Configure Nginx Reverse Proxy behind Cloudflare
On reverse proxy server, lets install some basic utilities.
|
1 2 3 |
apt install -y wget wget https://raw.githubusercontent.com/serverok/server-setup/master/debian/1-basic-tools.sh bash 1-basic-tools.sh |
Install nginx
|
1 |
apt install nginx -y |
Now create a config file
|
1 |
vi /etc/nginx/sites-enabled/proxy.conf |
Add following to the file and save
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 |
server { server_name YOUR-DOMAIN.COM www.YOUR-DOMAIN.COM; listen *:80; client_max_body_size 100M; proxy_read_timeout 600s; proxy_buffers 16 4k; proxy_buffer_size 2k; location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Host $host; proxy_pass http://BACKEND-SERVER-IP:80; } } server { server_name YOUR-DOMAIN.COM www.YOUR-DOMAIN.COM; set_real_ip_from 103.21.244.0/22; set_real_ip_from 103.22.200.0/22; set_real_ip_from 103.31.4.0/22; set_real_ip_from 104.16.0.0/12; set_real_ip_from 108.162.192.0/18; set_real_ip_from 131.0.72.0/22; set_real_ip_from 141.101.64.0/18; set_real_ip_from 162.158.0.0/15; set_real_ip_from 172.64.0.0/13; set_real_ip_from 173.245.48.0/20; set_real_ip_from 188.114.96.0/20; set_real_ip_from 190.93.240.0/20; set_real_ip_from 197.234.240.0/22; set_real_ip_from 198.41.128.0/17; set_real_ip_from 2400:cb00::/32; set_real_ip_from 2606:4700::/32; set_real_ip_from 2803:f800::/32; set_real_ip_from 2405:b500::/32; set_real_ip_from 2405:8100::/32; set_real_ip_from 2c0f:f248::/32; set_real_ip_from 2a06:98c0::/29; # use any of the following two real_ip_header CF-Connecting-IP; #real_ip_header X-Forwarded-For; listen 443 ssl http2; ssl on; ssl_certificate /etc/nginx/ssl/YOUR-DOMAIN.COM.crt; ssl_certificate_key /etc/nginx/ssl/YOUR-DOMAIN.COM.key; client_max_body_size 100M; proxy_read_timeout 600s; proxy_buffers 16 4k; proxy_buffer_size 2k; location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Host $host; proxy_pass https://BACKEND-SERVER-IP:443; } } |
In above replce following
|
1 2 |
YOUR-DOMAIN.COM = replace with your actual domain name BACKEND-SERVER-IP = replace with IP of the web server where your web site is running. |
Next create a self signed SSL certificate for the web site
|
1 2 3 4 |
mkdir /etc/nginx/ssl cd /etc/nginx/ssl openssl genrsa -out YOUR-DOMAIN.COM.key 2048 openssl req -new -x509 -key YOUR-DOMAIN.COM.key -out YOUR-DOMAIN.COM.crt -days 3650 -subj /CN="YOUR-DOMAIN.COM www.YOUR-DOMAIN.COM" |
Restart nginx
|
1 |
nginx -s reload |
At this stage, you can login to cloudflare, point IP of the web site to reverse proxy server IP address.
Show real IP address
When running a site behind reverse proxy, by default, web server shows IP of the revese proxy server instead of real visitor IP. To fix this, you need to configure remoteip module.
On Cpanel server, edit file
|
1 |
vi /etc/apache2/conf.modules.d/370_mod_remoteip.conf |
Find
|
1 |
RemoteIPTrustedProxy 127.0.0.1 |
Add your proxy server IP after.
Example
|
1 2 3 4 5 6 7 8 |
root@lh34134 [~]# cat /etc/apache2/conf.modules.d/370_mod_remoteip.conf # Enable mod_remoteip LoadModule remoteip_module modules/mod_remoteip.so RemoteIPHeader X-Forwarded-For RemoteIPTrustedProxy 127.0.0.1 94.242.55.132 104.238.213.205 185.193.126.66 207.246.98.251 root@lh34134 [~]# |