From a35c6eafb18dbfa84d3707fe029bac74ab492c40 Mon Sep 17 00:00:00 2001
From: Justin Geibel
Date: Mon, 18 Nov 2019 21:36:05 -0500
Subject: [PATCH] Add CloudFront IP ranges as trusted for real_ip

This change will allow nginx to recurse past the CloudFront IP addresses and store the correct client IP address in `$remote_addr`. It is important that the correct client IP is available for rate limiting on the publish endpoint and logging. This list will need to be updated periodically.
---
 config/nginx.conf.erb | 70 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)

diff --git a/config/nginx.conf.erb b/config/nginx.conf.erb
index c12f5336bcd..1067911f9f4 100644
--- a/config/nginx.conf.erb
+++ b/config/nginx.conf.erb
@@ -14,6 +14,76 @@ http {
 real_ip_header X-Forwarded-For;
 real_ip_recursive on;
+ # CloudFront IP addresses from http://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips
+ # Last updated: 2019-11-18
+ set_real_ip_from 144.220.0.0/16;
+ set_real_ip_from 52.124.128.0/17;
+ set_real_ip_from 54.230.0.0/16;
+ set_real_ip_from 54.239.128.0/18;
+ set_real_ip_from 52.82.128.0/19;
+ set_real_ip_from 99.84.0.0/16;
+ set_real_ip_from 204.246.172.0/24;
+ set_real_ip_from 205.251.192.0/19;
+ set_real_ip_from 54.239.192.0/19;
+ set_real_ip_from 70.132.0.0/18;
+ set_real_ip_from 13.32.0.0/15;
+ set_real_ip_from 13.224.0.0/14;
+ set_real_ip_from 13.35.0.0/16;
+ set_real_ip_from 204.246.164.0/22;
+ set_real_ip_from 204.246.168.0/22;
+ set_real_ip_from 71.152.0.0/17;
+ set_real_ip_from 216.137.32.0/19;
+ set_real_ip_from 205.251.249.0/24;
+ set_real_ip_from 99.86.0.0/16;
+ set_real_ip_from 52.46.0.0/18;
+ set_real_ip_from 52.84.0.0/15;
+ set_real_ip_from 204.246.173.0/24;
+ set_real_ip_from 130.176.0.0/16;
+ set_real_ip_from 64.252.64.0/18;
+ set_real_ip_from 204.246.174.0/23;
+ set_real_ip_from 64.252.128.0/18;
+ set_real_ip_from 205.251.254.0/24;
+ set_real_ip_from 143.204.0.0/16;
+ set_real_ip_from 205.251.252.0/23;
+ set_real_ip_from 204.246.176.0/20;
+ set_real_ip_from 13.249.0.0/16;
+ set_real_ip_from 54.240.128.0/18;
+ set_real_ip_from 205.251.250.0/23;
+ set_real_ip_from 52.222.128.0/17;
+ set_real_ip_from 54.182.0.0/16;
+ set_real_ip_from 54.192.0.0/16;
+ set_real_ip_from 13.124.199.0/24;
+ set_real_ip_from 34.226.14.0/24;
+ set_real_ip_from 52.15.127.128/26;
+ set_real_ip_from 35.158.136.0/24;
+ set_real_ip_from 52.57.254.0/24;
+ set_real_ip_from 18.216.170.128/25;
+ set_real_ip_from 13.52.204.0/23;
+ set_real_ip_from 13.54.63.128/26;
+ set_real_ip_from 13.59.250.0/26;
+ set_real_ip_from 13.210.67.128/26;
+ set_real_ip_from 35.167.191.128/26;
+ set_real_ip_from 52.47.139.0/24;
+ set_real_ip_from 52.199.127.192/26;
+ set_real_ip_from 52.212.248.0/26;
+ set_real_ip_from 52.66.194.128/26;
+ set_real_ip_from 13.113.203.0/24;
+ set_real_ip_from 99.79.168.0/23;
+ set_real_ip_from 34.195.252.0/24;
+ set_real_ip_from 35.162.63.192/26;
+ set_real_ip_from 34.223.12.224/27;
+ set_real_ip_from 52.56.127.0/25;
+ set_real_ip_from 34.223.80.192/26;
+ set_real_ip_from 13.228.69.0/24;
+ set_real_ip_from 34.216.51.0/25;
+ set_real_ip_from 3.231.2.0/25;
+ set_real_ip_from 54.233.255.128/26;
+ set_real_ip_from 18.200.212.0/23;
+ set_real_ip_from 52.52.191.128/26;
+ set_real_ip_from 52.78.247.128/26;
+ set_real_ip_from 52.220.191.0/26;
+ set_real_ip_from 34.232.163.208/29;
+
 gzip on;
 gzip_comp_level 2;
 gzip_proxied any;
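Review bot: The comment above the new `set_real_ip_from` block records a plain `http://` source for the list, and every range in that list is one nginx will skip when choosing `$remote_addr`, so a refresh fetched over an unauthenticated channel can widen what the publish rate limit trusts. I would record the TLS form instead, `# CloudFront IP addresses from https://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips`, and add a second comment line saying that a refresh replaces the whole block, since a range CloudFront no longer uses stays trusted here until it is deleted. Moving the 67 directives into a generated file pulled in with `include` would keep each refresh a mechanical diff and keep the trust list out of the hand-edited config. The `http { … }` block starts and ends outside the hunk, so any other `set_real_ip_from` entries are not visible here.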