File nginx-cf-realip.spec of Package nginx-cf-realip
Name: nginx-cf-realip
Version: 1.0.1
Release: 1%{?dist}
Summary: NGINX dynamic module for Cloudflare real IP restoration
License: MIT
URL: https://github.com/RumenDamyanov/nginx-cf-realip
Source0: %{name}-%{version}.tar.gz
BuildRequires: gcc
BuildRequires: openssl-devel
BuildRequires: libcurl-devel
Recommends: nginx >= 1.18.0
Requires: libcurl
Requires: openssl-libs
%description
This NGINX module automatically fetches and maintains Cloudflare's
IPv4 and IPv6 IP ranges, enabling accurate real client IP address
restoration when behind Cloudflare's reverse proxy network.

Features:
* Automatic periodic fetch of Cloudflare IP ranges (IPv4/IPv6)
* Secure HTTPS-only fetching with host validation
* Content hashing to detect changes (SHA-256)
* Atomic configuration updates via temporary files
* Exponential backoff on fetch failures
* Zero external runtime dependencies (embedded fetcher)
* Dynamic module loading (no NGINX recompilation needed)

The module uses libcurl for HTTPS fetching and OpenSSL for SHA-256
hashing. It generates nginx configuration snippets that can be
included to trust Cloudflare's proxy IPs and restore original
client addresses from X-Forwarded-For headers.
%prep
%setup -q
%build
# Use vendored NGINX headers with pre-generated config (nginx-torblocker proven approach)
# Note: NGINX checks the version and signature compiled into a dynamic module
# against the running binary when the module is loaded.
NGINX_VERSION="1.27.0"
VENDORED_NGINX="%{_builddir}/%{name}-%{version}/vendor/nginx-${NGINX_VERSION}"
# Verify vendored headers and pre-generated config exist; fail the build otherwise
test -d "${VENDORED_NGINX}/src/core" || \
    { echo "ERROR: Vendored NGINX headers not found in tarball" >&2; exit 1; }
test -f "${VENDORED_NGINX}/objs/ngx_auto_config.h" || \
    { echo "ERROR: Pre-generated ngx_auto_config.h not found in tarball" >&2; exit 1; }
# Direct gcc compilation using pre-generated headers (nginx-torblocker proven approach)
gcc %{optflags} -shared -fPIC -o ngx_http_cf_realip_module.so \
    -I"${VENDORED_NGINX}/src/core" \
    -I"${VENDORED_NGINX}/src/event" \
    -I"${VENDORED_NGINX}/src/event/modules" \
    -I"${VENDORED_NGINX}/src/http" \
    -I"${VENDORED_NGINX}/src/http/modules" \
    -I"${VENDORED_NGINX}/src/os/unix" \
    -I"${VENDORED_NGINX}/objs" \
    src/ngx_http_cf_realip_module.c \
    %{?__global_ldflags} -lcurl
%install
# Install module to standard location
NGINX_MODULEDIR="%{_libdir}/nginx/modules"
# Install module (built in build directory, not vendor/nginx/objs/)
install -d %{buildroot}${NGINX_MODULEDIR}
install -m 0755 ngx_http_cf_realip_module.so \
    %{buildroot}${NGINX_MODULEDIR}/
# Install documentation
install -d %{buildroot}%{_docdir}/%{name}
install -m 0644 README.md %{buildroot}%{_docdir}/%{name}/
# Install example configuration
install -d %{buildroot}%{_docdir}/%{name}/examples
install -m 0644 conf/example.conf %{buildroot}%{_docdir}/%{name}/examples/
%files
%license LICENSE.md
%doc README.md
%doc %{_docdir}/%{name}/examples/example.conf
%dir %{_libdir}/nginx
%dir %{_libdir}/nginx/modules
%{_libdir}/nginx/modules/ngx_http_cf_realip_module.so
%dir %{_docdir}/%{name}/examples
%post
cat <<EOF
==========================================
nginx-cf-realip module installed!
==========================================

To load this module, add to /etc/nginx/nginx.conf (top-level, before http block):

    load_module modules/ngx_http_cf_realip_module.so;

Then configure the module directives. See example:

    %{_docdir}/%{name}/examples/example.conf

After configuration, test and reload NGINX:

    nginx -t && systemctl reload nginx

==========================================
EOF
%changelog
* Mon Oct 06 2025 Rumen Damyanov <contact@rumenx.com> - 1.0.1-1
- New upstream release 1.0.1
- Automatic Cloudflare IP range synchronization
- SHA-256 content verification for IP list changes
- Exponential backoff retry logic for fetch failures
- Atomic configuration file updates via temporary files
- HTTPS-only fetching with strict host validation
- Support for both IPv4 and IPv6 Cloudflare ranges
- Dynamic module compatible with NGINX 1.18.0+
* Thu Jun 05 2025 Rumen Damyanov <contact@rumenx.com> - 1.0.0-1
- Initial RPM release
- Basic Cloudflare IP range fetching
- Real IP header restoration support