Set real IP from GLB

Author: DeviaVir

contrib/nginx.conf.in

@@ -1,3 +1,11 @@
+# Set the IP ranges of your Google Cloud Load Balancer
+set_real_ip_from 130.211.0.0/22;
+set_real_ip_from 35.191.0.0/16;
+
+# Use the IP address in the X-Forwarded-For header as the client IP
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;
+
 geo $limit {
     default 1;
     34.70.28.228/32 0;

run.sh

@@ -7,6 +7,7 @@ MODE=$2
 
 SYNC_SECRET=$4
 SYNC_SOURCE=$5
+NGINX_GCLB_IP=${NGINX_GCLB_IP:-35.201.74.156} # bs.info
 
 if [ -z "$FLAVOR" ] || [ ! -d /srv/explorer/static/$FLAVOR ]; then
     echo "Please provide bitcoin-mainnet, bitcoin-testnet, bitcoin-signet, bitcoin-regtest, liquid-mainnet, liquid-testnet or liquid-regtest as a parameter"
@@ -221,6 +222,11 @@ fi
 preprocess /srv/explorer/source/contrib/nginx.conf.in /etc/nginx/sites-enabled/default
 sed -i 's/user www-data;/user root;/' /etc/nginx/nginx.conf
 
+# Set real IP of service
+if [ -n "NGINX_GCLB_IP" ]; then
+  sed -i "/set_real_ip_from 35.191.0.0\/16;/a set_real_ip_from ${NGINX_GCLB_IP}\/32; # GCLB public IP" /etc/nginx/sites-enabled/default
+fi
+
 # Make mempool contents available over nginx, protected with SYNC_SECRET
 if [ -n "$SYNC_SECRET" ]; then
     echo "sync:{PLAIN}$SYNC_SECRET" > /srv/explorer/htpasswd