
I am having this very specific problem. I will try my best to describe what the deal is.

I am running a server on Digital Ocean behind an NGINX reverse proxy (configurations are done through NGINX Proxy Manager).
I create an A record in my Cloudflare (mydomain.com) pointing to the Digital Ocean droplet's IP.
Everything works well:

REQUEST FROM INTERNET > CLOUDFLARE PROXY > NGINX REVERSE PROXY > DIGITAL OCEAN SERVER.

However, when I try to put a single IP address (for example the address of my VPN server X.X.X.X) in the NGINX reverse proxy's Access List (so that only that IP will have access to the server), everything stops working, and I know why.
NGINX waits for requests only from X.X.X.X, and because the scheme appears to be like this:

X.X.X.X > CLOUDFLARE PROXY > NGINX REVERSE PROXY > DIGITAL OCEAN SERVER

It is logical that NGINX doesn't send any response (because it is waiting for a connection from X.X.X.X and the connection comes from Cloudflare's proxy IP).

The issue is that when I turn off the Cloudflare proxy (toggling the little orange cloud to the OFF position), the server doesn't respond. To my understanding, when I turn it off, the connection should be coming like this:

X.X.X.X > NGINX REVERSE PROXY > DIGITAL OCEAN SERVER

Does anyone know what the issue might be? (I am guessing there might be another Cloudflare server between my VPN and the NGINX proxy, or something of that kind that I don't know about.)
Let me know if you need any additional info; I will try to provide everything possible. Thank you everyone in advance.

2 Answers


  1. Chosen as BEST ANSWER

    The problem is solved thanks to @Paolo's answer. I decided to start from the easiest of the cases he provided, so I added all Cloudflare IP ranges to my NGINX Reverse Proxy's access list. Because I run Docker behind that proxy, I have several containers that need to be public and some that need to be private (accessible only with my X.X.X.X VPN).

    Case #1 (with orange cloud ON): Now I am able to access the containers that I wanted to be public from any IP address (thanks to the new Access List mentioned above).

    REQUEST FROM INTERNET > CLOUDFLARE PROXY > NGINX REVERSE PROXY > DIGITAL OCEAN SERVER > DOCKER PUBLIC CONTAINER

    Case #2 (with gray cloud OFF): after @Paolo pointed out that there may be a connectivity issue between X.X.X.X and NGINX, I started to check all configs. He was right; the reverse proxy was misconfigured. After fixing the issue everything started to work as I planned. (The access list was switched from the previous one to only allowing X.X.X.X in this case.)

    X.X.X.X > NGINX REVERSE PROXY > DIGITAL OCEAN SERVER > DOCKER PRIVATE CONTAINER

    Thanks everyone and special thanks to @Paolo


  2. For the 1st scenario (orange cloud), you can configure your NGINX to restore the visitor’s original IP (X.X.X.X), since Cloudflare provides this information in HTTP headers. You can see more information in this article but here is a configuration snippet relevant for your reverse proxy:

    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 104.16.0.0/13;
    set_real_ip_from 104.24.0.0/14;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2405:8100::/32;
    set_real_ip_from 2c0f:f248::/32;
    set_real_ip_from 2a06:98c0::/29;
    
    # use either one of the following two
    
    real_ip_header CF-Connecting-IP;
    #real_ip_header X-Forwarded-For;
    

    The list of Cloudflare IP ranges is maintained here.

    For the 2nd scenario (grey cloud), it sounds like there is a connectivity issue between X.X.X.X and your NGINX. You will want to diagnose that using tools such as mtr, and also review whether you have any firewall settings in DigitalOcean that might prevent the traffic from passing through to your Droplet.

    If you would consider a completely different approach for connecting to your application privately, I recommend the following tutorial as an alternative.

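The following is an added example, not code from the thread or from NGINX: it simulates what the realip directives in the answer above do in front of an access list, so you can see why an allow list of only X.X.X.X is denied behind the orange cloud (the TCP peer is a Cloudflare edge) and why the CF-Connecting-IP header must only be honoured when the peer is in a trusted range. Addresses and headers are constructed; a subset of the Cloudflare ranges from the answer is used.

```python
# Added example (not from the thread): model nginx realip + allow/deny behaviour.
import ipaddress

# Subset of the Cloudflare ranges listed in the answer above.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "104.16.0.0/13", "172.64.0.0/13", "2606:4700::/32",
)]


def is_trusted_proxy(peer_ip):
    """True if the TCP peer is a proxy we trust to set CF-Connecting-IP
    (the role of set_real_ip_from)."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in CLOUDFLARE_RANGES)


def effective_client_ip(peer_ip, headers, trust_proxies=True):
    """Mimic set_real_ip_from + real_ip_header CF-Connecting-IP.
    The header is honoured only when the peer is a trusted proxy; otherwise a
    direct client could forge it and walk through the allow list."""
    if trust_proxies and is_trusted_proxy(peer_ip):
        hdr = headers.get("CF-Connecting-IP")
        if hdr:
            return str(ipaddress.ip_address(hdr))
    return peer_ip


def access_decision(peer_ip, headers, allow_list, trust_proxies=True):
    """Return 'allow' or 'deny' as an `allow ...; deny all;` block would,
    evaluated against the address realip leaves in $remote_addr."""
    client = ipaddress.ip_address(effective_client_ip(peer_ip, headers, trust_proxies))
    allowed = [ipaddress.ip_network(a) for a in allow_list]
    return "allow" if any(client in net for net in allowed) else "deny"


if __name__ == "__main__":
    VPN = "203.0.113.10"       # constructed stand-in for X.X.X.X
    CF_EDGE = "104.16.1.1"     # constructed address inside a Cloudflare range
    hdrs = {"CF-Connecting-IP": VPN}
    # Orange cloud, allow list = VPN only, no set_real_ip_from: denied.
    print(access_decision(CF_EDGE, hdrs, [VPN], trust_proxies=False))   # deny
    # Same request once realip trusts Cloudflare's ranges: allowed.
    print(access_decision(CF_EDGE, hdrs, [VPN]))                        # allow
    # A direct connection carrying a forged header stays denied.
    print(access_decision("198.51.100.7", hdrs, [VPN]))                 # deny
```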