Recently I decided to start using Cloudflare in proxy mode again. This led to needing to wall off the back-end hosts from getting hit by requests outside of Cloudflare's IP ranges.
Ideally if using Cloudflare in proxy mode, only Cloudflare should be able to connect.
There are a few other ways to handle this, such as mTLS (authenticated origin pulls) or cloudflared / Cloudflare Tunnel.
For cloudflare tunnels see:
For simplicity at the moment, I'm going to solve this with a simple ACL.
Nginx
Place this script somewhere that cron has permissions to execute and make the script executable with 'chmod +x'.
Modify the output directory and output file as needed for your environment.
Example generated Nginx ACL snippet:
Run the script, then add the resulting snippet to your nginx config - see example nginx config using this generated ACL:
I use cron to update this ACL nightly.
0 0 * * * sh /etc/nginx/scripts/generate-nginx-cloudflare-allow.sh
Reload nginx
Nginx does not pick up configuration changes dynamically (one huge strong point of Traefik). Each time the ACL file is regenerated, nginx also needs to be reloaded.
Reloading nginx is graceful and does not disrupt existing connections.
Schedule this script after the ACL script, or chain the two so they run one after the other.
Example cron including the nginx reload script:
0 0 * * * sh /etc/nginx/scripts/generate-nginx-cloudflare-allow.sh && sh /etc/nginx/scripts/test-reload.sh
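As an added example (not the post's own generate-nginx-cloudflare-allow.sh or test-reload.sh), the script below combines the two steps described above: it fetches Cloudflare's published IPv4 and IPv6 lists, rewrites them into an nginx allow-list ending in `deny all;`, and reloads nginx only when the snippet actually changed and `nginx -t` passes. The output directory `/etc/nginx/snippets`, the file name `cloudflare-allow.conf`, the `MIN_RANGES` floor and the `run` argument are assumptions for this example; only the two cloudflare.com list URLs come from Cloudflare.

```shell
#!/bin/sh
# Added example, not the post's own script: regenerate an nginx allow-list
# from Cloudflare's published ranges and reload nginx only when it changed.
# OUT_DIR, OUT_FILE, MIN_RANGES and the "run" argument are assumptions.
set -u

OUT_DIR="${OUT_DIR:-/etc/nginx/snippets}"   # snippets/ is not auto-included at http level
OUT_FILE="${OUT_FILE:-cloudflare-allow.conf}"
CF_V4_URL="https://www.cloudflare.com/ips-v4"
CF_V6_URL="https://www.cloudflare.com/ips-v6"
MIN_RANGES=10   # assumed sanity floor; Cloudflare publishes more ranges than this

# Keep only lines shaped like IPv4 or IPv6 CIDR prefixes. Anything else
# (an HTML error page, a blank line, a captive-portal redirect) is dropped,
# so a bad download can never inject arbitrary directives into nginx.
filter_cidrs() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$|^[0-9a-fA-F:]+/[0-9]{1,3}$'
}

# Read CIDRs on stdin, emit an nginx access snippet ending in "deny all;".
# No timestamp in the header: the output must be byte-identical between runs
# when the ranges have not changed, so the reload below can be skipped.
generate_allow_snippet() {
    echo "# Cloudflare edge ranges; generated file, do not edit by hand"
    filter_cidrs | sort -u | sed 's/.*/allow &;/'
    echo "deny all;"
}

# Number of allow lines in a generated snippet file (used as the sanity floor).
count_allow_lines() {
    grep -c '^allow ' "$1"
}

main() {
    target="$OUT_DIR/$OUT_FILE"
    tmp=$(mktemp "$OUT_DIR/.cf-allow.XXXXXX") || exit 1
    trap 'rm -f "$tmp"' EXIT

    { curl -fsS "$CF_V4_URL"; echo; curl -fsS "$CF_V6_URL"; echo; } \
        | generate_allow_snippet > "$tmp"

    # Never install an empty or truncated list: "deny all;" with no allow
    # lines would lock Cloudflare out of the origin at the next reload.
    if [ "$(count_allow_lines "$tmp")" -lt "$MIN_RANGES" ]; then
        echo "refusing to install ACL with too few ranges; keeping old file" >&2
        exit 1
    fi

    if cmp -s "$tmp" "$target"; then
        echo "ACL unchanged; no reload needed"
        exit 0
    fi

    [ -f "$target" ] && cp "$target" "$target.bak"
    chmod 0644 "$tmp" && mv "$tmp" "$target"   # same directory, so the rename is atomic

    # Validate before reloading; roll back if the new include breaks the config.
    if nginx -t; then
        nginx -s reload
    else
        echo "nginx -t failed; restoring previous ACL" >&2
        [ -f "$target.bak" ] && mv "$target.bak" "$target"
        exit 1
    fi
}

# Only perform the update when invoked as: generate-nginx-cloudflare-allow.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

With these assumptions the cron entry becomes `0 0 * * * sh /etc/nginx/scripts/generate-nginx-cloudflare-allow.sh run`, and the generated file is pulled into each proxied `server { }` (or a `location`) with `include /etc/nginx/snippets/cloudflare-allow.conf;`. The allow/deny check runs against `$remote_addr`, which behind Cloudflare's proxy is the Cloudflare edge address; if the realip module is also enabled in the same server with `CF-Connecting-IP`, `$remote_addr` is rewritten to the visitor's address before the access phase and this allow-list would then reject legitimate traffic, so keep the two in separate contexts or rely on the `CF-Connecting-IP` header only in logging.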
Additionally, a tool such as cronitor or healthchecks.io would be a good addition to monitor these tasks.
Traefik
Place this script somewhere that cron has permissions to execute and make it executable with 'chmod +x'.
Ensure that in 'traefik.yml' the file provider is configured. Below is a small section of my traefik.yml. I run traefik as a container, so /etc/traefik is a bind mount to a host directory where I store config files.
Then ensure the script is set to output the file as a middleware YAML file to your Traefik config directory.
Traefik, unlike nginx, does not need to be reloaded when changes are made, because its file provider picks them up dynamically.
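As an added example (not the post's own script), the following writes Cloudflare's ranges into a Traefik file-provider middleware, so the router only accepts connections whose peer address is a Cloudflare edge. The dynamic directory `/etc/traefik/dynamic`, the file name `cloudflare-allow.yml`, the middleware name `cloudflare-only`, the `MIN_RANGES` floor and the `run` argument are assumptions; the middleware type `ipAllowList` is Traefik v3's name (v2 called it `ipWhiteList`), which is why it is a variable.

```shell
#!/bin/sh
# Added example, not the post's own script: write Cloudflare's ranges into a
# Traefik file-provider middleware. The directory, file and middleware names,
# MIN_RANGES and the "run" argument are assumptions for this example.
set -u

DYN_DIR="${DYN_DIR:-/etc/traefik/dynamic}"          # directory the file provider watches
OUT_FILE="${OUT_FILE:-cloudflare-allow.yml}"
MIDDLEWARE_NAME="${MIDDLEWARE_NAME:-cloudflare-only}"
# Traefik v3 calls this middleware ipAllowList; v2 called it ipWhiteList.
MIDDLEWARE_KIND="${MIDDLEWARE_KIND:-ipAllowList}"
CF_V4_URL="https://www.cloudflare.com/ips-v4"
CF_V6_URL="https://www.cloudflare.com/ips-v6"
MIN_RANGES=10   # assumed sanity floor

# Keep only lines shaped like IPv4 or IPv6 CIDR prefixes; anything else from
# a bad download is dropped rather than written into the YAML.
filter_cidrs() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$|^[0-9a-fA-F:]+/[0-9]{1,3}$'
}

# CIDRs on stdin -> dynamic-config YAML on stdout. Without an ipStrategy the
# middleware checks the TCP peer address, which behind Cloudflare's proxy is
# the Cloudflare edge: exactly what this allow-list is meant to match.
generate_middleware_yaml() {
    cat <<EOF
http:
  middlewares:
    $MIDDLEWARE_NAME:
      $MIDDLEWARE_KIND:
        sourceRange:
EOF
    filter_cidrs | sort -u | sed 's/.*/          - "&"/'
}

# Number of sourceRange entries in a generated YAML file.
count_ranges() {
    grep -c '^ *- "' "$1"
}

main() {
    # Build the file outside the watched directory (but on the same bind mount)
    # so Traefik never loads a half-written YAML; the final mv is atomic.
    tmp=$(mktemp "$(dirname "$DYN_DIR")/.cf-allow.XXXXXX") || exit 1
    trap 'rm -f "$tmp"' EXIT
    { curl -fsS "$CF_V4_URL"; echo; curl -fsS "$CF_V6_URL"; echo; } \
        | generate_middleware_yaml > "$tmp"
    # An empty or truncated sourceRange would deny every client, so refuse it.
    if [ "$(count_ranges "$tmp")" -lt "$MIN_RANGES" ]; then
        echo "too few ranges fetched; keeping the existing middleware" >&2
        exit 1
    fi
    # Traefik watches DYN_DIR, so the rename is the whole "reload".
    chmod 0644 "$tmp" && mv "$tmp" "$DYN_DIR/$OUT_FILE"
}

if [ "${1:-}" = "run" ]; then main; fi
```

For this to take effect the static config (`traefik.yml`) needs the file provider pointed at the directory with watching enabled (`providers.file.directory: /etc/traefik/dynamic` and `providers.file.watch: true`), and each router that should be Cloudflare-only must reference the middleware as `cloudflare-only@file`. As with the nginx variant, the cron entry passes `run` as the argument.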