Add optional support for autogenerated CloudFlare real ip configurati…

…on (#193) * FIX the 'Syntax Error while loading YAML script' error * Add optional support for autogenerated CloudFlare real ip configuration
jdauphant · Jan 4, 2018 · 89ab5bd · 89ab5bd
1 parent 506e6bd
commit 89ab5bd
Show file tree

Hide file tree

Showing 7 changed files with 54 additions and 0 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -27,6 +27,7 @@ script:
   - cat /etc/nginx/conf.d/upstream.conf
   - cat /etc/nginx/conf.d/geo.conf
   - cat /etc/nginx/conf.d/gzip.conf
+  - cat /etc/nginx/conf.d/cloudflare.conf
   - cat /etc/nginx/snippets/error_pages.conf
   - sudo cat /etc/nginx/auth_basic/demo
   - sudo nginx -t

diff --git a/README.md b/README.md
@@ -95,6 +95,8 @@ nginx_auth_basic_files:
      - foo:$apr1$mEJqnFmy$zioG2q1iDWvRxbHuNepIh0 # foo:demo , generated by : htpasswd -nb foo demo
      - bar:$apr1$H2GihkSo$PwBeV8cVWFFQlnAJtvVCQ. # bar:demo , generated by : htpasswd -nb bar demo
 
+# Enable Real IP for CloudFlare requests
+nginx_set_real_ip_from_cloudflare: True
 ```
 
 Examples

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -58,3 +58,7 @@ nginx_auth_basic_files: {}
 nginx_remove_auth_basic_files: []
 
 nginx_daemon_mode: "on"
+
+nginx_set_real_ip_from_cloudflare: False
+nginx_cloudflare_real_ip_header: "CF-Connecting-IP" # See: https://support.cloudflare.com/hc/en-us/articles/200170706-How-do-I-restore-original-visitor-IP-with-Nginx-
+nginx_cloudflare_configuration_name: "cloudflare" # Name for the conf file in the conf.d directory
diff --git a/tasks/cloudflare_configuration.yml b/tasks/cloudflare_configuration.yml
@@ -0,0 +1,21 @@
+---
+- name: Get list of CloudFlare IPv4
+  uri:
+    url: https://www.cloudflare.com/ips-v4
+    return_content: yes
+  register: cloudflare_ipv4_list
+  tags: [configuration, nginx]
+
+- name: Get list of CloudFlare IPv6
+  uri:
+    url: https://www.cloudflare.com/ips-v6
+    return_content: yes
+  register: cloudflare_ipv6_list
+  tags: [configuration, nginx]
+
+- name: Create independent configuration for CloudFlare
+  template:
+    src: config_cloudflare.conf.j2
+    dest: "{{ nginx_conf_dir }}/conf.d/{{ nginx_cloudflare_configuration_name }}.conf"
+  notify:
+    - reload nginx
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -35,6 +35,10 @@
 - include: configuration.yml
   tags: [configuration, nginx]
 
+- include: cloudflare_configuration.yml
+  when: nginx_set_real_ip_from_cloudflare == True
+  tags: [configuration, nginx]
+
 - name: Start the nginx service
   service: name={{ nginx_service_name }} state=started enabled=yes
   when: nginx_installation_type in nginx_installation_types_using_service and nginx_daemon_mode == "on"

diff --git a/templates/config_cloudflare.conf.j2 b/templates/config_cloudflare.conf.j2
@@ -0,0 +1,19 @@
+#{{ ansible_managed }}
+
+{% if cloudflare_ipv4_list is defined %}
+{% for cidr in cloudflare_ipv4_list.content.split('\n') %}
+{% if cidr %}
+set_real_ip_from {{ cidr }};
+{% endif %}
+{% endfor %}
+{% endif %}
+
+{% if cloudflare_ipv6_list is defined %}
+{% for cidr in cloudflare_ipv6_list.content.split('\n') %}
+{% if cidr %}
+set_real_ip_from {{ cidr }};
+{% endif %}
+{% endfor %}
+{% endif %}
+
+real_ip_header {{ nginx_cloudflare_real_ip_header }};
diff --git a/test/example-vars.yml b/test/example-vars.yml
@@ -84,3 +84,6 @@ nginx_auth_basic_files:
   demo:
     - foo:$apr1$mEJqnFmy$zioG2q1iDWvRxbHuNepIh0  # foo:demo , generated by : htpasswd -nb foo demo
     - bar:$apr1$H2GihkSo$PwBeV8cVWFFQlnAJtvVCQ.  # bar:demo , generated by : htpasswd -nb bar demo
+
+# Enable CloudFlare real ip configuration
+nginx_set_real_ip_from_cloudflare: True