fly-sidecar-poc/nginx.conf at main · code-forge-io/fly-sidecar-poc · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
# Only allow this ip range to set the real_ip_header. This range is used by fly-proxy.
set_real_ip_from    172.16.0.0/16;

# This header only contains one IP, which is the real client ip set by cloudflare.
# This implies that we trust Cloudflare and their settings so its not possible for anyone
# to bypass or spoof any IP for Cf-Connecting-Ip for instance.
real_ip_header      Cf-Connecting-Ip;
limit_req_zone      $binary_remote_addr zone=my_zone:16m rate=1r/s;

# We check the realip_remote_addr if fly-proxy made the request to make sure
# that fly-proxy is not bypassed
geo $realip_remote_addr $is_fly_proxy {
  default          0;
  172.16.0.0/16    1;
}

# We check the fly-client_ip header fly-proxy sets with the client ip from its perspective
# which we expect to be Cloudflare in our case.
geo $http_fly_client_ip $is_cloudflare_client {
  default          0;
  2400:cb00::/32   1;
  2606:4700::/32   1;
  2803:f800::/32   1;
  2405:b500::/32   1;
  2405:8100::/32   1;
  2a06:98c0::/29   1;
  2c0f:f248::/32   1;
  173.245.48.0/20  1;
  103.21.244.0/22  1;
  103.22.200.0/22  1;
  103.31.4.0/22    1;
  141.101.64.0/18  1;
  108.162.192.0/18 1;
  190.93.240.0/20  1;
  188.114.96.0/20  1;
  197.234.240.0/22 1;
  198.41.128.0/17  1;
  162.158.0.0/15   1;
  104.16.0.0/13    1;
  104.24.0.0/14    1;
  172.64.0.0/13    1;
  131.0.72.0/22    1;
}

map "$is_fly_proxy:$is_cloudflare_client" $are_valid_origins {
  default          0;
  "1:1"            1;
}


server {
  listen 8080;
  server_name _;

  set $origin_host_header $http_host;

  add_header X-Sidecar-Response 'true' always;
  add_header X-RA $remote_addr always;
  add_header X-Realip-RA $realip_remote_addr always;
  add_header X-Fly-CIP 'cip:$http_fly_client_ip' always;
  add_header X-Valid-Origins 'V:$are_valid_origins' always;
  add_header X-Is-Fly-Proxy 'is_fly_proxy:$is_fly_proxy' always;
  add_header X-Is-CF-Client 'is_cloudflare_client:$is_cloudflare_client' always;
  port_in_redirect off;

  if ($are_valid_origins != 1) {
    return 403;
  }

  location = /shared-file-nginx {
    alias /my-shared-dir/shared.txt;
    types { text/plain txt; }
    default_type text/plain;

    # Disable all proxies and client caches
    add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
    add_header Pragma "no-cache" always;
    add_header Expires "0" always;
  }

  location / {
    limit_req zone=my_zone burst=1 delay=1;

    proxy_set_header X-Sidecar-Request 'true';
    proxy_set_header X-Orig-XFF $http_x_forwarded_for;
    proxy_set_header X-Remote-Addr $remote_addr;
    proxy_set_header X-RealIp-Remote-Addr $realip_remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $origin_host_header;
    proxy_ignore_headers Vary;

    if ($are_valid_origins) {
      proxy_pass http://localhost:3000;
    }
  }

  location /assets/ {
    proxy_set_header Host $origin_host_header;
    proxy_ignore_headers Vary;

    if ($are_valid_origins) {
      proxy_pass http://localhost:3000;
    }

  }

}