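#!/bin/bash
#
# cloudflare-sync-ips.sh
#
# Fetches Cloudflare's published IPv4/IPv6 ranges and:
#   - trusts them as reverse proxies in nginx (set_real_ip_from) and
#     Apache (RemoteIPTrustedProxy) so the real client IP is logged,
#   - allows them through ufw on the origin port(s), replacing the rules
#     this script created on a previous run.
#
# Must run as root. Optional env: CF_SSL_ORIGIN or CF_SSL set to 1 (port 80),
# 2 (port 443) or 3 (both) skips the interactive port selection.
# Exits non-zero when the lists cannot be downloaded, contain anything that
# is not a CIDR range, or when no port selection can be obtained.
set -u

readonly CF_IPV4_URL="https://www.cloudflare.com/ips-v4"
readonly CF_IPV6_URL="https://www.cloudflare.com/ips-v6"
# Marker in ufw rule comments; only rules carrying it are purged on the next
# run. Never comment a hand-made ufw rule with this text.
readonly UFW_COMMENT_PREFIX="Cloudflare IP | Last Change:"

# Scratch directory holding the downloaded lists, rendered configs and
# backups; created in main() and removed on every exit path.
WORKDIR=
CURRENT_TIME=
PORT=

die() { printf '%s\n' "$*" >&2; exit 1; }

cleanup() { rm -rf -- "${WORKDIR:?}"; }

#######################################
# Download one Cloudflare IP list and verify every non-blank line is a
# <address>/<prefix> range before anything downstream turns it into
# web-server config or firewall rules.
# Arguments: $1 - URL, $2 - destination file
# Returns:   0 on success, 1 on download or validation failure
#######################################
fetch_ip_list() {
  local url=$1 dest=$2
  # --fail makes an HTTP error a non-zero exit instead of saving the error
  # page as if it were the list (replaces the separate HEAD probe).
  if ! curl --fail --silent --show-error --location --output "$dest" "$url"; then
    printf 'Could not download %s\n' "$url" >&2
    return 1
  fi
  # Guarantee a trailing newline so the two lists can be concatenated
  # without the last IPv4 entry fusing with the first IPv6 entry.
  sed -i -e '$a\' "$dest"
  [[ -s $dest ]] || { printf 'Empty list from %s\n' "$url" >&2; return 1; }
  # -v -q succeeds if at least one line does NOT look like a CIDR range.
  if grep -Evq '^([0-9A-Fa-f.:]+/[0-9]{1,3})?$' "$dest"; then
    printf 'Unexpected content in %s, refusing to apply it\n' "$url" >&2
    return 1
  fi
  return 0
}

#######################################
# Resolve which origin port(s) Cloudflare may reach.
# Globals:  CF_SSL_ORIGIN (read), CF_SSL (read/written), PORT (written)
# Exits:    1 when no valid selection can be obtained
#######################################
select_ports() {
  if [[ -n ${CF_SSL_ORIGIN:-} ]]; then
    CF_SSL="$CF_SSL_ORIGIN"
  fi
  if [[ -z ${CF_SSL:-} ]]; then
    echo "Select whether HTTP, HTTPS or both should be used to query from cloudflare to the origin server:"
    echo "Further information: https://support.cloudflare.com/hc/articles/200170416"$'\n'
    echo " 1) Off or flexible (Port 80 will be allowed)"
    echo " 2) Complete or complete (strict) (Port 443 will be allowed)"
    echo " 3) Both (Port 80 and 443 will be allowed)"
    while [[ ${CF_SSL:-} != "1" && ${CF_SSL:-} != "2" && ${CF_SSL:-} != "3" ]]; do
      # read fails on EOF (non-interactive run without CF_SSL); bail out
      # rather than spinning forever on an empty answer.
      read -rp "Select an option [1-3]: " CF_SSL \
        || die "No port selection given; set CF_SSL_ORIGIN to 1, 2 or 3"
    done
  fi
  case "$CF_SSL" in
    1) PORT="80" ;;
    2) PORT="443" ;;
    3) PORT="80,443" ;;
    *) die "CF_SSL must be 1, 2 or 3 (got '$CF_SSL')" ;;
  esac
}

#######################################
# Print one directive per CIDR from a list file, skipping blank lines.
# Arguments: $1 - directive keyword, $2 - list file,
#            $3 - suffix appended to each line (";" for nginx, "" for Apache)
# Outputs:   directives on stdout
#######################################
emit_directives() {
  local keyword=$1 list=$2 suffix=$3 cidr
  while IFS= read -r cidr || [[ -n $cidr ]]; do
    [[ -n $cidr ]] || continue
    printf '%s %s%s\n' "$keyword" "$cidr" "$suffix"
  done < "$list"
}

#######################################
# Render the complete trusted-proxy config for one server into a file.
# Globals:   WORKDIR, CURRENT_TIME (read)
# Arguments: $1 - output file, $2 - directive keyword, $3 - line suffix,
#            $4 - trailing header directive (real_ip_header / RemoteIPHeader)
#######################################
render_config() {
  local out=$1 keyword=$2 suffix=$3 header=$4
  {
    printf '# Cloudflare\n# Last Change: %s\n' "$CURRENT_TIME"
    printf '\n# - IPv4\n'
    emit_directives "$keyword" "$WORKDIR/cf_ipv4" "$suffix"
    printf '\n# - IPv6\n'
    emit_directives "$keyword" "$WORKDIR/cf_ipv6" "$suffix"
    printf '\n%s\n' "$header"
  } > "$out"
}

#######################################
# Put a rendered config in place, keeping a copy of the previous file so a
# failed syntax check restores it instead of leaving the service unable to
# start on its next restart.
# Globals:   WORKDIR (read)
# Arguments: $1 - config path, $2 - rendered file, $3... - validation command
# Returns:   0 when the validation command succeeds, 1 otherwise
#######################################
install_config() {
  local dest=$1 src=$2 backup=
  shift 2
  if [[ -f $dest ]]; then
    backup="$WORKDIR/${dest##*/}.bak"
    cp -p -- "$dest" "$backup"
  fi
  cp -- "$src" "$dest"
  if "$@"; then
    return 0
  fi
  printf 'Configuration test failed, restoring previous %s\n' "$dest" >&2
  if [[ -n $backup ]]; then
    cp -p -- "$backup" "$dest"
  else
    rm -f -- "$dest"
  fi
  return 1
}

#######################################
# Nginx: trust Cloudflare for the real client IP, then test and restart.
#######################################
configure_nginx() {
  type "nginx" &> /dev/null || return 0
  local dest=/etc/nginx/conf.d/cloudflare_realip.conf
  render_config "$WORKDIR/nginx.conf" "set_real_ip_from" ";" "real_ip_header CF-Connecting-IP;"
  install_config "$dest" "$WORKDIR/nginx.conf" nginx -t \
    && systemctl restart nginx
}

# Enable the remoteip module and our conf (idempotent), then syntax-check.
apache_enable_and_test() {
  [[ -f /etc/apache2/mods-enabled/remoteip.load ]] || a2enmod remoteip
  [[ -f /etc/apache2/conf-enabled/cloudflare_realip.conf ]] || a2enconf cloudflare_realip
  apache2ctl configtest
}

#######################################
# Apache: trust Cloudflare for the real client IP via mod_remoteip.
# Skips with a message when the module is not installed.
#######################################
configure_apache() {
  type "apache2ctl" &> /dev/null || return 0
  if [[ ! -f /etc/apache2/mods-available/remoteip.load ]]; then
    echo "Can't enable Remote-IP Module. This Module is needed! Otherwise RemoteIPTrustedProxy-Command isn't recognized. Skipping..." >&2
    return 0
  fi
  local dest=/etc/apache2/conf-available/cloudflare_realip.conf
  render_config "$WORKDIR/apache.conf" "RemoteIPTrustedProxy" "" "RemoteIPHeader CF-Connecting-IP"
  install_config "$dest" "$WORKDIR/apache.conf" apache_enable_and_test \
    && systemctl restart apache2
}

#######################################
# ufw (when installed and active): drop the rules from the previous run and
# allow every current range on the selected port(s).
# Globals: WORKDIR, PORT, CURRENT_TIME, UFW_COMMENT_PREFIX (read)
#######################################
configure_ufw() {
  type "ufw" &> /dev/null || return 0
  if ufw status | grep -q 'inactive$'; then
    return 0
  fi
  local num cidr
  # Rule numbers shift after each deletion, so delete from highest to lowest.
  while read -r num; do
    [[ -n $num ]] || continue
    ufw --force delete "$num"
  done < <(ufw status numbered | grep -F "# $UFW_COMMENT_PREFIX" \
             | awk -F'[][]' '{print $2}' | tr -d '[:blank:]' | sort -rn)
  while IFS= read -r cidr || [[ -n $cidr ]]; do
    [[ -n $cidr ]] || continue
    ufw allow proto tcp from "$cidr" to any port "$PORT" comment "$UFW_COMMENT_PREFIX $CURRENT_TIME"
  done < "$WORKDIR/cf_ips"
  ufw reload
}

main() {
  if [[ $EUID -ne 0 ]]; then
    echo "Sorry, you need to run this as root" >&2
    exit 1
  fi
  if [[ -f /etc/environment ]]; then
    # Sourced as shell syntax; only KEY=value lines are expected there.
    # shellcheck disable=SC1091
    source /etc/environment
  else
    PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"
  fi
  # Private scratch dir instead of fixed names under /tmp: this runs as root
  # and writes the downloaded lists, so the paths must not be guessable.
  WORKDIR=$(mktemp -d) || die "mktemp failed"
  trap cleanup EXIT
  # Both lists are fetched and validated before any config is touched.
  fetch_ip_list "$CF_IPV4_URL" "$WORKDIR/cf_ipv4" || exit 1
  fetch_ip_list "$CF_IPV6_URL" "$WORKDIR/cf_ipv6" || exit 1
  cat -- "$WORKDIR/cf_ipv4" "$WORKDIR/cf_ipv6" > "$WORKDIR/cf_ips"
  select_ports
  # Single date call so day and time cannot straddle a minute boundary.
  CURRENT_TIME="$(date '+%d.%m.%Y %R')"
  configure_nginx
  configure_apache
  configure_ufw
}

main "$@"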