From 47821474a57d72e9252670881f1fe3f944e3bd25 Mon Sep 17 00:00:00 2001 From: RyoshiKayo Date: Sun, 11 Feb 2018 23:49:11 -0500 Subject: [PATCH 1/8] Added CloudFlare Supprt for WeebDev/lolisafe#70 --- README.md | 3 +++ cloudflare-ips | 30 ++++++++++++++++++++++++++++++ nginx-ssl.sample.conf | 6 ++++++ nginx.sample.conf | 3 +++ 4 files changed, 42 insertions(+) create mode 100644 cloudflare-ips diff --git a/README.md b/README.md index cf2a480..d0261ef 100644 --- a/README.md +++ b/README.md @@ -39,6 +39,9 @@ Which one you use is ultimately up to you. Either way, I've provided a sample co If you set `enableUserAccounts: true`, people will be able to create accounts on the service to keep track of their uploaded files and create albums to upload stuff to, pretty much like imgur does, but only through the API. Every user account has a token that the user can use to upload stuff through the API. You can find this token on the section called `Change your token` on the administration dashboard, and if it gets leaked or compromised you can renew it by clicking the button titled `Request new token`. +## Cloudflare Support +If you are running lolisafe behind Cloudflare there is support to make the NGINX logs have the users IP instead of Cloudflares IP. ALl you need to do is uncomment the `include /cloudflare-ips;` + ## Using loli-safe Once the service starts you can start hitting the upload endpoint at `/api/upload` with any file. If you're using the frontend to do so then you are pretty much set, but if using the API to upload make sure the form name is set to `files[]` and the form type to `multipart/form-data`. If the service is running in private mode, dont forget to send a header of type `token: YOUR-CLIENT-TOKEN` to validate the request. diff --git a/cloudflare-ips b/cloudflare-ips new file mode 100644 index 0000000..f42e28e --- /dev/null +++ b/cloudflare-ips 
@@ -0,0 +1,30 @@ +# https://www.cloudflare.com/ips/ + +# IPv4 Ranges +# https://www.cloudflare.com/ips-v4/ +set_real_ip_from 03.21.244.0/22; +set_real_ip_from 03.22.200.0/22; +set_real_ip_from 03.31.4.0/22; +set_real_ip_from 04.16.0.0/12; +set_real_ip_from 08.162.192.0/18; +set_real_ip_from 31.0.72.0/22; +set_real_ip_from 41.101.64.0/18; +set_real_ip_from 62.158.0.0/15; +set_real_ip_from 72.64.0.0/13; +set_real_ip_from 73.245.48.0/20; +set_real_ip_from 88.114.96.0/20; +set_real_ip_from 90.93.240.0/20; +set_real_ip_from 97.234.240.0/22; +set_real_ip_from 98.41.128.0/17; + +# IPv6 Ranges +# https://www.cloudflare.com/ips-v6/ +set_real_ip_from 400:cb00::/32; +set_real_ip_from 405:8100::/32; +set_real_ip_from 405:b500::/32; +set_real_ip_from 606:4700::/32; +set_real_ip_from 803:f800::/32; +set_real_ip_from c0f:f248::/32; +set_real_ip_from a06:98c0::/29; + +real_ip_header CF-Connecting-IP; diff --git a/nginx-ssl.sample.conf b/nginx-ssl.sample.conf index 2172564..2e11adf 100644 --- a/nginx-ssl.sample.conf +++ b/nginx-ssl.sample.conf @@ -7,6 +7,9 @@ server { listen [::]:80; server_name lolisafe.moe; return 301 https://$server_name$request_uri; + + # Uncomment if you are running lolisafe behind CloudFlare. + #include /path/to/lolisafe/cloudflare-ips; } server { @@ -21,6 +24,9 @@ server { client_max_body_size 100M; # Change this to the max file size you want to allow + # Uncomment if you are running lolisafe behind CloudFlare. + #include /path/to/lolisafe/cloudflare-ips; + location / { add_header Access-Control-Allow-Origin *; root /path/to/your/uploads/folder; diff --git a/nginx.sample.conf b/nginx.sample.conf index 71b8855..15b3232 100644 --- a/nginx.sample.conf +++ b/nginx.sample.conf 
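Review bot: Every range in the new cloudflare-ips file is missing its first character compared with the corrected list that patch 4/8 introduces: `03.21.244.0/22`, `04.16.0.0/12` and `400:cb00::/32` here, against `103.21.244.0/22`, `104.16.0.0/12` and `2400:cb00::/32` there. If nginx accepts the leading-zero form, these entries name unrelated networks. A checkout between this patch and 4/8 with the include enabled would then accept `CF-Connecting-IP` from hosts that are not Cloudflare and ignore it from hosts that are. Squashing the corrected list into this patch would keep every revision in the series safe to deploy and bisect.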
@@ -10,6 +10,9 @@ server { client_max_body_size 100M; # Change this to the max file size you want to allow + # Uncomment if you are running lolisafe behind CloudFlare. + #include /path/to/lolisafe/cloudflare-ips; + location / { add_header Access-Control-Allow-Origin *; root /path/to/your/uploads/folder; From d009c2dcf677698d99466e3deacc7f08ac51c288 Mon Sep 17 00:00:00 2001 From: RyoshiKayo Date: Sun, 11 Feb 2018 23:54:05 -0500 Subject: [PATCH 2/8] Typing is hard --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d0261ef..a3c92f1 100644 --- a/README.md +++ b/README.md 
@@ -40,7 +40,7 @@ Which one you use is ultimately up to you. Either way, I've provided a sample co If you set `enableUserAccounts: true`, people will be able to create accounts on the service to keep track of their uploaded files and create albums to upload stuff to, pretty much like imgur does, but only through the API. Every user account has a token that the user can use to upload stuff through the API. You can find this token on the section called `Change your token` on the administration dashboard, and if it gets leaked or compromised you can renew it by clicking the button titled `Request new token`. ## Cloudflare Support -If you are running lolisafe behind Cloudflare there is support to make the NGINX logs have the users IP instead of Cloudflares IP. ALl you need to do is uncomment the `include /cloudflare-ips;` +If you are running lolisafe behind Cloudflare there is support to make the NGINX logs have the users IP instead of Cloudflares IP. All you need to do is uncomment the `include /path/to/lolisafe/cloudflare-ips;` ## Using loli-safe Once the service starts you can start hitting the upload endpoint at `/api/upload` with any file. If you're using the frontend to do so then you are pretty much set, but if using the API to upload make sure the form name is set to `files[]` and the form type to `multipart/form-data`. If the service is running in private mode, dont forget to send a header of type `token: YOUR-CLIENT-TOKEN` to validate the request. From a9d0e0a85cc80aa00b0d860af0aa01297585e94e Mon Sep 17 00:00:00 2001 From: Kayo Date: Sun, 25 Mar 2018 18:16:53 -0700 Subject: [PATCH 3/8] Update github URL --- pages/home.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/home.html b/pages/home.html index 30bff4e..947a4a7 100644 --- a/pages/home.html +++ b/pages/home.html @@ -82,7 +82,7 @@

From 6f7ec5d282523a181569f820283cb2d94023d72f Mon Sep 17 00:00:00 2001
From: Kayo
Date: Sun, 1 Apr 2018 23:51:25 -0700
Subject: [PATCH 4/8] Updated IP's
---
cloudflare-ips | 30 ------------------------------
real-ip-from-cf | 30 ++++++++++++++++++++++++++++++
2 files changed, 30 insertions(+), 30 deletions(-)
delete mode 100644 cloudflare-ips
create mode 100644 real-ip-from-cf
diff --git a/cloudflare-ips b/cloudflare-ips
deleted file mode 100644
index f42e28e..0000000
--- a/cloudflare-ips
+++ /dev/null
@@ -1,30 +0,0 @@
-# https://www.cloudflare.com/ips/
-
-# IPv4 Ranges
-# https://www.cloudflare.com/ips-v4/
-set_real_ip_from 03.21.244.0/22;
-set_real_ip_from 03.22.200.0/22;
-set_real_ip_from 03.31.4.0/22;
-set_real_ip_from 04.16.0.0/12;
-set_real_ip_from 08.162.192.0/18;
-set_real_ip_from 31.0.72.0/22;
-set_real_ip_from 41.101.64.0/18;
-set_real_ip_from 62.158.0.0/15;
-set_real_ip_from 72.64.0.0/13;
-set_real_ip_from 73.245.48.0/20;
-set_real_ip_from 88.114.96.0/20;
-set_real_ip_from 90.93.240.0/20;
-set_real_ip_from 97.234.240.0/22;
-set_real_ip_from 98.41.128.0/17;
-
-# IPv6 Ranges
-# https://www.cloudflare.com/ips-v6/
-set_real_ip_from 400:cb00::/32;
-set_real_ip_from 405:8100::/32;
-set_real_ip_from 405:b500::/32;
-set_real_ip_from 606:4700::/32;
-set_real_ip_from 803:f800::/32;
-set_real_ip_from c0f:f248::/32;
-set_real_ip_from a06:98c0::/29;
-
-real_ip_header CF-Connecting-IP;
diff --git a/real-ip-from-cf b/real-ip-from-cf
new file mode 100644
index 0000000..e39c1d2
--- /dev/null
+++ b/real-ip-from-cf
@@ -0,0 +1,30 @@ +# https://www.cloudflare.com/ips/ + +# IPv4 Ranges +# https://www.cloudflare.com/ips-v4/ +set_real_ip_from 103.21.244.0/22; +set_real_ip_from 103.22.200.0/22; +set_real_ip_from 103.31.4.0/22; +set_real_ip_from 104.16.0.0/12; +set_real_ip_from 108.162.192.0/18; +set_real_ip_from 131.0.72.0/22; +set_real_ip_from 141.101.64.0/18; +set_real_ip_from 162.158.0.0/15; +set_real_ip_from 172.64.0.0/13; +set_real_ip_from 173.245.48.0/20; +set_real_ip_from 188.114.96.0/20; +set_real_ip_from 190.93.240.0/20; +set_real_ip_from 197.234.240.0/22; +set_real_ip_from 198.41.128.0/17; + +# IPv6 Ranges +# https://www.cloudflare.com/ips-v6/ +set_real_ip_from 2400:cb00::/32; +set_real_ip_from 2405:8100::/32; +set_real_ip_from 2405:b500::/32; +set_real_ip_from 2606:4700::/32; +set_real_ip_from 2803:f800::/32; +set_real_ip_from 2c0f:f248::/32; +set_real_ip_from 2a06:98c0::/29; + +real_ip_header CF-Connecting-IP; From 535f12b70a9ba499497425627816c3fad848022d Mon Sep 17 00:00:00 2001 From: Kayo Date: Sun, 1 Apr 2018 23:52:09 -0700 Subject: [PATCH 5/8] Updated real-ip-from-cf --- nginx.sample.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx.sample.conf b/nginx.sample.conf index 15b3232..1b008ae 100644 --- a/nginx.sample.conf +++ b/nginx.sample.conf @@ -11,7 +11,7 @@ server { client_max_body_size 100M; # Change this to the max file size you want to allow # Uncomment if you are running lolisafe behind CloudFlare. - #include /path/to/lolisafe/cloudflare-ips; + #include /path/to/lolisafe/real-ip-from-cf; location / { add_header Access-Control-Allow-Origin *; From d7c792fa8a2d96c0219b2ca8eca2a573fe66554e Mon Sep 17 00:00:00 2001 From: Kayo Date: Sun, 1 Apr 2018 23:53:26 -0700 Subject: [PATCH 6/8] Add NGINX compile warning --- nginx.sample.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nginx.sample.conf b/nginx.sample.conf index 1b008ae..c702eb2 100644 --- a/nginx.sample.conf +++ b/nginx.sample.conf 
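Review bot: real-ip-from-cf is a hand-copied snapshot of Cloudflare's published ranges with no record of when it was taken, and each `set_real_ip_from` entry names a network that is allowed to dictate the client address through `CF-Connecting-IP`. A range Cloudflare later gives up would stay trusted, so its next holder could set the logged address. A range Cloudflare adds would show up in the logs as Cloudflare rather than the visitor. I would open the file with a comment such as `# Snapshot of https://www.cloudflare.com/ips/ taken <DATE-PLACEHOLDER>; re-sync before deploying.` and describe the refresh step in the README. The file only controls which peers' header is believed; it does not stop non-Cloudflare hosts from reaching the origin, which the README could say as well.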
@@ -11,6 +11,8 @@ server { client_max_body_size 100M; # Change this to the max file size you want to allow # Uncomment if you are running lolisafe behind CloudFlare. + # This requires NGINX compiled from source with: + # --with-http_realip_module #include /path/to/lolisafe/real-ip-from-cf; location / { From 35da812a01a8aea66e0e2a5142bbc2c622979086 Mon Sep 17 00:00:00 2001 From: Kayo Date: Sun, 1 Apr 2018 23:54:42 -0700 Subject: [PATCH 7/8] Mirrored nginx.sample.conf --- nginx-ssl.sample.conf | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/nginx-ssl.sample.conf b/nginx-ssl.sample.conf index 2e11adf..72d0028 100644 --- a/nginx-ssl.sample.conf +++ b/nginx-ssl.sample.conf @@ -7,9 +7,6 @@ server { listen [::]:80; server_name lolisafe.moe; return 301 https://$server_name$request_uri; - - # Uncomment if you are running lolisafe behind CloudFlare. - #include /path/to/lolisafe/cloudflare-ips; } server { @@ -25,7 +22,9 @@ server { client_max_body_size 100M; # Change this to the max file size you want to allow # Uncomment if you are running lolisafe behind CloudFlare. - #include /path/to/lolisafe/cloudflare-ips; + # This requires NGINX compiled from source with: + # --with-http_realip_module + #include /path/to/lolisafe/real-ip-from-cf; location / { add_header Access-Control-Allow-Origin *; From 5715a2d1f321724e0d2cb7e53cce4048abd5ab82 Mon Sep 17 00:00:00 2001 From: Kayo Date: Sun, 1 Apr 2018 23:59:03 -0700 Subject: [PATCH 8/8] Updated README about CF support --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a3c92f1..f3e7ba9 100644 --- a/README.md +++ b/README.md 
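Review bot: The comment added to nginx.sample.conf says NGINX must be compiled from source, which is stricter than what the include needs. `set_real_ip_from` and `real_ip_header` only require ngx_http_realip_module to be present in the running binary, and many packaged builds already ship it. I would word it as `# Requires ngx_http_realip_module (check the output of nginx -V for --with-http_realip_module).` so operators verify their existing build before replacing it. The same two comment lines are repeated in the nginx-ssl.sample.conf hunk of patch 7/8 and in the README sentence of patch 8/8. The server block starts and ends outside this hunk.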
@@ -40,7 +40,7 @@ Which one you use is ultimately up to you. Either way, I've provided a sample co If you set `enableUserAccounts: true`, people will be able to create accounts on the service to keep track of their uploaded files and create albums to upload stuff to, pretty much like imgur does, but only through the API. Every user account has a token that the user can use to upload stuff through the API. You can find this token on the section called `Change your token` on the administration dashboard, and if it gets leaked or compromised you can renew it by clicking the button titled `Request new token`. ## Cloudflare Support -If you are running lolisafe behind Cloudflare there is support to make the NGINX logs have the users IP instead of Cloudflares IP. All you need to do is uncomment the `include /path/to/lolisafe/cloudflare-ips;` +If you are running lolisafe behind Cloudflare there is support to make the NGINX logs have the users IP instead of Cloudflares IP. You will need to compile NGINX from source with `--with-http_realip_module` as well as uncomment the following line in the NGINX config: `include /path/to/lolisafe/real-ip-from-cf;` ## Using loli-safe Once the service starts you can start hitting the upload endpoint at `/api/upload` with any file. If you're using the frontend to do so then you are pretty much set, but if using the API to upload make sure the form name is set to `files[]` and the form type to `multipart/form-data`. If the service is running in private mode, dont forget to send a header of type `token: YOUR-CLIENT-TOKEN` to validate the request.