Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/bobankh/docker-cloudflare-nginx-iptables

Complete solution for deploying backend services behind Cloudflare. Automatically register new backend service container, forward real ip, and only allow http/https traffic from Cloudflare.
https://github.com/bobankh/docker-cloudflare-nginx-iptables

cdn cloudflare docker docker-compose firewall iptables nginx nginx-proxy

Last synced: 26 days ago
JSON representation

Complete solution for deploying backend services behind Cloudflare. Automatically register new backend service container, forward real ip, and only allow http/https traffic from Cloudflare.

Host: GitHub
URL: https://github.com/bobankh/docker-cloudflare-nginx-iptables
Owner: BobAnkh
License: apache-2.0
Created: 2021-10-08T05:08:15.000Z (about 3 years ago)
Default Branch: main
Last Pushed: 2024-04-29T08:04:51.000Z (7 months ago)
Last Synced: 2024-10-05T12:24:25.033Z (about 2 months ago)
Topics: cdn, cloudflare, docker, docker-compose, firewall, iptables, nginx, nginx-proxy
Language: Shell
Homepage:
Size: 43.9 KB
Stars: 1
Watchers: 1
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# docker-cloudflare-nginx-iptables

This project is designed for using behind cloudflare CDN. For security reason, you should not expose the original ip address to the public.
This project is motivated by the security need.

This project do a bunch of things:

- Register new containers in nginx automatically (docs of this feature please see [nginx-proxy/nginx-proxy](https://github.com/nginx-proxy/nginx-proxy))
- Forward real ip carried by cloudflare requests to the service containers behind
- Allow only cloudflare to connect to 80,443 ports with iptables
- Automatically update the ip set of cloudflare

This is recommended to use with cloudflare Origin certificates. If you want to use letsencrypt to self-sign certificates, I suggest you to combine this with [evertramos/nginx-proxy-automation](https://github.com/evertramos/nginx-proxy-automation)

**ATTENTION: This will block all the http/https traffic not from Cloudflare on the host, use at your own risk**

## Usage

1. git clone this repo: `git clone https://github.com/BobAnkh/docker-cloudflare-nginx-iptables.git /proxy`
2. copy `.env.sample` to `.env` and modify the corresponding settings to your preference
3. generate default certificates for illegal requests and ssl requests, and place your Cloudflare Origin certificates at the right place if you have or want, e,g., `./data/certs/`
4. run `docker-compose up -d`

You can just use the `setup.sh` script to help you do job 2-3 and place the Cloudflare Origin certificates for your websites manually. It should be in format like: `example.com.crt` and `example.com.key`

Place your Cloudflare Origin certificates in certificates folder e.g., `./data/certs/`

Support for the newset version of `docker-compose`. If you are using an older version, be careful that you may have to change the format of `network` in `docker-compose.yml`.

## Credits

This work is inspired by and based on 5 awesome work:

- [evertramos/nginx-proxy-automation](https://github.com/evertramos/nginx-proxy-automation)
- [nginx-proxy/nginx-proxy](https://github.com/nginx-proxy/nginx-proxy)
- [nginx-proxy/docker-gen](https://github.com/nginx-proxy/docker-gen)
- [VirtusAI/docker-cloudflare-firewall](https://github.com/VirtusAI/docker-cloudflare-firewall)
- [colinmollenhour/docker-confd-firewall](https://github.com/colinmollenhour/docker-confd-firewall)