Updating Cloudflare Real IPs
Configuring Daily Real IP Updates
GridPane provides a common configuration and they do update real IPs regularly, but you can set the following up to update these every day.
STEP 1. CREATE THE DAILY UPDATE SHELL SCRIPT
This shell script will contact the Cloudflare servers once a day and create a new, updated list of their server blocks. The script then restarts Nginx once the update has completed successfully.
nano /opt/gridpane/cloudflare-updates.sh
Save that file with CTRL+O followed by Enter, then exit nano with CTRL+X.
Then from the command line enter:
chmod +x /opt/gridpane/cloudflare-updates.sh
GridPane Includes
GridPane automatically loads the cloudflare-realip.conf into Nginx. Each individual website's vhost contains this include:
include /etc/nginx/common/gridpane-realip.conf;
And this include contains:
include /etc/nginx/common/*cloudflare-realip.conf;
STEP 2. CREATE A CRONJOB TO RUN THE SHELL SCRIPT
We need to set our new script to update every day, as Cloudflare publishes new IP addresses every day.
Edit your crontab with:
crontab -e
Paste the following two lines at the bottom of the file:
#This script updates the list of Cloudflare servers every day at midnight, server time.
0 0 * * * /opt/gridpane/cloudflare-updates.sh
Save the file with CTRL+O followed by Enter, and exit nano with CTRL+X.
You’ll now always see the original IP addresses in your log files instead of all your traffic looking like it originated at Cloudflare.
If you ever do need forensic analysis or SEO analysis, you’ll be working with correct data.
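The body of the Step 1 script is not shown on this page. The script below is an added example (not GridPane's own script) of an updater that never lets a bad download reach Nginx: every fetched line must look like a CIDR range, because each range written here is trusted to set the client IP, and the previous list is restored if nginx -t rejects the new one. The file name in CONF, the two Cloudflare list URLs, the CF-Connecting-IP header choice and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not GridPane's script. CONF is an assumed file name chosen
# to match the include glob /etc/nginx/common/*cloudflare-realip.conf.
CONF=/etc/nginx/common/cloudflare-realip.conf
URLS="https://www.cloudflare.com/ips-v4 https://www.cloudflare.com/ips-v6"

# Shape check: only an IPv4 or IPv6 network in CIDR form may reach the config.
valid_cidr() {
  printf '%s\n' "$1" | grep -Eq \
    '^(([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])|[0-9A-Fa-f:]*:[0-9A-Fa-f:]*/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8]))$'
}

# Reads one range per line on stdin and prints the Nginx include.
# Fails closed: an unexpected line or an empty list prints nothing.
build_realip_conf() {
  count=0; out=""
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | tr -d '\r')
    [ -n "$line" ] || continue
    valid_cidr "$line" || { echo "rejected: $line" >&2; return 1; }
    out="${out}set_real_ip_from $line;
"
    count=$((count + 1))
  done
  [ "$count" -gt 0 ] || { echo "no ranges received" >&2; return 1; }
  printf '%sreal_ip_header CF-Connecting-IP;\n' "$out"
}

# Download, validate, swap the file in, reload only if Nginx accepts it.
update_realip() {
  raw=$(mktemp) || return 1
  new=$(mktemp "$CONF.XXXXXX") || { rm -f "$raw"; return 1; }
  for url in $URLS; do
    { curl -fsS --max-time 20 "$url" && echo; } >> "$raw" ||
      { rm -f "$raw" "$new"; return 1; }
  done
  build_realip_conf < "$raw" > "$new" || { rm -f "$raw" "$new"; return 1; }
  rm -f "$raw"; chmod 644 "$new"
  [ ! -f "$CONF" ] || cp -p "$CONF" "$CONF.bak"
  mv "$new" "$CONF"
  nginx -t && gp ngx reload && return 0
  mv "$CONF.bak" "$CONF" 2>/dev/null || rm -f "$CONF"   # back to last good list
  return 1
}

# Only run when invoked as the Step 1 script, so the functions stay testable.
case "$0" in *cloudflare-updates.sh) update_realip ;; esac
```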
Setup ShortPixel to Serve WebP Images on Nginx
CREATE WEBP-MAPPINGS.CONF
Create the file with the following command:
nano /etc/nginx/conf.d/webp-mappings.conf
Paste the following block of code:
map $http_accept $webp_suffix {
default "";
"~*webp" ".webp";
}
Create webp-main-context.conf
CREATE A SERVER-WIDE CONFIGURATION
The code supplied by ShortPixel themselves only works on individual sites. We've modified it so that you can set it live for all your sites in one go and then never need to worry about it again.
To set this up, we need to create a file called shortpixel-webp-main-context.conf in the /etc/nginx/extra.d/ directory.
Create the file with the following command:
nano /etc/nginx/extra.d/shortpixel-webp-main-context.conf
Paste the following block of code:
location ~* ^(/wp-content/.+)\.(png|jpe?g)$ {
    # $1 is the path without its extension, $2 is the extension
    set $base $1;
    set $webp_uri $base$webp_suffix;
    set $webp_old_uri $base.$2$webp_suffix;
    add_header Vary Accept;
    # Debug header: reports the WebP path that was not found on disk
    if ( !-f $document_root$webp_uri ) {
        add_header X_WebP_GP_Miss $document_root$webp_uri;
    }
    try_files $webp_uri $webp_old_uri $uri =404;
}
Check and reload Nginx
Finally, we need to check if the conf files are correct then reload Nginx.
Test your nginx syntax with:
nginx -t
If there are no errors present, reload nginx with the following command:
gp ngx reload
If WebP images still aren't being served as you expected, please double check your PHP version. If you're still on 7.2, upgrading to 7.3 is both a good idea and may help resolve this issue for you.
Using Fail2Ban with Cloudflare
UPDATE THE CLOUDFLARE.CONF
Run the following command to create our new config:
nano /etc/fail2ban/action.d/gpcloudflare.conf
Now copy and paste the info from the GitHub page to add the latest, up-to-date cloudflare.conf code.
Leave the nano editor open and move on to step 4 below to add your Cloudflare account details.
ADD YOUR CLOUDFLARE DETAILS TO CLOUDFLARE.CONF
Still inside the gpcloudflare.conf, scroll down to the bottom of the file with your down arrow key. Here you’ll see the following:

We need to enter our API details:
- cftoken = API-Token
- cfuser = email@address.com
Ctrl+O and then press enter to save the file. Then Ctrl+X to exit nano.
UPDATE JAIL.LOCAL
We also need to edit the jail.local file to add the Cloudflare action. To edit the file, use the following command:
nano /etc/fail2ban/jail.local
Here we need to add the following to each of our jails (make sure that the second action line is tabbed over, so that Fail2Ban reads it as a continuation of the action setting):
action = gpcloudflare
         iptables-allports

RELOAD FAIL2BAN
Now we need to check your syntax and reload Fail2Ban for our changes to take effect:
fail2ban-client -d && service fail2ban restart