mdoules/cloudflare-proxy: Allow local ip addreses

author: Linnnus <[email protected]> 2025-03-16 01:32:51 +0100
committer: Linnnus <[email protected]> 2025-03-16 01:35:09 +0100
commit: 83f80c3236d6be8a0a8a29c5a9bd4c4761cdff14 (patch)
tree: 4d9a8369d9960c6adf1942afd88350c0d82541be /shared/nixos/cloudflare-proxy/default.nix
parent: 0df552f2ee09f04fcb2f70ca749483a3280189cb (diff)
1 files changed, 15 insertions, 2 deletions
diff --git a/shared/nixos/cloudflare-proxy/default.nix b/shared/nixos/cloudflare-proxy/default.nix
index 45ccaa6..7725fbb 100644
--- a/shared/nixos/cloudflare-proxy/default.nix
+++ b/shared/nixos/cloudflare-proxy/default.nix
@@ -19,8 +19,21 @@
     hash = "sha256-np054+g7rQDE3sr9U8Y/piAp89ldto3pN9K+KCNMoKk=";
   });
 
-  IPv4Whitelist = [metadata.hosts.muhammed.ipAddress];
-  IPv6Whitelist = [];
+  # Allow local IP addresses.
+  # See: https://en.wikipedia.org/wiki/Reserved_IP_addresses
+  IPv4Whitelist = [
+    "100.64.0.0/10 "
+    "10.0.0.0/8"
+    "127.0.0.0/8"
+    "172.16.0.0/12"
+    "192.0.0.0/24"
+    "192.168.0.0/16"
+    "198.18.0.0/15"
+  ];
+  IPv6Whitelist = [
+    "64:ff9b:1::/48 "
+    "fc00::/7"
+  ];
 in {
   config = {
     # Teach NGINX how to extract the proxied IP from proxied requests.
author	Linnnus <[email protected]>	2025-03-16 01:32:51 +0100
committer	Linnnus <[email protected]>	2025-03-16 01:35:09 +0100
commit	83f80c3236d6be8a0a8a29c5a9bd4c4761cdff14 (patch)
tree	4d9a8369d9960c6adf1942afd88350c0d82541be /shared/nixos/cloudflare-proxy/default.nix
parent	0df552f2ee09f04fcb2f70ca749483a3280189cb (diff)