Hide Origin IP
To avoid updating things by hand every time Cloudflare adds or changes entries in its IP list, we can write a script that automatically:
- downloads the latest Cloudflare IP list from the official URLs,
- saves it to a file (for example `/etc/nginx/conf.d/cloudflare.conf` for Nginx, or `.htaccess` for Apache),
- reloads the web server so the rules take effect immediately.
Here is an example bash script for Nginx:
```bash
#!/bin/bash
# update-cloudflare-ips.sh
# Fetch Cloudflare's published IP ranges and regenerate the nginx fragments
# that the vhost includes. Any failure aborts before the live files change.
set -euo pipefail

CF_DIR="/etc/nginx/cloudflare"
ALLOW_FILE="$CF_DIR/allow.conf"
REALIP_FILE="$CF_DIR/set_real_ip.conf"
mkdir -p "$CF_DIR"

# Download into temp files first. -f makes curl fail on an HTTP error instead
# of saving the error page; an empty list would otherwise become "deny all;".
TMP_V4=$(mktemp); TMP_V6=$(mktemp)
trap 'rm -f "$TMP_V4" "$TMP_V6"' EXIT
curl -fsS https://www.cloudflare.com/ips-v4 -o "$TMP_V4"
curl -fsS https://www.cloudflare.com/ips-v6 -o "$TMP_V6"
if ! [ -s "$TMP_V4" ] || ! [ -s "$TMP_V6" ]; then
  echo "empty IP list downloaded, aborting" >&2
  exit 1
fi
mv "$TMP_V4" "$CF_DIR/ips-v4"
mv "$TMP_V6" "$CF_DIR/ips-v6"

# Emit "<directive> <cidr>;" for every entry of both lists
emit() {
  local directive=$1 f ip
  for f in "$CF_DIR/ips-v4" "$CF_DIR/ips-v6"; do
    while IFS= read -r ip || [ -n "$ip" ]; do
      [ -z "$ip" ] || echo "$directive $ip;"
    done < "$f"
  done
}

# Keep the previous fragments so a broken configuration can be rolled back
for f in "$ALLOW_FILE" "$REALIP_FILE"; do
  if [ -f "$f" ]; then cp -p "$f" "$f.bak"; fi
done

# Generate allow.conf
{
  echo "# Cloudflare allow list - $(date)"
  emit allow
  echo "deny all;"
} > "$ALLOW_FILE"

# Generate set_real_ip.conf
{
  echo "# Cloudflare real IP - $(date)"
  emit set_real_ip_from
} > "$REALIP_FILE"

# Reload only if the whole configuration still parses; otherwise roll back
if nginx -t; then
  systemctl reload nginx
else
  echo "nginx -t failed, restoring previous fragments" >&2
  for f in "$ALLOW_FILE" "$REALIP_FILE"; do
    if [ -f "$f.bak" ]; then mv "$f.bak" "$f"; fi
  done
  exit 1
fi
```
🔹 How to use it:
- Save the script as `/usr/local/bin/update-cloudflare-ips.sh`
- `chmod +x /usr/local/bin/update-cloudflare-ips.sh`
- Add a cron job so it updates every day:

```
0 3 * * * /usr/local/bin/update-cloudflare-ips.sh
```
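An added example (not the page's script) of a stricter generator for these fragments, in POSIX shell: every downloaded entry is checked to be a real CIDR, each file is assembled in a temp file and moved into place only when both lists validated, and a third fragment, geo.conf, is produced for a Cloudflare-only gate. The function names, the geo.conf file and its use are assumptions of this example; the curl step stays as in the script above and feeds the ips-v4/ips-v6 files this reads.

```shell
#!/bin/bash
# Added example, not the page's script: rebuild the nginx fragments from the
# downloaded Cloudflare lists only after validating every entry, writing each
# file atomically. Paths and the geo.conf fragment are assumptions of this
# example; the curl download step is left as in the script above.

# Four dotted octets, each 0-255.
ipv4_ok() {
  case "$1" in *.*.*.*) ;; *) return 1 ;; esac
  v4_old_ifs=$IFS; IFS=.; set -- $1; IFS=$v4_old_ifs
  [ $# -eq 4 ] || return 1
  for v4_o in "$@"; do
    case "$v4_o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$v4_o" -le 255 ] || return 1
  done
}

# Accept only "<address>/<prefix>": IPv4 with prefix <= 32, or an IPv6 shape
# (hex digits and colons) with prefix <= 128. Anything else is rejected, so a
# captive-portal page or a truncated line can never become an allow rule.
cidr_valid() {
  case "$1" in */*) ;; *) return 1 ;; esac
  cv_ip=${1%/*}; cv_plen=${1##*/}
  case "$cv_plen" in ''|*[!0-9]*) return 1 ;; esac
  case "$cv_ip" in
    *:*) case "$cv_ip" in *[!0-9a-fA-F:]*) return 1 ;; esac
         [ "$cv_plen" -le 128 ] ;;
    *)   [ "$cv_plen" -le 32 ] || return 1
         ipv4_ok "$cv_ip" ;;
  esac
}

# Print one line per list entry using FMT (a printf format with one %s);
# fail on an empty list or on the first invalid entry.
render_fragment() {
  rf_fmt=$1; rf_list=$2; rf_n=0
  while IFS= read -r rf_cidr || [ -n "$rf_cidr" ]; do
    [ -n "$rf_cidr" ] || continue
    cidr_valid "$rf_cidr" || { echo "rejected entry in $rf_list: $rf_cidr" >&2; return 1; }
    printf "$rf_fmt\n" "$rf_cidr"   # the format string is ours, not list data
    rf_n=$((rf_n + 1))
  done < "$rf_list"
  [ "$rf_n" -gt 0 ]
}

# build_fragment FMT V4_LIST V6_LIST OUT [TRAILER]: assemble into a temp file
# and move it into place only if both lists validated, so a bad download
# leaves the previous fragment untouched.
build_fragment() {
  bf_fmt=$1; bf_v4=$2; bf_v6=$3; bf_out=$4; bf_trailer=${5:-}
  bf_tmp=$(mktemp) || return 1
  if {
       printf '# generated %s from the Cloudflare IP lists\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
       render_fragment "$bf_fmt" "$bf_v4" && render_fragment "$bf_fmt" "$bf_v6"
     } > "$bf_tmp"
  then
    [ -z "$bf_trailer" ] || echo "$bf_trailer" >> "$bf_tmp"
    chmod 0644 "$bf_tmp" && mv "$bf_tmp" "$bf_out"
  else
    rm -f "$bf_tmp"; return 1
  fi
}

# build_all LISTS_DIR OUT_DIR: the two fragments the vhost includes, plus
# geo.conf for a map keyed on $realip_remote_addr (the connecting address
# before the real_ip module rewrote it), which is what a Cloudflare-only
# gate has to test once real_ip is active.
build_all() {
  ba_v4=$1/ips-v4; ba_v6=$1/ips-v6; ba_out=$2
  build_fragment 'allow %s;'            "$ba_v4" "$ba_v6" "$ba_out/allow.conf" 'deny all;' &&
  build_fragment 'set_real_ip_from %s;' "$ba_v4" "$ba_v6" "$ba_out/set_real_ip.conf" &&
  build_fragment '%s 1;'                "$ba_v4" "$ba_v6" "$ba_out/geo.conf"
}

# Usage from the update script, after the curl step:
#   build_all /etc/nginx/cloudflare /etc/nginx/cloudflare && nginx -t && systemctl reload nginx
```

geo.conf exists because, once real_ip is active, allow/deny compare the visitor's address; to keep the origin reachable only through Cloudflare, the connecting address has to be tested instead, which nginx exposes as `$realip_remote_addr`. The fragment is consumed as `geo $realip_remote_addr $from_cloudflare { default 0; include /etc/nginx/cloudflare/geo.conf; }` in the http block and `if ($from_cloudflare = 0) { return 403; }` in the server block.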
Nice, that's tidy 👍.
But the problem now: the Cloudflare allow list in the vhost is still hardcoded, which means that whenever Cloudflare changes or adds IPs it has to be updated by hand.
To make it automatic, the trick is to move the allow list into a separate file and let the update-cloudflare-ips.sh script I gave you yesterday fill it in.
🔧 Steps to modify the vhost
Turn that long allow section into an include of an external file. For example:
```nginx
server {
    listen 443 ssl;
    server_name poltekesos.ac.id www.poltekesos.ac.id;

    ssl_certificate     /etc/nginx/ssl/2025/poltekesos.crt;
    ssl_certificate_key /etc/nginx/ssl/2025/poltekesos.key;

    proxy_buffers 16 64k;
    proxy_buffer_size 128k;

    add_header Strict-Transport-Security "max-age=31536000";

    access_log /var/log/nginx/poltekesos_ssl.access.log;
    error_log  /var/log/nginx/poltekesos_ssl.error.log;

    # --- Cloudflare: trust the client-IP header only from Cloudflare's ranges ---
    # From here on $remote_addr holds the visitor's address, not the Cloudflare
    # edge address, and allow/deny below are evaluated against it.
    # CF-Connecting-IP is the header Cloudflare documents for this; the original
    # X-Forwarded-For also works because Cloudflare appends the visitor as its
    # last element.
    include /etc/nginx/cloudflare/set_real_ip.conf;
    real_ip_header CF-Connecting-IP;

    location / {
        # Allow the admin
        allow 103.184.56.245;
        # Cloudflare ranges, regenerated by the script. Because real_ip has
        # already replaced $remote_addr, these match the visitor's address here,
        # so they neither admit ordinary visitors nor restrict the origin to
        # Cloudflare; during maintenance only the admin line above matters.
        include /etc/nginx/cloudflare/allow.conf;
        # Everyone except the admin -> maintenance page
        deny all;
        # "=" makes the maintenance page's own status (200) the response code;
        # "=503" would return 503 so crawlers treat it as temporary.
        error_page 403 = /maintenance.html;

        # The backend is reached only by allowed IPs
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        modsecurity_rules_file /etc/nginx/modsec/conf/poltekesos.ac.id/modsecurity.conf;
        client_max_body_size 1024M;
        # Buffers up to 1 GiB of request body in memory per request before
        # spilling to disk; size this to what uploads actually need.
        client_body_buffer_size 1024M;
        proxy_connect_timeout 600;
        proxy_send_timeout 600;
        proxy_read_timeout 600;
        send_timeout 600;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://172.16.10.16:80;
    }

    location = /maintenance.html {
        root /var/www/html;
    }
}
```
👉 With the vhost configuration above:
- IP 103.184.56.245 gets normal access.
- Every other IP is denied with 403 Forbidden, which error_page turns into the maintenance page.

One caveat: the real_ip module rewrites $remote_addr before allow/deny runs, so a request that arrives through Cloudflare is checked against the visitor's address, not the edge address. The included Cloudflare allow list therefore plays no part in this rule, and it would not keep the origin Cloudflare-only after maintenance ends either. For that, test the address nginx saw on the connection, $realip_remote_addr (for example through a geo map), or drop non-Cloudflare sources at the host firewall.

After editing, don't forget:

```bash
nginx -t
systemctl reload nginx
```
Can you show an example maintenance page (with IP 103.184.56.245 still able to get in)? So the public sees a "Maintenance" page while the admin can still open the real site.
So the concept is:
- The admin IP (103.184.56.245) can still reach the real website.
- Every other IP is sent to a static "Maintenance Mode" page.
How:
- First create the maintenance file (for example at `/var/www/html/maintenance.html`):
```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>Maintenance</title>
  <style>
    body {
      font-family: Arial, sans-serif;
      text-align: center;
      margin-top: 15%;
      background: #f4f4f4;
    }
    .box {
      background: #fff;
      padding: 40px;
      border-radius: 12px;
      box-shadow: 0 2px 8px rgba(0,0,0,0.2);
      display: inline-block;
    }
  </style>
</head>
<body>
  <div class="box">
    <h1>🚧 Maintenance Mode</h1>
    <p>The site is temporarily under maintenance.<br>
    Please try again later.</p>
  </div>
</body>
</html>
```