Skip to content

abnvle/cloudflare

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
README.md
README.md
 
 
cf-firewall.sh
cf-firewall.sh
 
 
cf-purge-cache.sh
cf-purge-cache.sh
 
 
cf-realip-nginx.sh
cf-realip-nginx.sh
 
 

Repository files navigation

Cloudflare Scripts

A collection of practical scripts for managing servers behind Cloudflare.

Scripts

cf-firewall.sh

Configures iptables to accept HTTP/HTTPS traffic exclusively from Cloudflare IP ranges, ensuring that all web traffic passes through Cloudflare's proxy. SSH access is kept open on a configurable port.

What it does:

  • Fetches current Cloudflare IPv4 and IPv6 ranges directly from their API
  • Allows ports 80/443 only from Cloudflare IPs
  • Opens SSH on a user-defined port (default: 22)
  • Allows ICMP (ping) for diagnostics
  • Drops and logs all other incoming traffic
  • Persists rules across reboots via netfilter-persistent

Usage:

# Edit SSH_PORT inside the script first
chmod +x cf-firewall.sh
sudo ./cf-firewall.sh

Keeping Cloudflare IPs up to date:

Cloudflare occasionally updates their IP ranges. Add the script to cron to re-apply rules automatically:

sudo crontab -e
# Run every Sunday at 3:00 AM
0 3 * * 0 /path/to/cf-firewall.sh >> /var/log/cf-firewall.log 2>&1

Requirements:

  • Ubuntu Server (tested on 22.04 / 24.04)
  • iptables and curl (pre-installed on most systems)
  • iptables-persistent for rule persistence (apt install iptables-persistent)

cf-realip-nginx.sh

Generates an Nginx config that maps all Cloudflare IP ranges to set_real_ip_from directives, so your access logs and application see the actual client IP instead of Cloudflare's proxy IP.

What it does:

  • Fetches current Cloudflare IPv4 and IPv6 ranges
  • Generates /etc/nginx/conf.d/cloudflare-real-ip.conf with set_real_ip_from for each range
  • Uses CF-Connecting-IP header to restore the original client address
  • Tests Nginx config before reloading - safe to run in production
  • Includes a timestamp in the generated file for easy auditing

Usage:

chmod +x cf-realip-nginx.sh
sudo ./cf-realip-nginx.sh

Keeping it up to date:

sudo crontab -e
# Run every Sunday at 3:00 AM
0 3 * * 0 /path/to/cf-realip-nginx.sh >> /var/log/cf-real-ip.log 2>&1

Requirements:

  • Nginx with ngx_http_realip_module (included in default Ubuntu packages)
  • curl

cf-purge-cache.sh

Purges Cloudflare cache via API. Supports full zone purge and selective purge by URL - useful in CI/CD pipelines or after manual deployments.

What it does:

  • Full cache purge with confirmation prompt (no arguments)
  • Selective purge for one or more specific URLs (passed as arguments)
  • Validates API response and reports errors clearly

Usage:

chmod +x cf-purge-cache.sh

# Purge entire cache (asks for confirmation)
./cf-purge-cache.sh

# Purge specific URLs
./cf-purge-cache.sh https://example.com/page https://example.com/style.css

# Example CI/CD usage (no confirmation needed for URL purge)
./cf-purge-cache.sh https://example.com/assets/app.js

Configuration:

Set CF_API_TOKEN and CF_ZONE_ID at the top of the script. The API token needs the Zone.Cache Purge permission - create one at Cloudflare API Tokens.

Requirements:

  • curl
  • jq (only for selective URL purge)

License

MIT

About

Useful things for cloudflare

evt.pl

Topics

nginx apache iptables nginx-server nginx-configuration iptables-rules iptables-configurations iptables-persistent iptables-firewall apache-configuration coudflare cloudflare-config

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages