From 8d3358a234cc7ef89da74629b9df1ce2fe8d7bb3 Mon Sep 17 00:00:00 2001
From: Grant Slater
Date: Fri, 28 Nov 2025 14:10:04 +0000
Subject: [PATCH] web: Use Fastly client IP, remove Cloudflare
---
 cookbooks/web/recipes/frontend.rb | 19 +------------------
 .../web/templates/default/apache.frontend.erb | 5 +----
 2 files changed, 2 insertions(+), 22 deletions(-)
diff --git a/cookbooks/web/recipes/frontend.rb b/cookbooks/web/recipes/frontend.rb
index 2ab7d8e9a..b67965594 100644
--- a/cookbooks/web/recipes/frontend.rb
+++ b/cookbooks/web/recipes/frontend.rb
@@ -60,22 +60,6 @@ template "#{node[:web][:base_directory]}/static/.well-known/security.txt" do
 mode "644"
 end
 
-remote_file "#{Chef::Config[:file_cache_path]}/cloudflare-ipv4-list" do
- source "https://www.cloudflare.com/ips-v4"
- compile_time true
- ignore_failure true
-end
-
-cloudflare_ipv4 = IO.read("#{Chef::Config[:file_cache_path]}/cloudflare-ipv4-list").lines.map(&:chomp)
-
-remote_file "#{Chef::Config[:file_cache_path]}/cloudflare-ipv6-list" do
- source "https://www.cloudflare.com/ips-v6"
- compile_time true
- ignore_failure true
-end
-
-cloudflare_ipv6 = IO.read("#{Chef::Config[:file_cache_path]}/cloudflare-ipv6-list").lines.map(&:chomp)
-
 remote_file "#{Chef::Config[:file_cache_path]}/fastly-ip-list.json" do
 source "https://api.fastly.com/public-ip-list"
 compile_time true
@@ -86,8 +70,7 @@ fastlyips = JSON.parse(IO.read("#{Chef::Config[:file_cache_path]}/fastly-ip-list
 
 apache_site "www.openstreetmap.org" do
 template "apache.frontend.erb"
- variables :cloudflare => cloudflare_ipv4 + cloudflare_ipv6,
- :fastly => fastlyips["addresses"] + fastlyips["ipv6_addresses"],
+ variables :fastly => fastlyips["addresses"] + fastlyips["ipv6_addresses"],
 :status => node[:web][:status],
 :secret_key_base => web_passwords["secret_key_base"]
 end
diff --git a/cookbooks/web/templates/default/apache.frontend.erb b/cookbooks/web/templates/default/apache.frontend.erb
index 59325bd29..7a9d60ece 100644
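Review bot: With the Cloudflare ranges gone, `fastlyips["addresses"] + fastlyips["ipv6_addresses"]` in the `apache_site` variables is the only source of `RemoteIPTrustedProxy` entries, and nothing visible here checks that it is non-empty. As I read the mod_remoteip documentation, a `RemoteIPHeader` with no trusted-proxy directives is honoured from any peer, so an empty or truncated list would fail open rather than closed. Consider building the list into a local first and aborting the converge when it is empty, e.g. `raise "Fastly IP list is empty" if fastly_addresses.empty?`. The `remote_file` and `JSON.parse` lines that produce `fastlyips` are only partly inside these hunks, so any validation already done there is not visible.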
--- a/cookbooks/web/templates/default/apache.frontend.erb +++ b/cookbooks/web/templates/default/apache.frontend.erb @@ -27,10 +27,7 @@ ErrorLog /var/log/apache2/error.log SSLCertificateKeyFile /etc/ssl/private/www.openstreetmap.org.key # Get the real remote IP for requests via a trusted proxy - RemoteIPHeader CF-Connecting-IP -<% @cloudflare.sort.each do |address| -%> - RemoteIPTrustedProxy <%= address %> -<% end -%> + RemoteIPHeader Fastly-Client-IP # Fastly POPs <% @fastly.sort.each do |address| -%> RemoteIPTrustedProxy <%= address %> -- 2.39.5
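Review bot: `RemoteIPHeader Fastly-Client-IP` is only as trustworthy as the edge configuration that sets it, and that configuration is not part of this change. It is worth confirming that the Fastly service overwrites any client-supplied `Fastly-Client-IP` at the edge. The `RemoteIPTrustedProxy` entries below cover Fastly's published ranges, which are presumably shared with other Fastly customers, so the allowlist alone does not establish that a request came through this service. If the resulting client address feeds rate limiting, blocking or audit logs, consider an origin-authentication check as well, and record the assumption next to the directive, e.g. `# Fastly-Client-IP must be set from the connecting address at the edge; see the Fastly service config`. The enclosing virtual host block starts and ends outside this hunk.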