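Configuration goal
Run Nginx behind the Cloudflare CDN proxy, correctly obtain the visitor's real IP, and handle HTTPS.
Environment
- Cloudflare (Proxy enabled, orange-cloud mode)
- Ubuntu 22.04 + Nginx 1.24
- Backend service: Node.js
Nginx configuration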
# /etc/nginx/conf.d/app.conf

# Pass through the real visitor IP from Cloudflare.
# Only connections arriving from these ranges may override the client address.
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
real_ip_header CF-Connecting-IP;

server {
    listen 80;
    server_name yourdomain.com;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        # $remote_addr is the address after the real_ip substitution above
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Verify the real IP
curl -H "..." http://localhost/ip
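Notes
- Update the IP ranges periodically from the Cloudflare IP list
- The CF-Connecting-IP header can only be trusted behind the Cloudflare proxy
- If the origin is accessed directly, CF-Connecting-IP may be forged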
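One way to check the first two notes mechanically, as an added example that is not part of the original page: the script compares the `set_real_ip_from` entries in a config with the published ranges and reports entries that trust too much and ranges that are missing. The function name `audit_trusted_proxies` and the sample config are constructed for illustration, and `PUBLISHED` reuses the ranges from the configuration above as a stand-in for the current Cloudflare list.

```python
import ipaddress
import re

# Ranges copied from the configuration on this page (stand-in for the live list).
PUBLISHED = """103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/13
104.24.0.0/14 108.162.192.0/18 131.0.72.0/22 141.101.64.0/18 162.158.0.0/15
172.64.0.0/13 173.245.48.0/20 188.114.96.0/20 190.93.240.0/20
197.234.240.0/22 198.41.128.0/17""".split()

# Constructed sample of a drifted config, not taken from a real server.
SAMPLE_CONF = """
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 0.0.0.0/0;   # any client could then forge the header
# set_real_ip_from 173.245.48.0/20;
real_ip_header CF-Connecting-IP;
"""

DIRECTIVE = re.compile(r"\bset_real_ip_from\s+([^;\s]+)\s*;")

def audit_trusted_proxies(conf_text, published):
    """Return (unexpected, missing) for the set_real_ip_from entries.

    unexpected: configured values that are not inside any published range
                (too broad, stale, or not an IP network at all).
    missing:    published ranges not fully covered by an accepted entry, so
                visitors arriving through them are logged as the proxy's IP.
    """
    pub = [ipaddress.ip_network(cidr) for cidr in published]
    accepted, unexpected = [], []
    active = re.sub(r"#.*", "", conf_text)  # ignore commented-out directives
    for value in DIRECTIVE.findall(active):
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:  # hostname, "unix:", or a typo: review by hand
            unexpected.append(value)
            continue
        if any(net.version == p.version and net.subnet_of(p) for p in pub):
            accepted.append(net)
        else:
            unexpected.append(str(net))
    missing = [str(p) for p in pub if not any(
        a.version == p.version and p.subnet_of(a) for a in accepted)]
    return unexpected, missing

if __name__ == "__main__":
    unexpected, missing = audit_trusted_proxies(SAMPLE_CONF, PUBLISHED)
    print("not in published list:", unexpected)
    print("published but not trusted:", missing)
```

An entry reported as unexpected lets clients outside the proxy set their own address through the header; a range reported as missing makes visitors routed through it appear under the proxy's address.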