
Nginx CloudFlare IPv6 instead of Google?

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by Tracy Perry, Oct 8, 2022.

  1. Tracy Perry
    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 124.000 Stable
    • Nginx Version Installed: 1.21.6
    • PHP Version Installed: 8.0.24
    • MariaDB MySQL Version Installed: 10.3.36
    • When was last time updated Centmin Mod code base ? : 10/08/2022
    • Persistent Config:
      Code (Text):
      SET_DEFAULT_MYSQLCHARSET='utf8mb4'
      LETSENCRYPT_DETECT='y'
      DUALCERTS='y'
      SELFSIGNEDSSL_ECDSA='y'
      NGINX_LIBBROTLI='y'
      NGXDYNAMIC_BROTLI='y'
      PHP_BROTLI='y'
      PHP_LZFOUR='y'
      PHP_LZF='y'
      PHP_ZSTD='y'
      DMOTD_PHPCHECK='y'
      MM_LICENSE_KEY='xxxxxxxxxxxxx'
      MM_CSF_SRC='y'
      PUREFTPD_DISABLED='y'
      

    Is there an issue with nginx not passing through the correct IPv6 addresses that come through CloudFlare that anyone else has noticed? I noticed that the Google 'bots refer back to Google IPs for IPv4... but the one Google bot using IPv6 came back to a CloudFlare IP.

    [Screenshots attached: Screen Shot 2022-10-08 at 8.32.41 AM.png, 8.33.05 AM.png, 8.40.26 AM.png, 8.40.40 AM.png]


    I have the following enabled in my site config
    Code:
    include /usr/local/nginx/conf/cloudflare.conf;
    and it consists of the latest IP ranges, the specific one related being
    Code:
    set_real_ip_from 2a06:98c0::/29;
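To check offline what the include above actually does with an IPv6 peer, here is an added example (not Centmin Mod or nginx code) that emulates the decision ngx_http_realip_module makes per request: the address in real_ip_header replaces the peer address only when the peer falls inside a set_real_ip_from range, otherwise the peer is kept and the header is ignored. The conf excerpt, the crawler addresses and the four requests are constructed for this example; the prefix list is deliberately short and stands in for the full list that csfcf.sh writes.

```python
import ipaddress
from typing import Dict, Tuple

# Constructed excerpt in the format of /usr/local/nginx/conf/cloudflare.conf.
# Assumption: only the IPv6 prefix quoted in the thread plus three other
# Cloudflare prefixes are listed; the real include carries the full list.
CLOUDFLARE_CONF = """\
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2a06:98c0::/29;
real_ip_header CF-Connecting-IP;
"""


def parse_realip_conf(text: str) -> Tuple[list, str]:
    """Collect the set_real_ip_from networks and the real_ip_header name."""
    trusted = []
    header = "X-Real-IP"  # nginx's default when real_ip_header is absent
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        directive, _, arg = line.partition(" ")
        if directive == "set_real_ip_from":
            trusted.append(ipaddress.ip_network(arg.strip(), strict=False))
        elif directive == "real_ip_header":
            header = arg.strip()
    return trusted, header


def is_trusted_peer(peer: str, trusted: list) -> bool:
    """True when the TCP peer address falls inside a set_real_ip_from range."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in trusted)


def restore_client_ip(peer: str, headers: Dict[str, str], trusted: list, header: str) -> str:
    """Return the address nginx would expose as $remote_addr after the realip module ran.

    Only the single-address header form (CF-Connecting-IP) is modelled; the
    X-Forwarded-For chain walk controlled by real_ip_recursive is not.
    """
    if not is_trusted_peer(peer, trusted):
        return peer  # untrusted peer: header ignored, so a direct client cannot spoof it
    value = {k.lower(): v for k, v in headers.items()}.get(header.lower(), "").strip()
    if not value:
        return peer  # trusted peer but nothing to restore from
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return peer  # unparsable header value: the peer address is left alone


def demo() -> Dict[str, str]:
    """Four constructed requests; the crawler addresses are illustrative, not captures."""
    trusted, header = parse_realip_conf(CLOUDFLARE_CONF)
    cases = {
        # Googlebot over IPv4 behind Cloudflare: restored to the Google address
        "googlebot_v4_via_cf": ("173.245.48.10", {"CF-Connecting-IP": "66.249.66.1"}),
        # Googlebot over IPv6 via the prefix quoted in the thread: restored the same way
        "googlebot_v6_via_cf": ("2a06:98c0:3600::103", {"CF-Connecting-IP": "2001:4860:4801:10::1"}),
        # Same Cloudflare peer with no CF-Connecting-IP: the Cloudflare address is what gets logged
        "cf_peer_no_header": ("2a06:98c0:3600::103", {}),
        # Non-Cloudflare peer forging the header: set_real_ip_from makes nginx ignore it
        "forged_header_direct": ("203.0.113.9", {"CF-Connecting-IP": "66.249.66.1"}),
    }
    return {name: restore_client_ip(peer, hdrs, trusted, header) for name, (peer, hdrs) in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} -> {result}")
```

The third case is the one worth keeping in mind when reading the screenshots: 2a06:98c0:3600::103 is inside 2a06:98c0::/29, so the include is doing its job; if that address still shows up as the client, the request either carried no CF-Connecting-IP or carried that same address in it. Logging `$realip_remote_addr` next to `$remote_addr` in the access log format shows both values per request and settles which of the two it was.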
     
  2. eva2000
    How is the forum's reported IP/bot getting its IP geolocation data? It could be that it's being incorrectly reported by the forum's IP geolocation data source. Pluck the IP into the geolocation database query box at What is my IP location? (Geolocation) and see what the various geolocation databases report. Though Maxmind's geolocation data isn't in that list anymore.
     
  3. Tracy Perry
    It's the standard process of it being reported to XF... so from what I understand, nginx should be passing the actual origination IP through due to the use of the "set_real_ip" string. I know prior to enabling CloudFlare on the site, the Google IPv6 addresses were reported correctly. So the only "new" thing that has been done is the include in the nginx config file and CloudFlare enabled. I'm wondering if there is an nginx bug involving IPv6 and passing through the actual IPv6?

    And every one of the IP checks returned to CloudFlare, so nginx is passing through the CloudFlare IPv6 address instead of the Google one.

    Since engaging CloudFlare, I'm getting some weird stuff elsewhere also. I can't upload an add-on through the ACP any longer, as I get a peer reset error (502 gateway CloudFlare screen); in the site error log:
    Code:
    2022/10/08 16:23:19 [error] 720#720: *195 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 64.188.192.81, server: astrowhat.com, request: "POST /admin.php?add-ons/install-from-archive HTTP/2.0", upstream: "fastcgi://127.0.0.1:9000", host: "astrowhat.com", referrer: "https://astrowhat.com/admin.php?add-ons/"
     
    Last edited: Oct 9, 2022
  4. eva2000
    Check your Cloudflare WAF/Firewall logs too.
    Cloudflare's IP space has evolved now with the Apple privacy stuff, the evolved CF Warp and other things, so it could be something there, as ASN 132892 I don't see much of myself. Most CF traffic is coming from ASN 13335 for me. I log all my requests into the Cloudflare Firewall on Cloudflare Enterprise, and in the last 30 days only a few requests came from ASN 132892.

    [attachment: upload_2022-10-9_2-36-9.png]

    Looks like ASN132892 is reserved for Cloudflare's Security Center scanning and Cloudflare for SaaS custom hostname verification requests. Cloudflare usually uses ASN 13335 for regular proxied traffic and other ASNs for other types of traffic/requests.

    [attachments: upload_2022-10-9_2-38-26.png, upload_2022-10-9_2-39-24.png]

    What output do you get from the cronjob run that auto-updates the /usr/local/nginx/conf/cloudflare.conf include file?
    Code (Text):
    /usr/local/src/centminmod/tools/csfcf.sh auto
    

    And what's its content?
     
  5. eva2000
    I see some reports for that specific IPv6 address 2a06:98c0:3600::103 reported as impersonating Googlebot too, at 2a06:98c0:3600::103 | CloudFlare Inc. | AbuseIPDB. I wonder if it's something Cloudflare Security Scanning is doing to check stuff? As I only see ASN132892 from Cloudflare mainly for scans.

    User agent is
    Code (Text):
    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36 (compatible; +https://developers.cloudflare.com/security-center/)
     
  6. eva2000
    OK, asked my fellow Cloudflare MVP folks and they directed me to what Kenton from Cloudflare outlined at A couple other notes: * The IP address 2a06:98c0:3600::103, mentioned in the ar... | Hacker News: 2a06:98c0:3600::103 is a special IP used as CF Workers' outbound source IP.
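Posts 5 and 6 give two concrete things to look for in the origin's access log: the Workers outbound source address 2a06:98c0:3600::103 and the Security Center user agent tail. The following added example (not Centmin Mod code, and not the poster's log) runs that audit over constructed lines in nginx's default "combined" format. It flags any line whose logged client address still sits inside a Cloudflare prefix, which is the symptom this thread is about, and additionally marks the Workers egress address and the Security Center user agent. The prefix list is a short stand-in for the full cloudflare.conf contents, as labelled in the code.

```python
import ipaddress
import re
import sys
from typing import Dict, List

# Assumption: a short list standing in for the full cloudflare.conf prefixes.
CLOUDFLARE_RANGES = [ipaddress.ip_network(p) for p in (
    "173.245.48.0/20", "103.21.244.0/22", "2400:cb00::/32", "2a06:98c0::/29")]
WORKERS_EGRESS_IP = ipaddress.ip_address("2a06:98c0:3600::103")  # address discussed in posts 5 and 6
SECURITY_CENTER_MARKER = "+https://developers.cloudflare.com/security-center/"  # UA tail quoted in post 5

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
COMBINED_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed sample lines, not captured traffic.
SAMPLE_LOG = """\
66.249.66.1 - - [08/Oct/2022:08:30:01 -0500] "GET /threads/abc.1/ HTTP/2.0" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
2001:4860:4801:10::1 - - [08/Oct/2022:08:31:12 -0500] "GET /threads/def.2/ HTTP/2.0" 200 4980 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
2a06:98c0:3600::103 - - [08/Oct/2022:08:32:41 -0500] "GET / HTTP/1.1" 200 6100 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36 (compatible; +https://developers.cloudflare.com/security-center/)"
173.245.48.10 - - [08/Oct/2022:08:33:05 -0500] "GET /robots.txt HTTP/2.0" 200 88 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""


def classify(line: str) -> Dict[str, object]:
    """Parse one combined-format line and attach audit flags."""
    m = COMBINED_RE.match(line)
    if not m:
        raise ValueError(f"not a combined-format line: {line!r}")
    addr = ipaddress.ip_address(m["addr"])
    flags: List[str] = []
    if any(addr in net for net in CLOUDFLARE_RANGES):
        flags.append("cloudflare-addr")  # realip did not replace $remote_addr for this request
    if addr == WORKERS_EGRESS_IP:
        flags.append("workers-egress")
    if SECURITY_CENTER_MARKER in m["ua"]:
        flags.append("security-center-ua")
    return {"addr": str(addr), "ua": m["ua"], "flags": flags}


def audit(log_text: str) -> List[Dict[str, object]]:
    """Return only the lines that raised at least one flag, in log order."""
    parsed = (classify(line) for line in log_text.splitlines() if line.strip())
    return [entry for entry in parsed if entry["flags"]]


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for hit in audit(text):
        print(hit["addr"], ",".join(hit["flags"]), hit["ua"][:70])
```

Run it against a real access log by passing the path as the first argument; without one it audits the constructed sample. A "cloudflare-addr" hit without "workers-egress" or "security-center-ua" is the interesting case, since that is a proxied request whose real client address was not restored and deserves a look at the CF-Connecting-IP header for that request.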
     
  7. Tracy Perry
    I think this is going to be something that is related to the BOT function I have enabled on CloudFlare.

    The other issue with the error 4 [SigKill] is going to be directly related to the DO VPS I have set up and the Centmin install. It didn't happen on the older VPS, which was actually a different level and cost. This is one of the newer ones, so there is apparently some difference there.
    I finally got CloudFlare totally disabled and the issue was still there, with nginx giving a 502 error as PHP-FPM apparently takes a dump all over itself after the add-on installer uploads the add-on and before it can extract it and begin its process.
    It's one of the "Basic" setups, not the "Premium" Intel/AMD. It's a simple 2vCPU/2GB setup.
     
    Last edited: Oct 9, 2022