Nginx plugin + Cloudflare proxying

[routingMike]

Hello,

I currently proxy websites through CloudFlare. While my web applications do not care about incoming IP, I just noticed that nginx is blocking some IPs from CloudFlare.

For example: https://imgur.com/a/2OYnGUp

Two questions here:

1) I didn't (actively) enable anything that should be blocking incoming http requests. I went through as much of the UI as I can but nothing jumped out at me as being active and would ban IPs. Is there some default WAF config somewhere or otherwise what is causing the nginx plugin proxy to block these IPs?

2) These are CloudFlare IPs. Is there a way to configure nginx (via UI) to show these IPs in this case? There is this nginx module: https://support.cloudflare.com/hc/en-us/articles/200170786-Why-do-my-server-logs-show-CloudFlare-s-IPs-using-CloudFlare- and http://nginx.org/en/docs/http/ngx_http_realip_module.html. Is there a recommended way to activate this module and populate the config for nginx?


Thanks!

[fabian]

Hello,

I currently proxy websites through CloudFlare. While my web applications do not care about incoming IP, I just noticed that nginx is blocking some IPs from CloudFlare.

For example: https://imgur.com/a/2OYnGUp

Two questions here:

1) I didn't (actively) enable anything that should be blocking incoming http requests. I went through as much of the UI as I can but nothing jumped out at me as being active and would ban IPs. Is there some default WAF config somewhere or otherwise what is causing the nginx plugin proxy to block these IPs?

HTTP Server -> Enable "Disable Bot Protection" (Advanced Option)

This option controls if nginx should block some UAs which usually scan the web for vulnerable websites. This keeps some noise away from your webservers. BTW: the IPs are not blocked directly - this is done by a firewall alias. As long as you do not use that, only a single request is blocked.

2) These are CloudFlare IPs. Is there a way to configure nginx (via UI) to show these IPs in this case? There is this nginx module: https://support.cloudflare.com/hc/en-us/articles/200170786-Why-do-my-server-logs-show-CloudFlare-s-IPs-using-CloudFlare- and http://nginx.org/en/docs/http/ngx_http_realip_module.html. Is there a recommended way to activate this module and populate the config for nginx?

Real IP is available and only needs to be configured. Set "Real IP Source" and "Trusted Proxies" in the HTTP Server (should be also advanced).


---

Please note that my nginx plugin is huge, this is why many settings are hidden by default.

[Ornias1993]

I'm going to shamelessly necro this, but not one of the "real ip" header options is supported by cloudflare.
Cloudflare uses the non-standard "cf-Connecting-IP" header to contain the original IP.

[fabian]

In theory they should prefix that one with X- as well since it is non-standard. I can check if I can add this one as well.

[Ornias1993]

I totally agree they should.
As far as I can tell they use X-Real-IP internally, but say they don't pass it to the end user. It seems to be done to prevent conflicts.

X-Forwarded-For they also use, but they say it can include more IP's than just the user send the request, including IP's by cloudflare Proxies.

*edit*
I also noticed another issue:
Cloudflare creates these public IP lists to be used as "Trusted Proxy IP":
https://www.cloudflare.com/ips-v4
https://www.cloudflare.com/ips-v6


OPNSENSE is awesome by allowing us to use those directly, by creating an alias and selecting "URL Table (IPs)". Which works great.

But, the NGINX plugin doesnt accept aliasses created using the URL or URL TABLE option.
So we cant actually select those aliasses for use with NGINX.
See: https://github.com/opnsense/plugins/blob/45250dd2e5823d059ab55a807f7524264729d8c9/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml#L649

*edit2*
Because I tend to not-be lazy, I've send in a quick-fix PR for the alias selector problem:
https://github.com/opnsense/plugins/pull/1680