Monthly Archives: October 2023

Real IP on nginx with Cloudflare

Create the following file

/etc/nginx/cloudflare

with the following content

# Cloudflare IP addresses
# sources
# https://www.cloudflare.com/ips-v4/
# https://www.cloudflare.com/ips-v6/
#
# IPv4
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;

# IPv6
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;

real_ip_header CF-Connecting-IP;

Then, in /etc/nginx/nginx.conf, inside http{….}, add

include /etc/nginx/cloudflare;

Test the nginx configuration with nginx -t and, if it succeeds, stop & start nginx.
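The range list above is a snapshot of the two source URLs and can drift. A range that is trusted but no longer published lets any host in it set CF-Connecting-IP and so choose the address nginx logs, while a published range that is missing leaves Cloudflare's own address in the logs. The following check is an added example, not part of the original post: it compares the include file with the published lists, and the function names and sample inputs are constructed for illustration.

```python
import ipaddress
import re

# Match active directives only; lines starting with '#' are skipped.
SET_FROM = re.compile(r"^[ \t]*set_real_ip_from[ \t]+([^;\s]+)[ \t]*;", re.MULTILINE)
HEADER = re.compile(r"^[ \t]*real_ip_header[ \t]+([^;\s]+)[ \t]*;", re.MULTILINE)

def parse_networks(values):
    """Split values into parsed networks and entries that are not an IP/CIDR."""
    nets, other = set(), []
    for value in values:
        try:
            nets.add(ipaddress.ip_network(value, strict=False))
        except ValueError:
            other.append(value)  # e.g. "unix:" or a hostname, reviewed by hand
    return nets, other

def audit(conf_text, published_text):
    """Compare set_real_ip_from entries with the published range lists."""
    trusted, other = parse_networks(SET_FROM.findall(conf_text))
    published, _ = parse_networks(published_text.split())
    header = HEADER.search(conf_text)
    return {
        "missing": sorted(str(n) for n in published - trusted),  # not trusted yet
        "extra": sorted(str(n) for n in trusted - published),    # trusted, unpublished
        "not_cidr": other,
        "header": header.group(1) if header else None,
    }

# Constructed sample: a shortened include file with one stale entry
# (203.0.113.0/24 is a documentation range) and one commented-out line.
SAMPLE_CONF = """\
# Cloudflare IP addresses
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 203.0.113.0/24;
# set_real_ip_from 198.51.100.0/24;
real_ip_header CF-Connecting-IP;
"""

# Constructed sample standing in for the text of the ips-v4 and ips-v6 pages.
SAMPLE_PUBLISHED = """\
103.21.244.0/22
103.22.200.0/22
2400:cb00::/32
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_PUBLISHED))
```

To use it on a real server, pass the contents of /etc/nginx/cloudflare as the first argument and the concatenated text of the two source URLs as the second.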

Tengine

Tengine is a web server originated by Taobao, the largest e-commerce website in Asia. It is based on the Nginx HTTP server and has many advanced features. Tengine has proven to be very stable and efficient on some of the top 100 websites in the world, including Taobao.com, Tmall.com, Youku, AliExpress, Lazada and Alibaba Cloud.

  • All features of nginx-1.24.0 are inherited, i.e., it is 100% compatible with nginx.
  • Dynamically reconfigure the servers, locations and upstreams without reloading or restarting worker processes with tengine-ingress.
  • HTTP/3 support (QUIC v1 and draft-29) with xquic.
  • High-speed UDP transmission with kernel-bypass.
  • Dynamically reconfigure routing based on standard and custom HTTP headers, header value, and weights with tengine-ingress.
  • Dynamically reconfigure timeout setting, SSL Redirects, CORS and enabling/disabling robots for the server and location with tengine-ingress.
  • Support the CONNECT HTTP method for forward proxy.
  • Support asynchronous OpenSSL, using hardware such as QAT for HTTPS acceleration.
  • Enhanced operations monitoring, such as asynchronous log & rollback, DNS caching, memory usage, etc.
  • Support server_name in Stream module.
  • More load balancing methods, e.g., consistent hashing, and session persistence.
  • Input body filter support. It’s quite handy to write Web Application Firewalls using this mechanism.
  • Dynamic scripting language (Lua) support, which is very efficient and makes it easy to extend core functionalities.
  • Limits retries for upstream servers (proxy, memcached, fastcgi, scgi, uwsgi).
  • Includes a mechanism to support standalone processes.
  • Protects the server in case system load or memory use goes too high.
  • Multiple CSS or JavaScript requests can be combined into one request to reduce download time.
  • Removes unnecessary white spaces and comments to reduce the size of a page.
  • Proactive health checks of upstream servers can be performed.
  • The number of worker processes and CPU affinities can be set automatically.
  • The limit_req module is enhanced with whitelist support and more conditions are allowed in a single location.
  • Enhanced diagnostic information makes it easier to troubleshoot errors.
  • More user-friendly command lines, e.g., showing all compiled-in modules and supported directives.
  • Expiration times can be specified for certain MIME types.

https://giter.vip/alibaba/tengine