This article uses a CentOS 7 setup as the example and shows how to make Nginx accept only origin-pull requests from Cloudflare (hereafter cf), so that no other client can reach the origin server directly.
First, write a script that automatically fetches the latest cf origin IP ranges and converts them into nginx configuration syntax.
Save the following shell script into the nginx configuration directory
vi /usr/local/nginx/conf/getcfip.sh
#!/bin/bash
# Abort on any error or unset variable so that a failed download never
# leaves a half-written or empty allowlist behind.
set -eu
filename=cfip.conf
# Enter the nginx configuration directory
cd /usr/local/nginx/conf
# Build the new list in a temporary file and swap it in only when complete
tmpfile=$(mktemp "${filename}.XXXXXX")
trap 'rm -f "$tmpfile" ips-v4 ips-v6' EXIT
# -q: quiet, -O: always write to these fixed file names
wget -q -O ips-v4 https://www.cloudflare.com/ips-v4
wget -q -O ips-v6 https://www.cloudflare.com/ips-v6
# Process the IPv4 addresses
echo "#IPv4" >> "$tmpfile"
# Remember to whitelist the loopback address, otherwise local calls such as API requests stop working
echo "allow 127.0.0.1;" >> "$tmpfile"
# "|| [ -n "$line" ]" keeps the last range even if the file has no trailing newline
while read -r line || [ -n "$line" ]; do
    if [ -n "$line" ]; then echo "allow $line;" >> "$tmpfile"; fi
done < ips-v4
# Process the IPv6 addresses
echo "#IPv6" >> "$tmpfile"
echo "allow ::1;" >> "$tmpfile"
while read -r line || [ -n "$line" ]; do
    if [ -n "$line" ]; then echo "allow $line;" >> "$tmpfile"; fi
done < ips-v6
# Replace the live allowlist atomically
mv -f "$tmpfile" "$filename"
# Check the configuration first, then make nginx reload it
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
Grant execute permission
chmod +x /usr/local/nginx/conf/getcfip.sh
Add it to crontab to run once a day: cf's origin IP ranges can change, but not often, so refreshing once per day is enough
crontab -e
0 0 * * * /usr/local/nginx/conf/getcfip.sh > /dev/null 2>&1
Next, configure nginx. Note that every vhost, and every server block in the main configuration file, needs this treatment; below is the configuration of a default server for https
vi /usr/local/nginx/conf/nginx.conf
server
{
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    index index.html index.htm index.php;
    root /home/wwwroot/default;
    ssl on;
    ssl_certificate /usr/local/nginx/conf/ssl/ttwo/ttwo.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/ttwo/ttwo.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
    ssl_session_cache builtin:1000 shared:SSL:10m;
    # Generate the DH parameters with:
    # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
    ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
    #error_page 404 /404.html;
    # Deny access to PHP files in specific directory
    #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
    include enable-php.conf;
    # First include the cfip.conf file generated by the script, then deny all
    # other clients. The order matters: nginx evaluates allow/deny rules top down.
    include cfip.conf;
    deny all;
    location /nginx_status
    {
        stub_status on;
        access_log off;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
    }
    location ~ .*\.(js|css)?$
    {
        expires 12h;
    }
    location ~ /.well-known {
        allow all;
    }
    location ~ /\.
    {
        deny all;
    }
    access_log /home/wwwlogs/access.log;
}
Run the script by hand the first time so that the cfip allowlist configuration file gets generated
/usr/local/nginx/conf/getcfip.sh
You can then inspect the contents of the allowlist file
vi /usr/local/nginx/conf/cfip.conf
#IPv4
allow 127.0.0.1;
allow 173.245.48.0/20;
allow 103.21.244.0/22;
allow 103.22.200.0/22;
allow 103.31.4.0/22;
allow 141.101.64.0/18;
allow 108.162.192.0/18;
allow 190.93.240.0/20;
allow 188.114.96.0/20;
allow 197.234.240.0/22;
allow 198.41.128.0/17;
allow 162.158.0.0/15;
allow 104.16.0.0/12;
allow 172.64.0.0/13;
allow 131.0.72.0/22;
#IPv6
allow ::1;
allow 2400:cb00::/32;
allow 2606:4700::/32;
allow 2803:f800::/32;
allow 2405:b500::/32;
allow 2405:8100::/32;
allow 2a06:98c0::/29;
allow 2c0f:f248::/32;
With that the configuration is complete. Try opening the server's IP address or the real domain name directly in your browser: the request is refused with a 403 Forbidden. Accessing the site through the CDN domain works normally.