Configure Nginx Reverse Proxy behind Cloudflare

On reverse proxy server, lets install some basic utilities.

apt install -y wget
wget https://raw.githubusercontent.com/serverok/server-setup/master/debian/1-basic-tools.sh
bash 1-basic-tools.sh

Install nginx

apt install nginx -y

Now create a config file

vi /etc/nginx/sites-enabled/proxy.conf 

Add following to the file and save

server {
    server_name  YOUR-DOMAIN.COM www.YOUR-DOMAIN.COM;
    listen *:80;
    client_max_body_size 100M;
    proxy_read_timeout 600s;
    proxy_buffers 16 4k;
    proxy_buffer_size 2k;
    location / {
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_pass http://BACKEND-SERVER-IP:80;
    }
}

server {

    server_name  YOUR-DOMAIN.COM www.YOUR-DOMAIN.COM;

    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 104.16.0.0/12;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2405:8100::/32;
    set_real_ip_from 2c0f:f248::/32;
    set_real_ip_from 2a06:98c0::/29;

    # use any of the following two
    real_ip_header CF-Connecting-IP;
    #real_ip_header X-Forwarded-For;


    listen 443 ssl http2;
    ssl on;
    ssl_certificate /etc/nginx/ssl/YOUR-DOMAIN.COM.crt;
    ssl_certificate_key /etc/nginx/ssl/YOUR-DOMAIN.COM.key;

    client_max_body_size 100M;
    proxy_read_timeout 600s;
    proxy_buffers 16 4k;
    proxy_buffer_size 2k;
    location / {
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_pass https://BACKEND-SERVER-IP:443;
    }
}

In above replce following

YOUR-DOMAIN.COM = replace with your actual domain name
BACKEND-SERVER-IP = replace with IP of the web server where your web site is running.

Next create a self signed SSL certificate for the web site

mkdir /etc/nginx/ssl
cd /etc/nginx/ssl
openssl genrsa -out YOUR-DOMAIN.COM.key 2048
openssl req -new -x509 -key YOUR-DOMAIN.COM.key -out YOUR-DOMAIN.COM.crt -days 3650 -subj /CN="YOUR-DOMAIN.COM www.YOUR-DOMAIN.COM"

Restart nginx

nginx -s reload

At this stage, you can login to cloudflare, point IP of the web site to reverse proxy server IP address.

Show real IP address

When running a site behind reverse proxy, by default, web server shows IP of the revese proxy server instead of real visitor IP. To fix this, you need to configure remoteip module.

On Cpanel server, edit file

vi /etc/apache2/conf.modules.d/370_mod_remoteip.conf

Find

RemoteIPTrustedProxy 127.0.0.1

Add your proxy server IP after.

Example

root@lh34134 [~]# cat /etc/apache2/conf.modules.d/370_mod_remoteip.conf
# Enable mod_remoteip
LoadModule remoteip_module modules/mod_remoteip.so

RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 127.0.0.1 94.242.55.132 104.238.213.205 185.193.126.66 207.246.98.251

root@lh34134 [~]# 

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *