Look through cloudflare to get real client IPs

author Tom Hughes <tom@compton.nu>

Thu, 11 Jul 2024 12:27:32 +0000 (13:27 +0100)

committer Tom Hughes <tom@compton.nu>

Thu, 11 Jul 2024 12:43:08 +0000 (13:43 +0100)
author Tom Hughes <tom@compton.nu>
Thu, 11 Jul 2024 12:27:32 +0000 (13:27 +0100)
committer Tom Hughes <tom@compton.nu>
Thu, 11 Jul 2024 12:43:08 +0000 (13:43 +0100)
diff --git a/cookbooks/web/recipes/frontend.rb b/cookbooks/web/recipes/frontend.rb

index ec7ce92f533ea7426483151b3a9ac3fa310b6006..f9e733c5b97f7eb8e1e0f01f7159d7a6e4e1cd21 100644 (file)
--- a/cookbooks/web/recipes/frontend.rb
+++ b/cookbooks/web/recipes/frontend.rb
@@ -34,6 +34,7 @@ apache_module "proxy"
  apache_module "proxy_fcgi"
  apache_module "lbmethod_byrequests"
  apache_module "lbmethod_bybusyness"
+apache_module "remoteip"
  apache_module "reqtimeout"
  apache_module "rewrite"
  apache_module "unique_id"
@@ -52,9 +53,26 @@ remote_directory "#{node[:web][:base_directory]}/static" do
    files_mode "644"
  end
  
+remote_file "#{Chef::Config[:file_cache_path]}/cloudflare-ipv4-list" do
+  source "https://www.cloudflare.com/ips-v4"
+  compile_time true
+  ignore_failure true
+end
+
+cloudflare_ipv4 = IO.read("#{Chef::Config[:file_cache_path]}/cloudflare-ipv4-list").lines.map(&:chomp)
+
+remote_file "#{Chef::Config[:file_cache_path]}/cloudflare-ipv6-list" do
+  source "https://www.cloudflare.com/ips-v6"
+  compile_time true
+  ignore_failure true
+end
+
+cloudflare_ipv6 = IO.read("#{Chef::Config[:file_cache_path]}/cloudflare-ipv6-list").lines.map(&:chomp)
+
  apache_site "www.openstreetmap.org" do
    template "apache.frontend.erb"
-  variables :status => node[:web][:status],
+  variables :cloudflare => cloudflare_ipv4 + cloudflare_ipv6,
+            :status => node[:web][:status],
              :secret_key_base => web_passwords["secret_key_base"]
  end
  
diff --git a/cookbooks/web/templates/default/apache.frontend.erb b/cookbooks/web/templates/default/apache.frontend.erb

index fb677769e6a3e15220dd50be03256fb7fd43973e..9a2cd10a7c64bec52f5f03df2801bfb72482121b 100644 (file)
--- a/cookbooks/web/templates/default/apache.frontend.erb
+++ b/cookbooks/web/templates/default/apache.frontend.erb
@@ -26,6 +26,12 @@ ErrorLog /var/log/apache2/error.log
    SSLCertificateFile /etc/ssl/certs/www.openstreetmap.org.pem
    SSLCertificateKeyFile /etc/ssl/private/www.openstreetmap.org.key
  
+  # Get the real remote IP for requests via a trusted proxy
+  RemoteIPHeader CF-Connecting-IP
+<% @cloudflare.sort.each do |address| -%>
+  RemoteIPTrustedProxy <%= address %>
+<% end -%>
+
    #
    # Turn on various features
    #
author	Tom Hughes <tom@compton.nu>
	Thu, 11 Jul 2024 12:27:32 +0000 (13:27 +0100)
committer	Tom Hughes <tom@compton.nu>
	Thu, 11 Jul 2024 12:43:08 +0000 (13:43 +0100)
cookbooks/web/recipes/frontend.rb		patch \| blob \| history
cookbooks/web/templates/default/apache.frontend.erb		patch \| blob \| history