Tweak nginx config (#1769)

mkst · web-flow · commit 6a3d75151d46 · 2025-12-13T11:57:45.000+09:00
diff --git a/docker-compose.prod.yaml b/docker-compose.prod.yaml
@@ -54,6 +54,7 @@ services:
     volumes:
       # repo files
       - ./nginx/production.conf:/etc/nginx/conf.d/default.conf:ro
+      - ./nginx/geo.conf:/etc/nginx/conf.d/geo.conf:ro
       - ./frontend/down.html:/var/www/decomp.me/down.html:ro
       # certbot
       - ./certbot:/var/www/certbot
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -52,5 +52,6 @@ services:
       - "80:80"
     volumes:
       - ./nginx/development.conf:/etc/nginx/conf.d/default.conf:ro
+      - ./nginx/geo.conf:/etc/nginx/conf.d/geo.conf:ro
       - ./frontend/down.html:/var/www/down.html:ro
       - ./backend/media:/media
diff --git a/nginx/development.conf b/nginx/development.conf
@@ -1,4 +1,4 @@
-# nginx config file used by docker
+include /etc/nginx/conf.d/geo.conf;
 
 server {
     listen 80;
@@ -10,6 +10,10 @@ server {
 
     server_name decomp.local www.decomp.local;
 
+    if ($is_denied) {
+        return 403;
+    }
+
     location / {
         try_files $uri @proxy_frontend;
     }
diff --git a/nginx/geo.conf b/nginx/geo.conf
@@ -0,0 +1,3 @@
+geo $is_denied {
+    default 0;
+}
diff --git a/nginx/production.conf b/nginx/production.conf
@@ -1,3 +1,5 @@
+include /etc/nginx/conf.d/geo.conf;
+
 server {
     listen 80;
     server_name decomp.me www.decomp.me;
@@ -12,7 +14,7 @@ server {
 }
 
 log_format latency_log escape=json
-    '{ "cf_ip":"$http_cf_connecting_ip", "remote":"$remote_addr", '
+    '{ "cf_edge_ip":"$cf_edge_ip", "remote":"$remote_addr", '
     '"time":"$time_iso8601", "request":"$request", "status":$status, '
     '"bytes":$body_bytes_sent, "referer":"$http_referer", "agent":"$http_user_agent", '
     '"rt":$request_time, "urt":"$upstream_response_time", '
@@ -51,6 +53,11 @@ server {
     include /etc/letsencrypt/options-ssl-nginx.conf;
     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 
+    # Cloudflare
+    set $cf_edge_ip $remote_addr;
+    real_ip_header CF-Connecting-IP;
+    real_ip_recursive on;
+
     # Compression
     gzip on;
     gzip_static on;
@@ -78,6 +85,10 @@ server {
         text/plain
         text/xml;
 
+    if ($is_denied) {
+        return 403;
+    }
+
     location / {
         try_files /dummy.html @proxy_frontend;
     }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+geo $is_denied {`
	`2`	`+ default 0;`
	`3`	`+}`