Version: 4.1

Protecting the Control Server with Cloudflare

You may use Cloudflare to protect your control server. You should set Cloudflare up like any other website.

Things to Note

Make sure VirtFusion has a valid SSL certificate per the installation instructions and enable the Full (strict) option for SSL/TLS in Cloudflare.

Do NOT enable Rocket Loader™ under Speed > Optimization. It will cause full page loads.

Detecting the User's Real IP in VirtFusion

All connections to VirtFusion will originate from one of the Cloudflare IP ranges, which makes it difficult to detect the real IP of the connecting user. You can overcome this by adding the Cloudflare IP ranges to the control server's NGINX configuration. NGINX will then take the client address from the X-Forwarded-For header, but only for connections that arrive from one of those ranges.

On the control server via SSH:

nano -w /opt/virtfusion/nginx/conf/nginx.conf 

Add the following in the http { section:

set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;
real_ip_header X-Forwarded-For;

Then restart NGINX:

systemctl restart vf-nginx

The IP ranges above may change from time to time. All the latest Cloudflare ranges can be referenced here.
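Because the ranges change, the block above has to be regenerated from time to time. The following is an added example, not part of the VirtFusion documentation: it renders the directives from a list with one CIDR per line (the format of Cloudflare's published plain-text range lists) and refuses any line that is not a plain CIDR, so nothing else can reach nginx.conf. The function names and the MIN_PREFIX bound are assumptions made for this example.

```shell
#!/bin/sh
# Added example: render the set_real_ip_from block from a list of CIDR ranges.

# Syntactic allowlist: one IPv4 or IPv6 CIDR and nothing else on the line,
# so stray text in the input can never end up inside nginx.conf.
CIDR_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$|^[0-9A-Fa-f]*:[0-9A-Fa-f:]*/[0-9]{1,3}$'

# Assumed sanity bound (not from the page): a range broader than /8 would make
# NGINX honour X-Forwarded-For from far more than a CDN's address space.
MIN_PREFIX=8

# Succeeds only if $1 looks like a CIDR and is no broader than MIN_PREFIX.
is_trustable_cidr() {
    printf '%s\n' "$1" | grep -Eq "$CIDR_RE" || return 1
    [ "${1##*/}" -ge "$MIN_PREFIX" ]
}

# Reads CIDRs on stdin and writes the NGINX directives on stdout.
# Prints nothing and returns 1 if any non-empty line is rejected.
render_realip() {
    out=""
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        if ! is_trustable_cidr "$line"; then
            echo "refusing unexpected entry: $line" >&2
            return 1
        fi
        out="${out}set_real_ip_from ${line};
"
    done
    printf '%sreal_ip_header X-Forwarded-For;\n' "$out"
}

# Constructed sample input: two of the ranges listed above.
printf '173.245.48.0/20\n2400:cb00::/32\n' | render_realip
```

Compare the rendered output with the lines currently in the http { section before replacing them, then restart NGINX as described above.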