-rw-r--r--hosts/ahmed/configuration.nix3
-rw-r--r--modules/cloudflare-proxy/default.nix39
-rw-r--r--modules/default.nix1
3 files changed, 43 insertions, 0 deletions
diff --git a/hosts/ahmed/configuration.nix b/hosts/ahmed/configuration.nix
index a2a2655..b31e441 100644
--- a/hosts/ahmed/configuration.nix
+++ b/hosts/ahmed/configuration.nix
@@ -71,6 +71,9 @@
defaults.email = "linusvejlo+${config.networking.hostName}[email protected]";
};
+ # We are running behind CF proxy.
+ my.modules.cloudflare-proxy.enable = true;
+
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. It's perfectly fine and recommended to leave
diff --git a/modules/cloudflare-proxy/default.nix b/modules/cloudflare-proxy/default.nix
new file mode 100644
index 0000000..73d8893
--- /dev/null
+++ b/modules/cloudflare-proxy/default.nix
@@ -0,0 +1,39 @@
+# This module adds some extra configuration useful when running behid a Cloudflare Proxy.
+#
+
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) mkEnableOption mkIf;
+
+ cfg = config.my.modules.cloudflare-proxy;
+in
+{
+ options.my.modules.cloudflare-proxy.enable = mkEnableOption "Cloudflare proxy IP extraction for NGINX";
+
+ config = mkIf cfg.enable {
+ # Teach NGINX how to extract the proxied IP from proxied requests.
+ #
+ # See: https://nixos.wiki/wiki/Nginx#Using_realIP_when_behind_CloudFlare_or_other_CDN
+ services.nginx.commonHttpConfig =
+ let
+ realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from ${x};");
+ fileToList = x: lib.strings.splitString "\n" (builtins.readFile x);
+ cfipv4 = fileToList (pkgs.fetchurl {
+ url = "https://www.cloudflare.com/ips-v4";
+ sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
+ });
+ cfipv6 = fileToList (pkgs.fetchurl {
+ url = "https://www.cloudflare.com/ips-v6";
+ sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
+ });
+ in
+ ''
+ ${realIpsFromList cfipv4}
+ ${realIpsFromList cfipv6}
+ real_ip_header CF-Connecting-IP;
+ '';
+
+ # TODO: Only allow incomming HTTP{,S} requests from non-Cloudflare IPs.
+ };
+}
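Review bot: `fileToList` on the `fileToList = x: lib.strings.splitString "\n" (builtins.readFile x);` line keeps every element of the split, so if either fetched list ever ends with a trailing newline the result contains an empty string and `realIpsFromList` emits a bare `set_real_ip_from ;`, which NGINX rejects at config load; filtering empties is cheap insurance, e.g. `fileToList = x: lib.filter (s: s != "") (lib.strings.splitString "\n" (builtins.readFile x));`. Because both `fetchurl` calls are pinned by sha256, the trusted range set is frozen at the pinned content and any change to Cloudflare's published ranges breaks the build rather than silently widening trust, which is the safe direction but worth a comment near the hashes so the next maintainer knows re-pinning is a deliberate review step. The `real_ip_header CF-Connecting-IP` directive is only honoured for sources matched by `set_real_ip_from`, so a client connecting directly to the origin cannot spoof its address through that header; the `TODO` on the last lines about restricting non-Cloudflare sources remains the open gap, since such direct connections still bypass whatever filtering the proxy provides.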
diff --git a/modules/default.nix b/modules/default.nix
index 5d3961d..ae6789f 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -4,5 +4,6 @@
imports =
[
./linus.onl
+ ./cloudflare-proxy
];
}