Hide Origin IP
Right 👍 that's a good idea, so you don't have to update it manually every time Cloudflare adds or changes entries in their IP list. We can write an automated script that will:
- Download the latest Cloudflare IP list from its official URL
- Save it to a file (for example /etc/nginx/conf.d/cloudflare.conf, or .htaccess for Apache)
- Reload the web server so the rules take effect immediately.
Here is an example bash script for Nginx:
#!/bin/bash
# update-cloudflare-ips.sh
set -euo pipefail
CF_DIR="/etc/nginx/cloudflare"
ALLOW_FILE="$CF_DIR/allow.conf"
REALIP_FILE="$CF_DIR/set_real_ip.conf"
mkdir -p "$CF_DIR"
# Download the IP lists into temporary files first.
# -f makes curl fail on HTTP errors, and set -e then aborts the script,
# so a failed download never replaces the existing lists with an empty one.
curl -sf https://www.cloudflare.com/ips-v4 -o "$CF_DIR/ips-v4.tmp"
curl -sf https://www.cloudflare.com/ips-v6 -o "$CF_DIR/ips-v6.tmp"
# Refuse to continue if either list is empty (an empty allow list would lock everyone out)
[ -s "$CF_DIR/ips-v4.tmp" ] && [ -s "$CF_DIR/ips-v6.tmp" ] || { echo "Empty Cloudflare IP list downloaded, aborting" >&2; exit 1; }
mv "$CF_DIR/ips-v4.tmp" "$CF_DIR/ips-v4"
mv "$CF_DIR/ips-v6.tmp" "$CF_DIR/ips-v6"
# Generate allow.conf
# The "|| [ -n "$ip" ]" keeps the last range even if the file has no trailing newline
{
    echo "# Cloudflare allow list - $(date)"
    while read -r ip || [ -n "$ip" ]; do
        echo "allow $ip;"
    done < "$CF_DIR/ips-v4"
    while read -r ip || [ -n "$ip" ]; do
        echo "allow $ip;"
    done < "$CF_DIR/ips-v6"
    echo "deny all;"
} > "$ALLOW_FILE"
# Generate set_real_ip.conf
{
    echo "# Cloudflare real IP - $(date)"
    while read -r ip || [ -n "$ip" ]; do
        echo "set_real_ip_from $ip;"
    done < "$CF_DIR/ips-v4"
    while read -r ip || [ -n "$ip" ]; do
        echo "set_real_ip_from $ip;"
    done < "$CF_DIR/ips-v6"
} > "$REALIP_FILE"
# Reload nginx only if the configuration test passes
nginx -t && systemctl reload nginx
🔹 How to use it:
- Save the script to /usr/local/bin/update-cloudflare-ips.sh
- chmod +x /usr/local/bin/update-cloudflare-ips.sh
- Add it to a cron job so it updates automatically every day:
0 3 * * * /usr/local/bin/update-cloudflare-ips.sh
Nice, mas, that's tidy 👍.
But the problem now: the Cloudflare allow list in the vhost is still hardcoded → meaning if Cloudflare changes or adds IPs, you have to update it manually.
To make it automatic, the trick is to move the allow list into a separate file, then let the update-cloudflare-ips.sh script I gave you yesterday fill it in.
🔧 Steps to modify the vhost
Change that long allow section into an include of an external file. For example:
server {
    listen 443 ssl;
    server_name poltekesos.ac.id www.poltekesos.ac.id;
    ssl_certificate /etc/nginx/ssl/2025/poltekesos.crt;
    ssl_certificate_key /etc/nginx/ssl/2025/poltekesos.key;
    proxy_buffers 16 64k;
    proxy_buffer_size 128k;
    add_header Strict-Transport-Security "max-age=31536000";
    access_log /var/log/nginx/poltekesos_ssl.access.log;
    error_log /var/log/nginx/poltekesos_ssl.error.log;
    # --- Cloudflare: trust the real client IP ---
    include /etc/nginx/cloudflare/set_real_ip.conf;
    real_ip_header X-Forwarded-For;
    location / {
        # Allow the admin
        allow 103.184.56.245;
        # Allow all Cloudflare ranges (updated automatically by the script)
        include /etc/nginx/cloudflare/allow.conf;
        # Everything other than admin + Cloudflare → maintenance page
        deny all;
        error_page 403 = /maintenance.html;
        # Backend only for valid IPs
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        modsecurity_rules_file /etc/nginx/modsec/conf/poltekesos.ac.id/modsecurity.conf;
        client_max_body_size 1024M;
        client_body_buffer_size 1024M;
        proxy_connect_timeout 600;
        proxy_send_timeout 600;
        proxy_read_timeout 600;
        send_timeout 600;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://172.16.10.16:80;
    }
    location = /maintenance.html {
        root /var/www/html;
    }
}