Look through cloudflare to get real client IPs
[chef.git] / cookbooks / web / templates / default / apache.frontend.erb
index 4ee4c459cf769eef7dc17cab194eb154d5e9e09c..9a2cd10a7c64bec52f5f03df2801bfb72482121b 100644 (file)
@@ -26,6 +26,12 @@ ErrorLog /var/log/apache2/error.log
   SSLCertificateFile /etc/ssl/certs/www.openstreetmap.org.pem
   SSLCertificateKeyFile /etc/ssl/private/www.openstreetmap.org.key
 
+  # Get the real remote IP for requests via a trusted proxy
+  RemoteIPHeader CF-Connecting-IP
+<% @cloudflare.sort.each do |address| -%>
+  RemoteIPTrustedProxy <%= address %>
+<% end -%>
+
   #
   # Turn on various features
   #
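Review bot: `RemoteIPHeader CF-Connecting-IP` is emitted unconditionally, while the `RemoteIPTrustedProxy` lines only appear when `@cloudflare` has entries. If that list ever renders empty, the mod_remoteip documentation says the module then trusts any host presenting the header, so the address seen by logs and access controls would be client-supplied; a nil value would instead fail the template at `.sort`. Where `@cloudflare` is populated is outside this hunk, so this may already be guaranteed. If it is not, wrap the block in `<% unless @cloudflare.nil? || @cloudflare.empty? -%>` … `<% end -%>`, or have the recipe fail when the list is empty. The comment could also record the dependency, e.g. `# Only Cloudflare's published ranges may set CF-Connecting-IP; keep @cloudflare current`.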
@@ -35,8 +41,7 @@ ErrorLog /var/log/apache2/error.log
   #
   # Configure timeouts
   #
-  TimeOut 10
-  RequestReadTimeout handshake=10-20,MinRate=500 header=10-20,MinRate=500 body=10-120,MinRate=500
+  RequestReadTimeout handshake=20-40,MinRate=500 header=20-40,MinRate=500 body=20-120,MinRate=500
   LogLevel reqtimeout:info
 
   #
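Review bot: Dropping `TimeOut 10` leaves the general I/O timeout at whatever is inherited from elsewhere in the configuration, or at the Apache default (60 seconds in 2.4, if nothing else sets it). That is a larger relaxation than the doubled `RequestReadTimeout` windows suggest, and the commit title explains neither change. Both settings bound how long a slow client can hold a connection, so the reason belongs in a comment above the directive, for example `# Longer initial windows because requests now arrive through a proxy` if that is the motive. If falling back to the default is not intended, keep an explicit `TimeOut` line so the limit stays visible in this file.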