudflare with the following message:

    They replied with:

    So I guess it should be fine.
     
  8. Apr 13, 2018 #8
    eva2000

    eva2000 Administrator Staff Member

    55,245
    12,253
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,833
    Local Time:
    2:11 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Excellent - rest easy with Cloudflare tech support confirmation :)
     
  9. Apr 18, 2018 #9
    BamaStangGuy

    BamaStangGuy Active Member

    668
    192
    43
    May 25, 2014
    Ratings:
    +272
    Local Time:
    11:11 PM
    I will be setting up a tunnel for all our sites soon. Good to know.
     
  10. Feb 1, 2020 #10
    rdan

    rdan Well-Known Member

    5,451
    1,411
    113
    May 25, 2014
    Ratings:
    +2,205
    Local Time:
    12:11 PM
    Mainline
    10.2
    Any reviews and feedback for those who are using Argo Tunnel for several months/year already?
     
Previous Thread Next Thread
Loading...

.