
Update CF ips every update (#3338)

* Update CF ips every update

* Fine tune sed removal real_ip_header
Jaap Marcus 3 лет назад
Родитель
Сommit
dbd67f44ac

+ 21 - 0
func/upgrade.sh

@@ -550,6 +550,27 @@ upgrade_b2_tool() {
 	fi
 }
 
+upgrade_cloudflare_ip() {
+	echo "[ * ] Update Cloudflare IP"
+	# https://github.com/ergin/nginx-cloudflare-real-ip/
+	CLOUDFLARE_FILE_PATH='/etc/nginx/conf.d/cloudflare.inc'
+	echo "#Cloudflare" > $CLOUDFLARE_FILE_PATH
+	echo "" >> $CLOUDFLARE_FILE_PATH
+
+	echo "# - IPv4" >> $CLOUDFLARE_FILE_PATH
+	for i in $(curl -s -L https://www.cloudflare.com/ips-v4); do
+		echo "set_real_ip_from $i;" >> $CLOUDFLARE_FILE_PATH
+	done
+	echo "" >> $CLOUDFLARE_FILE_PATH
+	echo "# - IPv6" >> $CLOUDFLARE_FILE_PATH
+	for i in $(curl -s -L https://www.cloudflare.com/ips-v6); do
+		echo "set_real_ip_from $i;" >> $CLOUDFLARE_FILE_PATH
+	done
+
+	echo "" >> $CLOUDFLARE_FILE_PATH
+	echo "real_ip_header CF-Connecting-IP;" >> $CLOUDFLARE_FILE_PATH
+}
+
 upgrade_phppgadmin() {
 	if [ -n "$(echo $DB_SYSTEM | grep -w 'pgsql')" ]; then
 		pga_release=$(cat /usr/share/phppgadmin/libraries/lib.inc.php | grep appVersion | head -n1 | cut -f2 -d\' | cut -f1 -d-)
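Review bot: `upgrade_cloudflare_ip` turns whatever `curl -s -L` returns into `set_real_ip_from` entries without any check, and every address that lands in that file becomes a proxy whose `CF-Connecting-IP` header nginx will accept as the client address. `-s` without `-f` means an HTTP error page, a captive-portal redirect or an empty response is processed silently; a non-CIDR token produces a config line that breaks the next `nginx -t`/reload, and because the file is truncated with `>` before the fetch, a host without outbound HTTPS at upgrade time ends up with an empty trusted list and every request logged and rate-limited as a Cloudflare edge address. Suggest fetching first with `curl -fsSL` and keeping the previous file on failure, accepting only CIDR-shaped lines, and swapping the file in atomically; running `nginx -t` before any reload is a follow-up the caller should do.
```shell
upgrade_cloudflare_ip() {
	echo "[ * ] Update Cloudflare IP"
	# https://github.com/ergin/nginx-cloudflare-real-ip/
	CLOUDFLARE_FILE_PATH='/etc/nginx/conf.d/cloudflare.inc'
	local tmp family ranges i
	# Dot-prefixed temp name in the same directory so the final mv is atomic
	# and a conf.d/*.conf include glob does not pick it up half-written
	tmp=$(mktemp /etc/nginx/conf.d/.cloudflare.inc.XXXXXX) || return 1
	echo "#Cloudflare" > "$tmp"
	echo "" >> "$tmp"

	for family in v4 v6; do
		# -f: treat HTTP errors as failure; on any failure keep the previous list
		ranges=$(curl -fsSL "https://www.cloudflare.com/ips-$family") || {
			echo "[ ! ] Unable to fetch Cloudflare IP$family ranges, keeping existing list"
			rm -f "$tmp"
			return 1
		}
		echo "# - IP$family" >> "$tmp"
		for i in $ranges; do
			# Only CIDR-shaped entries: anything else would become a trusted proxy
			echo "$i" | grep -Eq '^[0-9a-fA-F.:]+/[0-9]+$' || continue
			echo "set_real_ip_from $i;" >> "$tmp"
		done
		echo "" >> "$tmp"
	done

	echo "real_ip_header CF-Connecting-IP;" >> "$tmp"
	chmod 644 "$tmp"
	mv -f "$tmp" "$CLOUDFLARE_FILE_PATH"
}
```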

+ 2 - 23
install/deb/nginx/nginx.conf

@@ -78,29 +78,8 @@ http {
 	  application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
 	gzip_proxied                    any;
 	gzip_disable                    "MSIE [1-6]\.";
-	# Cloudflare https://www.cloudflare.com/ips
-	set_real_ip_from                103.21.244.0/22;
-	set_real_ip_from                103.22.200.0/22;
-	set_real_ip_from                103.31.4.0/22;
-	set_real_ip_from                104.16.0.0/13;
-	set_real_ip_from                104.24.0.0/14;
-	set_real_ip_from                108.162.192.0/18;
-	set_real_ip_from                131.0.72.0/22;
-	set_real_ip_from                141.101.64.0/18;
-	set_real_ip_from                162.158.0.0/15;
-	set_real_ip_from                172.64.0.0/13;
-	set_real_ip_from                173.245.48.0/20;
-	set_real_ip_from                188.114.96.0/20;
-	set_real_ip_from                190.93.240.0/20;
-	set_real_ip_from                197.234.240.0/22;
-	set_real_ip_from                198.41.128.0/17;
-	# set_real_ip_from 2400:cb00::/32;
-	# set_real_ip_from 2405:8100::/32;
-	# set_real_ip_from 2405:b500::/32;
-	# set_real_ip_from 2606:4700::/32;
-	# set_real_ip_from 2803:f800::/32;
-	# set_real_ip_from 2a06:98c0::/29;
-	# set_real_ip_from 2c0f:f248::/32;
+	# Cloudflare ips
+	include                         /etc/nginx/conf.d/domains/cloudflare.inc;
 	real_ip_header                  CF-Connecting-IP;
 	# SSL PCI compliance
 	ssl_session_cache               shared:SSL:20m;
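Review bot: The new `include /etc/nginx/conf.d/domains/cloudflare.inc;` points at a path nothing in this commit writes: `upgrade_cloudflare_ip`, both installers and the 1.7.0 upgrade sed all use `/etc/nginx/conf.d/cloudflare.inc`. A literal (non-glob) `include` of a missing file is a fatal config error, so unless something outside this diff creates the `domains/` copy a fresh install will fail at `systemctl start nginx`; the line should read `include /etc/nginx/conf.d/cloudflare.inc;`. The `real_ip_header CF-Connecting-IP;` kept just below it is also emitted as the last line of the generated include, and as far as I recall the realip module rejects a second `real_ip_header` in the same context as a duplicate — the 1.7.0 upgrade script deletes that directive from nginx.conf for exactly this reason, so the template should drop it too.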

+ 18 - 0
install/hst-install-debian.sh

@@ -1342,6 +1342,24 @@ if [ -n "$resolver" ]; then
 	sed -i "s/1.1.1.1 8.8.8.8/$resolver/g" /usr/local/hestia/nginx/conf/nginx.conf
 fi
 
+# https://github.com/ergin/nginx-cloudflare-real-ip/
+CLOUDFLARE_FILE_PATH='/etc/nginx/conf.d/cloudflare.inc'
+echo "#Cloudflare" > $CLOUDFLARE_FILE_PATH
+echo "" >> $CLOUDFLARE_FILE_PATH
+
+echo "# - IPv4" >> $CLOUDFLARE_FILE_PATH
+for i in $(curl -s -L https://www.cloudflare.com/ips-v4); do
+	echo "set_real_ip_from $i;" >> $CLOUDFLARE_FILE_PATH
+done
+echo "" >> $CLOUDFLARE_FILE_PATH
+echo "# - IPv6" >> $CLOUDFLARE_FILE_PATH
+for i in $(curl -s -L https://www.cloudflare.com/ips-v6); do
+	echo "set_real_ip_from $i;" >> $CLOUDFLARE_FILE_PATH
+done
+
+echo "" >> $CLOUDFLARE_FILE_PATH
+echo "real_ip_header CF-Connecting-IP;" >> $CLOUDFLARE_FILE_PATH
+
 update-rc.d nginx defaults > /dev/null 2>&1
 systemctl start nginx >> $LOG
 check_result $? "nginx start failed"
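Review bot: The two `for i in $(curl -s -L …)` loops write every whitespace-separated token of the HTTP response into `set_real_ip_from`, and that list is the boundary that decides who may set the client address through `CF-Connecting-IP`. `-s` without `-f` hides failures and nothing checks the exit status, so an error page or empty body either breaks the `systemctl start nginx` that follows or silently leaves the trusted list empty, while a response with unexpected content could admit a proxy that is not Cloudflare. Since `check_result` is already used right after the nginx start, fetch each list into a variable with `curl -fsSL`, abort the install through `check_result` if the download fails, and only accept CIDR-shaped lines.
```shell
# https://github.com/ergin/nginx-cloudflare-real-ip/
CLOUDFLARE_FILE_PATH='/etc/nginx/conf.d/cloudflare.inc'
cf_ips_v4=$(curl -fsSL https://www.cloudflare.com/ips-v4)
check_result $? "unable to download Cloudflare IPv4 ranges"
cf_ips_v6=$(curl -fsSL https://www.cloudflare.com/ips-v6)
check_result $? "unable to download Cloudflare IPv6 ranges"
# … unchanged: "#Cloudflare" / "# - IPv4" header echo lines …
for i in $cf_ips_v4; do
	# Every entry here may forge the client address: accept CIDRs only
	echo "$i" | grep -Eq '^[0-9.]+/[0-9]+$' || continue
	echo "set_real_ip_from $i;" >> $CLOUDFLARE_FILE_PATH
done
# … unchanged: "# - IPv6" header …
for i in $cf_ips_v6; do
	echo "$i" | grep -Eq '^[0-9a-fA-F:]+/[0-9]+$' || continue
	echo "set_real_ip_from $i;" >> $CLOUDFLARE_FILE_PATH
done
# … unchanged: real_ip_header line …
```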

+ 18 - 0
install/hst-install-ubuntu.sh

@@ -1388,6 +1388,24 @@ if [ -n "$resolver" ]; then
 	sed -i "s/1.1.1.1 8.8.8.8/$resolver/g" /usr/local/hestia/nginx/conf/nginx.conf
 fi
 
+# https://github.com/ergin/nginx-cloudflare-real-ip/
+CLOUDFLARE_FILE_PATH='/etc/nginx/conf.d/cloudflare.inc'
+echo "#Cloudflare" > $CLOUDFLARE_FILE_PATH
+echo "" >> $CLOUDFLARE_FILE_PATH
+
+echo "# - IPv4" >> $CLOUDFLARE_FILE_PATH
+for i in $(curl -s -L https://www.cloudflare.com/ips-v4); do
+	echo "set_real_ip_from $i;" >> $CLOUDFLARE_FILE_PATH
+done
+echo "" >> $CLOUDFLARE_FILE_PATH
+echo "# - IPv6" >> $CLOUDFLARE_FILE_PATH
+for i in $(curl -s -L https://www.cloudflare.com/ips-v6); do
+	echo "set_real_ip_from $i;" >> $CLOUDFLARE_FILE_PATH
+done
+
+echo "" >> $CLOUDFLARE_FILE_PATH
+echo "real_ip_header CF-Connecting-IP;" >> $CLOUDFLARE_FILE_PATH
+
 update-rc.d nginx defaults > /dev/null 2>&1
 systemctl start nginx >> $LOG
 check_result $? "nginx start failed"
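Review bot: This block is a byte-for-byte copy of the one added to hst-install-debian.sh and of the body of `upgrade_cloudflare_ip` in func/upgrade.sh, so any hardening of the fetch (a `-f` on `curl`, an exit-status check, validation of the returned tokens before they become `set_real_ip_from` lines) has to be made three times and will drift. If the installer already sources func/upgrade.sh — not visible in this hunk — replacing the 16 lines with a call to `upgrade_cloudflare_ip` keeps one implementation; otherwise moving the generator into a single script both the installer and `postinst` invoke achieves the same. As written, `curl -s` also discards the failure that would otherwise tell the installer the trusted-proxy list is empty before `systemctl start nginx` runs.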

+ 8 - 0
install/upgrade/versions/1.7.0.sh

@@ -111,3 +111,11 @@ if [ "$PHPMYADMIN_KEY" != "" ]; then
 	$BIN/v-delete-sys-pma-sso quiet
 	$BIN/v-add-sys-pma-sso quiet
 fi
+
+if [ -f /etc/nginx/nginx.conf ] && [ ! -f /etc/nginx/conf.d/cloudflare.inc ]; then
+	echo "[ * ] Enable support for updating Cloudflare Ips"
+	sed -i '/set_real_ip_from/d' /etc/nginx/nginx.conf
+	sed -i '/real_ip_header/d' /etc/nginx/nginx.conf
+	sed -i 's|# Cloudflare https://www.cloudflare.com/ips|# Cloudflare https://www.cloudflare.com/ips\n    include /etc/nginx/conf.d/cloudflare.inc;|g' /etc/nginx/nginx.conf
+	# At a later stage a function  will run and will load all the new rules
+fi
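Review bot: The two `sed -i '/set_real_ip_from/d'` and `'/real_ip_header/d'` deletes run unconditionally over the whole of nginx.conf, but the `include` is only inserted when the stock comment `# Cloudflare https://www.cloudflare.com/ips` is still present. On an nginx.conf an admin has edited — a rewritten comment, or extra `set_real_ip_from` entries for a local load balancer — this removes all real-IP configuration and adds nothing back, and the `! -f cloudflare.inc` guard means it is never retried, so from then on logs, fail2ban and IP allow/deny rules see only Cloudflare edge addresses. Check for the marker first and leave a customised file alone with a warning; the comment about the later function run should also say which function (`upgrade_cloudflare_ip`) and that nginx must not be reloaded in between, since the include line exists before the file does.
```shell
if [ -f /etc/nginx/nginx.conf ] && [ ! -f /etc/nginx/conf.d/cloudflare.inc ]; then
	echo "[ * ] Enable support for updating Cloudflare Ips"
	# Only rewrite the stock block; a customised nginx.conf keeps its own real_ip settings
	if grep -q '# Cloudflare https://www.cloudflare.com/ips' /etc/nginx/nginx.conf; then
		# … unchanged: the three sed -i lines …
	else
		echo "[ ! ] Stock Cloudflare block not found in /etc/nginx/nginx.conf, leaving real_ip settings untouched"
	fi
	# upgrade_cloudflare_ip (func/upgrade.sh) creates cloudflare.inc later in this upgrade;
	# nginx must not be reloaded before then because the include now points at a missing file
fi
```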

+ 3 - 0
src/deb/hestia/postinst

@@ -86,6 +86,9 @@ upgrade_roundcube | tee -a $LOG
 # Upgrade PHP php dependencies
 upgrade_dependencies | tee -a $LOG
 
+# Upgrade Cloudflare IPs if applicable
+upgrade_cloudflare_ip | tee -a $LOG
+
 # Upgrade phpMyAdmin if applicable
 upgrade_phpmyadmin | tee -a $LOG