Last active
September 26, 2025 21:54
-
-
Save mike-moreau/aca8fdacf7fb78d3bf83334a22ffbd7d to your computer and use it in GitHub Desktop.
Allow only cloudflare IP addresses to prevent firewall bypass (Laravel Forge)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # FORGE CONFIG (DO NOT REMOVE!) | |
| include forge-conf/www.example.com/before/*; | |
| geo $realip_remote_addr $cloudflare_ip { | |
| default 0; | |
| 103.21.244.0/22 1; | |
| 103.22.200.0/22 1; | |
| 103.31.4.0/22 1; | |
| 104.16.0.0/13 1; | |
| 104.24.0.0/14 1; | |
| 108.162.192.0/18 1; | |
| 131.0.72.0/22 1; | |
| 141.101.64.0/18 1; | |
| 162.158.0.0/15 1; | |
| 172.64.0.0/13 1; | |
| 173.245.48.0/20 1; | |
| 188.114.96.0/20 1; | |
| 190.93.240.0/20 1; | |
| 197.234.240.0/22 1; | |
| 198.41.128.0/17 1; | |
| 2400:cb00::/32 1; | |
| 2606:4700::/32 1; | |
| 2803:f800::/32 1; | |
| 2405:b500::/32 1; | |
| 2405:8100::/32 1; | |
| 2a06:98c0::/29 1; | |
| 2c0f:f248::/32 1; | |
| } | |
| server { | |
| listen 80; | |
| listen [::]:80; | |
| server_name www.example.com; | |
| server_tokens off; | |
| root /home/forge/www.example.com/web; | |
| # FORGE SSL (DO NOT REMOVE!) | |
| # ssl_certificate; | |
| # ssl_certificate_key; | |
| ssl_protocols TLSv1.2 TLSv1.3; | |
| ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; | |
| ssl_prefer_server_ciphers off; | |
| ssl_dhparam /etc/nginx/dhparams.pem; | |
| add_header X-Frame-Options "SAMEORIGIN"; | |
| add_header X-XSS-Protection "1; mode=block"; | |
| add_header X-Content-Type-Options "nosniff"; | |
| index index.html index.htm index.php; | |
| charset utf-8; | |
| # FORGE CONFIG (DO NOT REMOVE!) | |
| include forge-conf/www.example.com/server/*; | |
| if ($cloudflare_ip != 1) { | |
| return 403; | |
| } | |
| location / { | |
| try_files $uri $uri/ /index.php?$query_string; | |
| } | |
| location = /favicon.ico { access_log off; log_not_found off; } | |
| location = /robots.txt { access_log off; log_not_found off; } | |
| access_log off; | |
| error_log /var/log/nginx/www.example.com-error.log error; | |
| error_page 404 /index.php; | |
| location ~ \.php$ { | |
| fastcgi_split_path_info ^(.+\.php)(/.+)$; | |
| fastcgi_pass unix:/var/run/php/php8.3-fpm.sock; | |
| fastcgi_index index.php; | |
| include fastcgi_params; | |
| } | |
| location ~ /\.(?!well-known).* { | |
| deny all; | |
| } | |
| } | |
| # FORGE CONFIG (DO NOT REMOVE!) | |
| include forge-conf/www.example.com/after/*; | |
Author
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Periodically needs to be updated from https://www.cloudflare.com/en-gb/ips/