| author | Mel <mel@rnrd.eu> | 2025-08-22 03:15:45 +0200 |
|---|---|---|
| committer | Mel <mel@rnrd.eu> | 2025-08-22 03:15:45 +0200 |
| commit | 9e4dc7114f74ed5b86cca8d34cb62b333081a4fe (patch) | |
| tree | e8e56264d19e8969c696d95221a0f95191e11bf6 /modules/foundation/www/default.nix | |
| parent | 053dcf87674a3c75245f87ee69beab197e8fb7a8 (diff) | |
Grab real remote IP through Cloudflare proxy
Signed-off-by: Mel <mel@rnrd.eu>
Diffstat (limited to 'modules/foundation/www/default.nix')
| -rw-r--r-- | modules/foundation/www/default.nix | 63 |
1 files changed, 44 insertions, 19 deletions
diff --git a/modules/foundation/www/default.nix b/modules/foundation/www/default.nix index 97e2f2f..5030799 100644 --- a/modules/foundation/www/default.nix +++ b/modules/foundation/www/default.nix @@ -4,6 +4,8 @@ pkgs, lib, util, + cloudflare-ips-v4, + cloudflare-ips-v6, ... }: @@ -13,6 +15,9 @@ let mkIf mkEnableOption mkOption + concatMapStrings + concatLines + splitString ; inherit (config.age) secrets; 
@@ -109,25 +114,45 @@ in statusPage = true; - commonHttpConfig = '' - log_format json_combined escape=json '{' - '"time_local":"$time_local",' - '"remote_addr":"$remote_addr",' - '"remote_user":"$remote_user",' - '"request":"$request",' - '"status": "$status",' - '"body_bytes_sent":"$body_bytes_sent",' - '"request_length":"$request_length",' - '"request_time":"$request_time",' - '"http_referrer":"$http_referer",' - '"http_user_agent":"$http_user_agent",' - '"upstream_response_time":"$upstream_response_time",' - '"upstream_addr":"$upstream_addr",' - '"upstream_status":"$upstream_status"' - '}'; - access_log /var/log/nginx/access.log json_combined; - error_log /var/log/nginx/error.log warn; - ''; + commonHttpConfig = + let + logs = '' + log_format json_combined escape=json '{' + '"time_local":"$time_local",' + '"remote_addr":"$remote_addr",' + '"remote_user":"$remote_user",' + '"request":"$request",' + '"status": "$status",' + '"body_bytes_sent":"$body_bytes_sent",' + '"request_length":"$request_length",' + '"request_time":"$request_time",' + '"http_referrer":"$http_referer",' + '"http_user_agent":"$http_user_agent",' + '"upstream_response_time":"$upstream_response_time",' + '"upstream_addr":"$upstream_addr",' + '"upstream_status":"$upstream_status",' + '"cf_connecting_ip":"$http_cf_connecting_ip"' + '}'; + access_log /var/log/nginx/access.log json_combined; + error_log /var/log/nginx/error.log warn; + ''; + + cloudflareAddresses = builtins.filter (ip: ip != "") ( + splitString "\n" '' + ${builtins.readFile cloudflare-ips-v4} + ${builtins.readFile cloudflare-ips-v6} + '' + ); + + realIpLine = ip: "set_real_ip_from ${ip};\n"; + + cloudflare = '' + ${concatMapStrings realIpLine cloudflareAddresses} + + real_ip_header CF-Connecting-IP; + ''; + in + concatLines [ logs cloudflare ]; virtualHosts = { base = mkIf cfg.public (defaultHost rnrdUrl "rnrd.eu" cfg.defaultPage "base"); |
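Review bot: Once `real_ip_header CF-Connecting-IP` is active, `$remote_addr` in `json_combined` holds the rewritten client address and the log no longer records the TCP peer that actually connected; add `'"realip_remote_addr":"$realip_remote_addr",'` to the `log_format` in `logs` so the proxy hop stays auditable. The new `cf_connecting_ip` field is the raw request header and is written for every request, including ones whose peer is not in the `set_real_ip_from` list, so log consumers should treat it as client-supplied unless the peer is a listed range. The trusted ranges are read from `cloudflare-ips-v4`/`cloudflare-ips-v6` at evaluation time; if those inputs are pinned (not visible here), a stale list either leaves `$remote_addr` as a Cloudflare edge address or keeps trusting withdrawn ranges, so a comment on `cloudflareAddresses` saying how they are refreshed would help. The enclosing attribute set starts and ends outside this hunk.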
