From fbc97bdeb9b5089875a88430ca84a50123d98f7c Mon Sep 17 00:00:00 2001
From: noogen
Date: Tue, 27 Sep 2022 14:38:26 -0500
Subject: [PATCH] fix cdn ips
---
files/etc/nginx/cdn-example.conf | 4 +-
files/etc/nginx/geoip2-download.sh | 2 +-
files/etc/nginx/geoipme.conf | 14 +++----
files/etc/nginx/geolite2.conf | 38 +++++++++----------
files/etc/nginx/nginx.new | 4 +-
.../sites-enabled/proxy-hide-headers.common | 4 ++
files/etc/nginx/sites-enabled/server.conf | 2 +-
7 files changed, 33 insertions(+), 35 deletions(-)
diff --git a/files/etc/nginx/cdn-example.conf b/files/etc/nginx/cdn-example.conf
index 53fe1ec..26de029 100644
--- a/files/etc/nginx/cdn-example.conf
+++ b/files/etc/nginx/cdn-example.conf
@@ -16,7 +16,7 @@ server {
 resolver 8.8.8.8 8.8.4.4;
 proxy_redirect off;
- proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Real-IP $realip_remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_connect_timeout 30s;
@@ -46,7 +46,7 @@ server {
 add_header Access-Control-Allow-Origin "*";
 add_header X-Cache $upstream_cache_status;
- proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-For $realip_remote_addr;
 include /etc/nginx/sites-enabled/proxy-hide-headers.common;
diff --git a/files/etc/nginx/geoip2-download.sh b/files/etc/nginx/geoip2-download.sh
index 5c48c56..1d52c9f 100755
--- a/files/etc/nginx/geoip2-download.sh
+++ b/files/etc/nginx/geoip2-download.sh
@@ -2,4 +2,4 @@
 # curl -sLo GeoLite2-ASN.mmdb https://git.io/GeoLite2-ASN.mmdb
 curl -sLo GeoLite2-City.mmdb https://git.io/GeoLite2-City.mmdb
-# curl -sLo GeoLite2-Country.mmdb https://git.io/GeoLite2-Country.mmdb
+curl -sLo GeoLite2-Country.mmdb https://git.io/GeoLite2-Country.mmdb
diff --git a/files/etc/nginx/geoipme.conf b/files/etc/nginx/geoipme.conf
index 9fe5ea6..78767b0 100644
--- a/files/etc/nginx/geoipme.conf
+++ b/files/etc/nginx/geoipme.conf
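Review bot: `proxy_set_header X-Real-IP $realip_remote_addr;` forwards the pre-realip connection address: under ngx_http_realip_module `$realip_remote_addr` is documented as keeping the original peer address while `$remote_addr` is the value rewritten from the trusted CDN header, so if the goal is the visitor's IP behind the CDN this sends the edge's IP upstream, and without `set_real_ip_from`/`real_ip_header` configured the two variables are identical and the change is a no-op. If the edge address is what is wanted, a comment such as `# intentionally the CDN edge address, not the visitor; see real_ip_header` would keep the next reader from reverting it. The same substitution appears in this file's second hunk, in geoipme.conf, geolite2.conf, nginx.new and server.conf, so whichever way it is decided should be applied to all of them. The enclosing `server` block starts and ends outside the hunk.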
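Review bot: The newly active `curl -sLo GeoLite2-Country.mmdb …` line, like the City line above it, runs without `-f`, so an error page returned by the server is written over the database while `-s` hides the failure and the script still exits 0; `curl -fsSLo GeoLite2-Country.mmdb https://git.io/GeoLite2-Country.mmdb` fails loudly instead of leaving a corrupt file for the `auto_reload 60m` blocks in geolite2.conf to pick up. The files also arrive through a redirector with no integrity check; downloading to a temporary name, verifying a recorded checksum and only then moving the file into place would keep a truncated or substituted download from being loaded. The shebang and any `set -e` are outside the hunk.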
@@ -1,26 +1,24 @@
- location ~ /(geoip|geoipme)/?(?.*) {
+location ~ /(geoip|geoipme)+/(?.*) {
 charset utf-8;
 add_header Cache-Control no-cache;
 set $realip $ip;
 if ($ip = '') {
- set $realip $remote_addr;
+ set $realip $realip_remote_addr;
 }
- include /etc/nginx/geolite2.conf;
- default_type application/json;
- set $mybody '{"ip":"$realip","country_code":"$geoip2_country_code","region_code":"$geoip2_region","region_name":"$geoip2_region_name","city":"$geoip2_city","zip_code":"$geoip2_postal_code","latitude":"$geoip2_latitude","longitude":"$geoip2_longitude","metro_code":"$geoip2_dma_code"}';
+ set $mybody '{"ip":"$realip","country_code":"$geoip2_country_code","region_code":"$geoip2_region_code","region_name":"$geoip2_region","city":"$geoip2_city","zip_code":"$geoip2_postal_code","latitude":"$geoip2_latitude","longitude":"$geoip2_longitude","metro_code":"$geoip2_dma_code"}';
 if ($arg_format = "xml") {
 add_header Content-Type application/xml;
- set $mybody '$realip$geoip2_country_code$geoip2_country_name$geoip2_region$geoip2_region_name$geoip2_city$geoip2_postal_code$geoip2_latitude$geoip2_longitude$geoip2_dma_code';
+ set $mybody '$realip$geoip2_country_code$geoip2_country$geoip2_region_code$geoip2_region$geoip2_city$geoip2_postal_code$geoip2_latitude$geoip2_longitude$geoip2_dma_code';
 }
 if ($arg_format = "csv") {
 add_header Content-Type text/csv;
- set $mybody '$realip,$geoip2_country_code,$geoip2_region,$geoip2_region_name,$geoip2_city,$geoip2_postal_code,$geoip2_latitude,$geoip2_longitude,$geoip2_dma_code';
+ set $mybody '$realip,$geoip2_country_code,$geoip2_region_code,$geoip2_region,$geoip2_city,$geoip2_postal_code,$geoip2_latitude,$geoip2_longitude,$geoip2_dma_code';
 }
 if ($arg_callback) {
@@ -29,4 +27,4 @@
 }
 return 200 $mybody;
-}
\ No newline at end of file
+}
diff --git a/files/etc/nginx/geolite2.conf b/files/etc/nginx/geolite2.conf
index 02e3266..79567b0 100644
--- a/files/etc/nginx/geolite2.conf
+++ b/files/etc/nginx/geolite2.conf
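Review bot: Removing `default_type application/json;` together with the `include` leaves the JSON body from `set $mybody '{"ip":…}'` served with whatever `default_type` the enclosing block defines (nginx's shipped configuration uses `application/octet-stream`), while the xml and csv branches still set a Content-Type via `add_header`; unless it is set at server or http level, keep `default_type application/json;` in the location. The `(?.*)` in the new `location ~ /(geoip|geoipme)+/(?.*) {` is not a valid group as shown and looks like a named capture whose `<name>` was lost in rendering, so the pattern in the actual file should be checked. `set $realip $ip;` now only feeds the `"ip"` field of the output, because the lookups in geolite2.conf in this same commit read `source=$realip_remote_addr`, so a response can pair one address with geodata for another; either a comment stating that the `ip` argument is display-only, or dropping the override, would make that explicit. The body of `if ($arg_callback)` continues past the hunk.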
@@ -1,34 +1,30 @@
-if ($realip = '') {
- set $realip $remote_addr;
-}
-
-geoip2 /etc/nginx/GeoLite2-City.mmdb {
+geoip2 /etc/nginx/GeoLite2-Country.mmdb {
 auto_reload 60m;
 $geoip2_metadata_country_build metadata build_epoch;
- $geoip2_data_country source=$realip country names en;
- $geoip2_data_country_code source=$realip country iso_code;
+ $geoip2_data_country source=$realip_remote_addr country names en;
+ $geoip2_data_country_code source=$realip_remote_addr country iso_code;
 }
 geoip2 /etc/nginx/GeoLite2-City.mmdb {
- auto_reload 60m;
+ auto_reload 60m;
- $geoip2_continent_code source=$realip continent code;
- $geoip2_country source=$realip country names en;
- $geoip2_country_code source=$realip country iso_code;
- $geoip2_region source=$realip subdivisions 0 names en;
- $geoip2_region_code source=$realip subdivisions 0 iso_code;
- $geoip2_city source=$realip city names en;
- $geoip2_postal_code source=$realip postal code;
- $geoip2_latitude source=$realip location latitude;
- $geoip2_longitude source=$realip location longitude;
- $geoip2_time_zone source=$realip location time_zone;
- $geoip2_dma_code source=$realip location metro_code;
+ $geoip2_continent_code source=$realip_remote_addr continent code;
+ $geoip2_country source=$realip_remote_addr country names en;
+ $geoip2_country_code source=$realip_remote_addr country iso_code;
+ $geoip2_region source=$realip_remote_addr subdivisions 0 names en;
+ $geoip2_region_code source=$realip_remote_addr subdivisions 0 iso_code;
+ $geoip2_city source=$realip_remote_addr city names en;
+ $geoip2_postal_code source=$realip_remote_addr postal code;
+ $geoip2_latitude source=$realip_remote_addr location latitude;
+ $geoip2_longitude source=$realip_remote_addr location longitude;
+ $geoip2_time_zone source=$realip_remote_addr location time_zone;
+ $geoip2_dma_code source=$realip_remote_addr location metro_code;
 }
 geoip2 /etc/nginx/GeoLite2-ASN.mmdb {
 auto_reload 60m;
- $geoip2_asn source=$realip autonomous_system_number;
- $geoip2_organization source=$realip autonomous_system_organization;
+ $geoip2_asn source=$realip_remote_addr autonomous_system_number;
+ $geoip2_organization source=$realip_remote_addr autonomous_system_organization;
 }
diff --git a/files/etc/nginx/nginx.new b/files/etc/nginx/nginx.new
index a256bcf..9e7cb92 100644
--- a/files/etc/nginx/nginx.new
+++ b/files/etc/nginx/nginx.new
@@ -34,11 +34,11 @@ http {
 server_names_hash_bucket_size 512;
 # Log format
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ log_format main '$realip_remote_addr - $remote_user [$time_local] "$request" '
 '$status $body_bytes_sent "$http_referer" '
 '"$http_user_agent" "$http_x_forwarded_for"';
 log_format better '-= ngx: $status $request_method $scheme://$host$request_uri $request_time '
- '$remote_addr $body_bytes_sent "$http_referer" '
+ '$realip_remote_addr $body_bytes_sent "$http_referer" '
 '"$http_user_agent" "$http_x_forwarded_for"';
 access_log /var/log/nginx/access.log better;
diff --git a/files/etc/nginx/sites-enabled/proxy-hide-headers.common b/files/etc/nginx/sites-enabled/proxy-hide-headers.common
index a999c52..40f1b02 100644
--- a/files/etc/nginx/sites-enabled/proxy-hide-headers.common
+++ b/files/etc/nginx/sites-enabled/proxy-hide-headers.common
@@ -12,9 +12,13 @@ proxy_hide_header "X-Amz-Replication-Status";
 proxy_hide_header "X-Amz-Expiration";
 proxy_hide_header "X-Amz-Version-Id";
 proxy_hide_header "X-Amz-Cf-Id";
+proxy_hide_header "X-Amz-Cf-Pop";
 proxy_hide_header "Via";
 proxy_hide_header "Access-Control-Allow-Origin";
 proxy_hide_header "x-amz-meta-s3b-last-modified";
 proxy_hide_header "Set-Cookie";
 proxy_hide_header "CF-Cache-Status";
 proxy_hide_header "cf-ray";
+proxy_hide_header "Server";
+proxy_hide_header "X-Powered-By";
+proxy_hide_header "X-AspNet-Version";
diff --git a/files/etc/nginx/sites-enabled/server.conf b/files/etc/nginx/sites-enabled/server.conf
index f962fbf..d84c797 100644
--- a/files/etc/nginx/sites-enabled/server.conf
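Review bot: Hard-coding `source=$realip_remote_addr` in all three `geoip2` blocks, and deleting the `if ($realip = '') { set $realip $remote_addr; }` guard, means the `$realip` variable that geoipme.conf still computes from `$ip` feeds none of the lookups; if the `?ip=` override is meant to keep working the blocks need `source=$realip` with an empty-value fallback restored, and if it is not, the `set $realip` lines in geoipme.conf are now dead code and should go with it. Since `if` is only valid in server and location context while `geoip2 {}` belongs to the http context, this file is presumably now included from the http block, which is not shown here; a header comment such as `# included from nginx.conf at http level; lookups keyed on the raw connection peer` would record both facts for the next maintainer.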
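Review bot: Both `log_format` lines now record `$realip_remote_addr`, which under ngx_http_realip_module is the address the TCP connection actually came from, so once `set_real_ip_from`/`real_ip_header` are configured for the CDN the access log keeps only the edge IP and the client-supplied `$http_x_forwarded_for`, losing the realip-derived visitor address that incident review needs; logging both, e.g. `'$remote_addr $realip_remote_addr - $remote_user [$time_local] "$request" '`, keeps the trusted-header-derived client and the raw peer side by side. `$realip_remote_addr` exists only when the realip module is compiled in, so `nginx -t` will reject this http-level format on a build without it; a comment to that effect next to `# Log format` would save a confusing deploy failure. The `http` block starts and ends outside the hunk.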
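Review bot: `proxy_hide_header "Server";` only strips the upstream's header; nginx then emits its own `Server: nginx/<version>` unless `server_tokens off;` is set in the http or server block, so the version disclosure this hunk targets is not closed by this file alone. ASP.NET MVC applications also send `X-AspNetMvc-Version`, which would sit naturally next to the new `X-AspNet-Version` line. A short comment above the three new lines, e.g. `# platform fingerprinting headers from the origin`, would explain why they differ from the S3/CloudFront group above them.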
+++ b/files/etc/nginx/sites-enabled/server.conf
@@ -46,7 +46,7 @@ server {
 # proxy_redirect off;
- proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Real-IP $realip_remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header User-Agent "$http_user_agent";