假设CDN是cloudflare,服务器使用nginx
检验IP
获取cloudflare的ip范围
在nginx中配置白名单
一般是单独出来一个white_list.conf
,在需要的时候include。
可以根据需要放置在server
模块或者location
模块。
# white_list.conf
allow 173.245.48.0/20;
allow 103.21.244.0/22;
allow 103.22.200.0/22;
allow 103.31.4.0/22;
allow 141.101.64.0/18;
allow 108.162.192.0/18;
allow 190.93.240.0/20;
allow 188.114.96.0/20;
allow 197.234.240.0/22;
allow 198.41.128.0/17;
allow 162.158.0.0/15;
allow 104.16.0.0/13;
allow 104.24.0.0/14;
allow 172.64.0.0/13;
allow 131.0.72.0/22;
allow 2400:cb00::/32;
allow 2606:4700::/32;
allow 2803:f800::/32;
allow 2405:b500::/32;
allow 2405:8100::/32;
allow 2a06:98c0::/29;
allow 2c0f:f248::/32;
deny all;
server {
listen 80;
server_name example.com;
# include white_list.conf;
...
location /admin {
# include white_list.conf;
...
}
...
}
检验header
有时候获取CDN服务的ip范围有那么一点困难,我们可以约定特殊头部,以此判断是否来自CDN。
假设约定的header为: XYZ-AUTH-TOKEN: foobar114514