From 9e4fadc0139da984bd91b418d1c0b2a8a4bb40df Mon Sep 17 00:00:00 2001
From: wopox1337
Date: Fri, 16 Jan 2026 21:07:13 +0300
Subject: [PATCH] feat: add Cloudflare IP whitelist check

---
 docker-compose.yml | 1 +
 nginx/scripts/fetch-cloudflare-ips.sh | 27 +++++++++++++++++++
 .../templates/edge-https-proxy.conf.template | 6 +++++
 3 files changed, 34 insertions(+)
 create mode 100755 nginx/scripts/fetch-cloudflare-ips.sh

diff --git a/docker-compose.yml b/docker-compose.yml
index 17cdf23..66ac5d9 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -11,6 +11,7 @@ services:
 - ./nginx/templates:/etc/nginx/templates:ro
 - ./logs/nginx:/var/log/nginx
 - ./nginx/certs:/etc/nginx/certs:ro
+ - ./nginx/scripts/fetch-cloudflare-ips.sh:/docker-entrypoint.d/40-fetch-cloudflare-ips.sh:ro
 environment:
 ORIGIN_NAME: hlds.run
 TZ: Europe/Moscow
diff --git a/nginx/scripts/fetch-cloudflare-ips.sh b/nginx/scripts/fetch-cloudflare-ips.sh
new file mode 100755
index 0000000..7c28624
--- /dev/null
+++ b/nginx/scripts/fetch-cloudflare-ips.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Пути к файлам, которые будут созданы
+ALLOW_FILE="/etc/nginx/cloudflare_ips.conf"
+REAL_IP_FILE="/etc/nginx/cloudflare_realip.conf"
+
+echo "Fetching Cloudflare IPs..."
+
+# Списки IP от Cloudflare
+IPV4_URL="https://www.cloudflare.com/ips-v4"
+IPV6_URL="https://www.cloudflare.com/ips-v6"
+
+# Очищаем или создаем файлы
+echo "# Cloudflare IP Ranges" > "$ALLOW_FILE"
+echo "# Cloudflare Real IP Configuration" > "$REAL_IP_FILE"
+
+# Скачиваем IP и формируем конфиги
+for ip in $(wget -qO- $IPV4_URL) $(wget -qO- $IPV6_URL); do
+ echo "allow $ip;" >> "$ALLOW_FILE"
+ echo "set_real_ip_from $ip;" >> "$REAL_IP_FILE"
+done
+
+# Добавляем финальные директивы
+echo "deny all;" >> "$ALLOW_FILE"
+echo "real_ip_header CF-Connecting-IP;" >> "$REAL_IP_FILE"
+
+echo "Cloudflare IPs updated successfully."
\ No newline at end of file
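Review bot: A failed or empty download leaves nginx with `deny all;` and not a single `allow` line, because the `for` loop then simply runs zero times: both `wget -qO-` calls are unchecked (`-q` also hides the reason), there is no `set -e`, and both output files are truncated before the fetch, so a transient DNS/TLS failure at container start produces a total outage while the log still prints "Cloudflare IPs updated successfully." The downloaded tokens are also written into the nginx config unvalidated, so any non-CIDR response body (an error page, a captive portal) becomes a config parse error at startup. I would fetch into variables first, exit non-zero with a message when either fetch fails or comes back empty, accept only tokens made of hex digits, `.`, `:` and `/`, and build the files under temporary names that are moved into place at the end; whether a fetch failure should abort startup (as below) or keep the previously generated files is a policy choice worth a comment. If the image in use lacks `wget` altogether (worth checking), the current version fails in exactly this silent way.
```shell
#!/bin/sh
set -eu
# … unchanged: ALLOW_FILE / REAL_IP_FILE / IPV4_URL / IPV6_URL definitions …

v4=$(wget -qO- "$IPV4_URL") || { echo "Failed to fetch $IPV4_URL" >&2; exit 1; }
v6=$(wget -qO- "$IPV6_URL") || { echo "Failed to fetch $IPV6_URL" >&2; exit 1; }
[ -n "$v4" ] && [ -n "$v6" ] || { echo "Empty Cloudflare IP list" >&2; exit 1; }

# Build in temp files so a failure part-way never leaves a half-written config.
tmp_allow="$ALLOW_FILE.tmp"
tmp_realip="$REAL_IP_FILE.tmp"
echo "# Cloudflare IP Ranges" > "$tmp_allow"
echo "# Cloudflare Real IP Configuration" > "$tmp_realip"

for ip in $v4 $v6; do
  # Only CIDR-shaped tokens may reach the nginx config.
  case "$ip" in
    *[!0-9a-fA-F.:/]*) echo "Unexpected token in IP list: $ip" >&2; exit 1 ;;
  esac
  echo "allow $ip;" >> "$tmp_allow"
  echo "set_real_ip_from $ip;" >> "$tmp_realip"
done

echo "deny all;" >> "$tmp_allow"
echo "real_ip_header CF-Connecting-IP;" >> "$tmp_realip"
mv "$tmp_allow" "$ALLOW_FILE"
mv "$tmp_realip" "$REAL_IP_FILE"
# … unchanged: final status message …
```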
diff --git a/nginx/templates/edge-https-proxy.conf.template b/nginx/templates/edge-https-proxy.conf.template
index c8d495e..3f85673 100644
--- a/nginx/templates/edge-https-proxy.conf.template
+++ b/nginx/templates/edge-https-proxy.conf.template
@@ -27,6 +27,12 @@ server {
 listen 443 ssl;
 server_name *.${ORIGIN_NAME};
 
+ # Подключаем настройки Real IP, чтобы видеть IP пользователей в логах
+ include /etc/nginx/cloudflare_realip.conf;
+
+ # Ограничиваем доступ: разрешаем только Cloudflare
+ include /etc/nginx/cloudflare_ips.conf;
+
 # SSL сертификаты (скопированы с origin / CF origin cert)
 ssl_certificate /etc/nginx/certs/fullchain.pem;
 ssl_certificate_key /etc/nginx/certs/privkey.pem;
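Review bot: Including the allow/deny list in the same `server` block as the `set_real_ip_from` rules will, as far as I can tell, deny every legitimate visitor: the realip module replaces the connection address with the `CF-Connecting-IP` value before the access phase runs, so `allow <cloudflare range>` is matched against the end user's address rather than the Cloudflare edge address, `deny all;` fires, and the order of the two `include` lines does not change that. Only the pre-substitution address should be tested for Cloudflare membership, and nginx exposes it as `$realip_remote_addr`; `allow`/`deny` cannot use a variable, so the check needs a `geo` map instead. I would have the fetch script emit `geo $realip_remote_addr $cf_edge { default 0; <range> 1; ... }` (http-level, so placed above the `server` block, which is the top of this file assuming the rendered template lands in conf.d as in the stock image) and replace the second include with `if ($cf_edge = 0) { return 403; }`, updating the comment above it to say the check is on the edge address. The enclosing `server` block starts and ends outside this hunk.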