How to Configure Nginx with Cloudflare & Incapsula


Nginx Cloudflare, Incapsula & PageSpeed IP addresses:

Note: you may need to whitelist the proxy's IP addresses in the CSF Firewall. Ideally, restrict inbound HTTP/HTTPS to those same ranges as well: anyone who can reach the origin server directly bypasses the proxy and whatever filtering or DDoS protection it provides.

If you use Cloudflare, Incapsula.com or Google PageSpeed Service, or any reverse proxy in front of Nginx (Varnish cache, PageSpeed service, a cloud DDoS proxy, etc.), you will need Nginx's ngx_http_realip_module (HttpRealIpModule), which is compiled in by default for Centmin Mod installs, and you will need to set set_real_ip_from and real_ip_header so that Nginx sees the visiting user's real IP address rather than the IP address of the reverse proxy or Cloudflare system. Nginx only honours the header named in real_ip_header when the connection comes from an address listed in set_real_ip_from, so keep that list to the proxy's published ranges: anything broader (for example 0.0.0.0/0) lets any client forge its address simply by sending the header itself.



Nginx Cloudflare IP addresses:

Cloudflare's KB explains this here and maintains an updated list of Cloudflare IP addresses here. They also have a detailed article on the subject here.

To use Cloudflare or a reverse proxy in front of Nginx, add the following code to /usr/local/nginx/conf/nginx.conf in the http {} section if all sites on the server are behind Cloudflare. For specific domains only, add it instead to the Nginx vhost file of each domain served via Cloudflare, i.e. /usr/local/nginx/conf/conf.d/newdomain.com.conf, within the server { } container. Then restart the Nginx web server.

Cloudflare IPs as at March 10th, 2016. An updated list of Cloudflare IP addresses is maintained here; re-check it periodically, since a range Cloudflare adds later is not trusted until you add it, and visitors arriving through it will then be logged with Cloudflare's address instead of their own.

For Cloudflare IPv4 addresses:

set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 199.27.128.0/21;
real_ip_header CF-Connecting-IP;

For Cloudflare IPv6 addresses (Note: not entirely sure these are correct for IPv6; confirm them against Cloudflare's current list):

# Cloudflare
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
real_ip_header CF-Connecting-IP;

If you are combining both IPv4 and IPv6, use the format below, with only one real_ip_header CF-Connecting-IP; line. Add the following code to /usr/local/nginx/conf/nginx.conf in the http {} section, and/or to the Nginx vhost file of any domain served via Cloudflare, i.e. /usr/local/nginx/conf/conf.d/newdomain.com.conf, within the server { } container. Then restart the Nginx web server.

set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 199.27.128.0/21;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
real_ip_header CF-Connecting-IP;

For a typical reverse proxy, e.g. the haproxy load balancer that the Centminmod.com site uses, trust just that proxy's address and read the client IP from X-Forwarded-For. A client can send its own X-Forwarded-For header, but the proxy adds the address it actually saw at the end, and with the default real_ip_recursive off Nginx uses the rightmost entry, so a forged value is ignored. If more than one trusted hop sits in front of Nginx (e.g. Cloudflare in front of haproxy), list every hop in set_real_ip_from and add real_ip_recursive on; (available since Nginx 1.2.1/1.3.0) so Nginx walks past the trusted hops to the real client address:

 set_real_ip_from yourreverseproxyip;
 real_ip_header X-Forwarded-For;
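To show what these two directives actually do, and why the set_real_ip_from list must be limited to the proxy, here is an added Python model of how Nginx's realip module picks the client address. It is an illustration written for this page, not Nginx's or Centmin Mod's code. The proxy address 203.0.113.10 (standing in for yourreverseproxyip), the client 198.51.100.7 and the forged address 192.0.2.66 are assumed values from the documentation ranges. The behaviour modelled is: honour the header only when the connecting peer is inside set_real_ip_from, take the rightmost entry, and with real_ip_recursive on keep walking left past trusted entries until an untrusted one is found.

```python
"""Which address Nginx ends up trusting, and why set_real_ip_from must be narrow.

Added illustration, not Nginx or Centmin Mod code. It models the selection
rule of ngx_http_realip_module for real_ip_header X-Forwarded-For on
constructed requests built from the documentation address ranges.
"""
import ipaddress

PROXY = ("203.0.113.10/32",)  # assumed: the single haproxy in front of Nginx


def is_trusted(addr, trusted):
    """True when addr falls inside one of the set_real_ip_from ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(cidr) for cidr in trusted)


def resolve_client(peer, xff, trusted=PROXY, recursive=False):
    """Return what $remote_addr becomes for this request.

    peer: source address of the TCP connection.
    xff:  the X-Forwarded-For header value, or None when absent.
    Ports inside header entries are not modelled.
    """
    if xff is None or not is_trusted(peer, trusted):
        return peer  # untrusted peer (or no header): the header is ignored
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    chosen = peer
    while hops:
        candidate = hops.pop()  # walk from the right, i.e. from the nearest proxy
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            return chosen  # unparsable entry: keep the last good one
        chosen = candidate
        if not recursive or not is_trusted(chosen, trusted):
            return chosen
    return chosen  # every hop was trusted: the leftmost entry wins


if __name__ == "__main__":
    cases = [
        # direct-to-origin attacker forging the header: ignored
        ("198.51.100.7", "192.0.2.66", PROXY, False),
        # normal visitor through the proxy
        ("203.0.113.10", "198.51.100.7", PROXY, False),
        # visitor sends a forged header; the proxy adds the real address after it
        ("203.0.113.10", "192.0.2.66, 198.51.100.7", PROXY, False),
        # over-broad trust (0.0.0.0/0): the forgery now succeeds
        ("198.51.100.7", "192.0.2.66", ("0.0.0.0/0",), False),
        # two trusted hops need real_ip_recursive on to reach the client
        ("203.0.113.10", "198.51.100.7, 203.0.113.20",
         ("203.0.113.10/32", "203.0.113.20/32"), True),
    ]
    for peer, xff, trusted, rec in cases:
        print(peer, repr(xff), "->", resolve_client(peer, xff, trusted, rec))
```

The fourth case is the one to remember: the same forged header that is harmless with a one-address trust list becomes the logged client address as soon as set_real_ip_from is widened to everything.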

Full context examples below:

For Cloudflare:

user              nginx nginx;
worker_processes  1;

worker_rlimit_nofile 51200;

error_log         logs/error.log;

pid               logs/nginx.pid;

events {
    worker_connections  32768;
    use epoll;
}

http {
 # Cloudflare
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 199.27.128.0/21;
real_ip_header CF-Connecting-IP;

    index  index.php index.html index.htm;
    include       mime.types;
    default_type  application/octet-stream;

For a typical reverse proxy, e.g. the haproxy load balancer that the Centminmod.com site uses:

user              nginx nginx;
worker_processes  1;

worker_rlimit_nofile 51200;

error_log         logs/error.log;

pid               logs/nginx.pid;

events {
    worker_connections  32768;
    use epoll;
}

http {
 set_real_ip_from yourreverseproxyip;
 real_ip_header X-Forwarded-For;

    index  index.php index.html index.htm;
    include       mime.types;
    default_type  application/octet-stream;

You can also use an Nginx include file to make editing easier, i.e. put the settings in a file you create such as /usr/local/nginx/conf/csfips.conf and include it from nginx.conf. Keeping the list in one file also means an updated Cloudflare range only has to be changed in one place.

user              nginx nginx;
worker_processes  1;

worker_rlimit_nofile 51200;

error_log         logs/error.log;

pid               logs/nginx.pid;

events {
    worker_connections  32768;
    use epoll;
}

http {
include /usr/local/nginx/conf/csfips.conf;

    index  index.php index.html index.htm;
    include       mime.types;
    default_type  application/octet-stream;

with contents of:

 # Cloudflare
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 199.27.128.0/21;
real_ip_header CF-Connecting-IP;

Save the Nginx vhost file (or the include file), then restart the Nginx server

  service nginx restart

or via command line shortcut

  ngxrestart


Nginx Incapsula IP addresses:

Incapsula.com explains their IP ranges here.

For Incapsula IPv4 addresses:

 # Incapsula
set_real_ip_from 199.83.128.0/21;
set_real_ip_from 198.143.32.0/19;
set_real_ip_from 149.126.72.0/21;
set_real_ip_from 103.28.248.0/22;
set_real_ip_from 45.64.64.0/22;
set_real_ip_from 185.11.124.0/22;
set_real_ip_from 192.230.64.0/18;
set_real_ip_from 107.154.0.0/16;
set_real_ip_from 2a02:e980::/29;
real_ip_header X-Forwarded-For;


Nginx Google PageSpeed Service IP addresses:

Google also explains this in the Google PageSpeed Service FAQ. They do not provide a convenient list of IP addresses, though: you have to do some work, as explained on the 'Google's IP addresses' page. Running the nslookup commands from that page first returns the list of netblock records, then the Google IP ranges in each of those netblocks, as shown below. (Google turned PageSpeed Service down in August 2015; the procedure still applies to any proxy that publishes its ranges as SPF records.)

For Centmin Mod users, first install the bind-utils YUM package, which contains the nslookup command.

  yum -q -y install bind-utils

Then run commands:

nslookup -q=TXT _spf.google.com 8.8.8.8
nslookup -q=TXT _netblocks.google.com 8.8.8.8
nslookup -q=TXT _netblocks2.google.com 8.8.8.8
nslookup -q=TXT _netblocks3.google.com 8.8.8.8

These output the following:

nslookup -q=TXT _spf.google.com 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
_spf.google.com text = "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"

Authoritative answers can be found from:

nslookup -q=TXT _netblocks.google.com 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
_netblocks.google.com   text = "v=spf1 ip4:64.18.0.0/20 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:207.126.144.0/20 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"

Authoritative answers can be found from:

nslookup -q=TXT _netblocks2.google.com 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
_netblocks2.google.com  text = "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"

Authoritative answers can be found from:

nslookup -q=TXT _netblocks3.google.com 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
_netblocks3.google.com  text = "v=spf1 ip4:172.217.0.0/19 ip4:108.177.96.0/19 ~all"

Authoritative answers can be found from:

Take the IPv4 ranges (and the IPv6 ranges if you use IPv6) from the Non-authoritative answer sections to form the Google PageSpeed Service IP list, and add a real_ip_header X-Forwarded-For; line to complete the Nginx configuration. Then add the following code to /usr/local/nginx/conf/nginx.conf in the http {} section and restart the Nginx web server. Bear in mind that these SPF netblocks are shared by many Google services, not just the proxy, so the set of addresses whose X-Forwarded-For header Nginx will trust is wider than the proxy itself.

For Google PageSpeed Service IPv4 addresses:

 # Google IPs IPv4
set_real_ip_from 64.18.0.0/20;
set_real_ip_from 64.233.160.0/19;
set_real_ip_from 66.102.0.0/20;
set_real_ip_from 66.249.80.0/20;
set_real_ip_from 72.14.192.0/18;
set_real_ip_from 74.125.0.0/16;
set_real_ip_from 108.177.8.0/21;
set_real_ip_from 173.194.0.0/16;
set_real_ip_from 207.126.144.0/20;
set_real_ip_from 209.85.128.0/17;
set_real_ip_from 216.58.192.0/19;
set_real_ip_from 216.239.32.0/19;
set_real_ip_from 172.217.0.0/19;
set_real_ip_from 108.177.96.0/19;
real_ip_header X-Forwarded-For;

For Google PageSpeed Service IPv6 addresses:

 # Google IPs IPv6
set_real_ip_from 2001:4860:4000::/36;
set_real_ip_from 2404:6800:4000::/36;
set_real_ip_from 2607:f8b0:4000::/36;
set_real_ip_from 2800:3f0:4000::/36;
set_real_ip_from 2a00:1450:4000::/36;
set_real_ip_from 2c0f:fb50:4000::/36;
real_ip_header X-Forwarded-For;
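Every list on this page was pasted by hand. The script below is an added example (not Centmin Mod's, Cloudflare's or Google's tooling) that generates the include file instead, for both formats the page uses: the one-CIDR-per-line text of Cloudflare's ips-v4 / ips-v6 pages, as used for the csfips.conf include file above, and the SPF TXT records returned by the nslookup commands in this section. The sample inputs are constructed inline from values on this page so it runs offline; the output path and the curl fetch mentioned in the comments are an assumed workflow, not something the page specifies. Every range is parsed strictly, so a typo or a host address with stray host bits is rejected rather than silently widening the set of addresses whose forwarded header Nginx will trust.

```python
"""Generate an Nginx set_real_ip_from include file from a proxy's published ranges.

Added example, not Centmin Mod's own tooling. Accepts a one-CIDR-per-line list
(Cloudflare's ips-v4 / ips-v6 format) or an SPF TXT record (the Google
_netblocks*.google.com format). Sample inputs below are constructed from
values on this page so the script runs offline.
"""
import ipaddress

# Constructed sample in the format of https://www.cloudflare.com/ips-v4
CLOUDFLARE_V4_SAMPLE = """\
103.21.244.0/22
103.22.200.0/22
104.16.0.0/12
"""

# SPF TXT records as shown in the nslookup output on this page
GOOGLE_SPF = ("v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
              "include:_netblocks3.google.com ~all")
GOOGLE_NETBLOCKS3 = "v=spf1 ip4:172.217.0.0/19 ip4:108.177.96.0/19 ~all"


def parse_cidr_list(text):
    """One CIDR per line, '#' comments allowed; any bad line raises ValueError."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            raise ValueError("line %d: %r rejected: %s" % (lineno, line, exc))
    return nets


def is_valid_cidr_list(text):
    """True when every non-empty line parses strictly; a pre-check before writing the file."""
    try:
        parse_cidr_list(text)
        return True
    except ValueError:
        return False


def parse_spf_txt(record):
    """Return (networks, includes) from an SPF record's ip4:/ip6:/include: terms.

    include: names are returned, not resolved, so the script stays offline;
    look each one up with nslookup -q=TXT as the page does and feed it back in.
    """
    nets, includes = [], []
    for term in record.split():
        if term.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term[4:], strict=True))
        elif term.startswith("include:"):
            includes.append(term[len("include:"):])
    return nets, includes


def render_realip_conf(nets, header, recursive=False):
    """Emit one set_real_ip_from per distinct range and exactly one real_ip_header."""
    lines = ["# generated: trusted reverse-proxy ranges"]
    seen = set()
    for net in nets:
        if net in seen:
            continue
        seen.add(net)
        lines.append("set_real_ip_from %s;" % net)
    lines.append("real_ip_header %s;" % header)
    if recursive:  # only when more than one trusted hop sits in front of Nginx
        lines.append("real_ip_recursive on;")
    return "\n".join(lines) + "\n"


def cloudflare_conf(v4_text, v6_text=""):
    """Include file for Cloudflare, which sends the client IP in CF-Connecting-IP."""
    return render_realip_conf(parse_cidr_list(v4_text) + parse_cidr_list(v6_text),
                              "CF-Connecting-IP")


def spf_conf(records):
    """Include file for a proxy whose ranges are published as SPF records (X-Forwarded-For)."""
    nets = []
    for rec in records:
        found, _includes = parse_spf_txt(rec)
        nets.extend(found)
    return render_realip_conf(nets, "X-Forwarded-For")


if __name__ == "__main__":
    # Assumed workflow: fetch the live lists (e.g. curl -s https://www.cloudflare.com/ips-v4),
    # write the result to /usr/local/nginx/conf/csfips.conf, include it from http {}
    # as shown above, and test with nginx -t before restarting.
    print(cloudflare_conf(CLOUDFLARE_V4_SAMPLE), end="")
    print(spf_conf([GOOGLE_NETBLOCKS3]), end="")
```

Because the input is validated before anything is written, a fetch that returns an error page or a truncated list fails loudly instead of producing an include file that trusts nothing, or trusts the wrong thing.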