Anyone have experience using BunnyCDN in front of HestiaCP?

My main purpose is to make use of their WAF. The reason I don't use CF is that they have a 100 MB upload limit which cannot be bypassed when only using their WAF.

As far as I know, HestiaCP is pre-configured to accept CF as a trusted proxy. May I know, if using Bunny, what I should configure so that HestiaCP gets the real IP, traffic, etc. from BunnyCDN for my HestiaCP console/website/docker (installed separately)?

Thanks

Take the Cloudflare configuration file (/etc/nginx/conf.d/cloudflare.inc) as a base and create a new one for Bunny CDN IPs (/etc/nginx/conf.d/bunny.inc).

Also, change this:

real_ip_header CF-Connecting-IP;

to this:

real_ip_header X-Real-IP;

Edit /etc/nginx/nginx.conf and comment out the include pointing to cloudflare.inc and add an include for bunny.inc

        # Cloudflare IPs
        #include                         /etc/nginx/conf.d/cloudflare.inc;
        # Bunny IPs
        include                         /etc/nginx/conf.d/bunny.inc;

After that, restart nginx.

systemctl restart nginx

Notes:

1.- Keep in mind that, by default, you can only use one CDN to extract the real IP. If you want to use multiple CDNs, you need to recompile Nginx with the headers_more module and configure the .inc file differently. I made a script to get the IPs from Cloudflare, Bunny and Fastly and configure the inc file automatically, but, as I said, you must recompile Nginx first.

2.- You must create a script to update Bunny CDN IPs and populate the .inc file, as they change frequently. Just in case, Bunny IPv4 list and Bunny IPv6 list.

4 Likes

Thanks, so if I only use Bunny and don't use CF, then there's no need to recompile and I just follow your instructions above to trust Bunny instead?

Actually, I am not going to use their CDN; I only want to use their WAF service. But I think I need to point my server to their IPs, so trusting them may be required anyway? Am I right?

1 Like

Correct.

Yes and yes :wink:

Are you personally using CF or Bunny, on a free or paid plan? Or can we chat about this via PM? Thanks

I use Bunny but only to host DNS for several domains and don’t use it as CDN.

Oh. Because when I asked Bunny support, they said that to use their Shield WAF you have to use their CDN anyway. So if you only use it for DNS, that means you are not using their WAF?

Yes, I only use DNS, no CDN/WAF and yes, to use WAF you must use it as CDN.

Good morning, I initially only used Cloudflare, but in Spain we’re experiencing Cloudflare blocks on weekends from internet providers due to a court order from LaLiga, the Spanish football league.

Currently I use Cloudflare and Bunny, but I’m planning to switch everything to Bunny. Could you share the script for updating IPs and provide instructions?

Thank you very much.

Keep in mind that LaF**Liga also blocks other CDNs, not only Cloudflare.

My script covers Cloudflare, Bunny and Fastly and it uses the headers_more module. If you only plan to switch from Cloudflare to Bunny, I should change the script to only cover Bunny and change the logic to not use headers_more; if I have time I'll do it in a while and post it here.

Here is the script update_ips_cdns_nginx_bunny

#!/usr/bin/env bash
# shellcheck disable=SC2129,SC2016
set -euo pipefail
basedir="/var/lib/update_ips_cdn_nginx"
mkdir -p "$basedir"
save_bunny_v4="$basedir/bunny_v4.list"
save_bunny_v6="$basedir/bunny_v6.list"
foutput="/etc/nginx/conf.d/bunny.inc"
must_update=false

# Bunny
bunny_v4="$(curl -fsSLm60 https://bunnycdn.com/api/system/edgeserverlist | jq -r '.[]' | sort -V)"
md5_bunny_v4="$(md5sum <<<"$bunny_v4" | cut -d ' ' -f1)"
if [[ -f "$save_bunny_v4" ]]; then
    saved_md5_bunny_v4="$(head -n1 "$save_bunny_v4")"
    if [[ "$md5_bunny_v4" != "$saved_md5_bunny_v4" ]]; then
        echo "Must update bunny v4"
        echo "$md5_bunny_v4" >"$save_bunny_v4"
        must_update=true
    fi
else
    echo "Must update bunny v4"
    echo "$md5_bunny_v4" >"$save_bunny_v4"
    must_update=true
fi
bunny_v6="$(curl -fsSLm60 https://bunnycdn.com/api/system/edgeserverlist/IPv6/ | jq -r '.[]' | sort -V)"
md5_bunny_v6="$(md5sum <<<"$bunny_v6" | cut -d ' ' -f1)"
if [[ -f "$save_bunny_v6" ]]; then
    saved_md5_bunny_v6="$(head -n1 "$save_bunny_v6")"
    if [[ "$md5_bunny_v6" != "$saved_md5_bunny_v6" ]]; then
        echo "Must update bunny v6"
        echo "$md5_bunny_v6" >"$save_bunny_v6"
        must_update=true
    fi
else
    echo "Must update bunny v6"
    echo "$md5_bunny_v6" >"$save_bunny_v6"
    must_update=true
fi
bunny_all="${bunny_v4}"$'\n'"${bunny_v6}"

if ! $must_update; then
    exit
fi

bunny1=""
echo "Updating $foutput"

# Bunny
while IFS= read -r line; do
    bunny1+="set_real_ip_from $line;\n"
done <<<"$bunny_all"
echo '# Bunny range' >"$foutput"
echo -e "$bunny1" >>"$foutput"
echo '' >>"$foutput"
echo "real_ip_header X-Real-IP;" >>"$foutput"

# Only restart on a valid configuration; otherwise report the error on
# stderr and exit non-zero so a cron job or caller notices the failure.
if ngtest="$(/usr/sbin/nginx -t 2>&1)"; then
    systemctl restart nginx
else
    echo "Nginx configuration error" >&2
    echo "$ngtest" >&2
    exit 1
fi

You must also perform this change:

Edit /etc/nginx/nginx.conf and comment out the include pointing to cloudflare.inc and add an include for bunny.inc

        # Cloudflare IPs
        #include                         /etc/nginx/conf.d/cloudflare.inc;
        # Bunny IPs
        include                         /etc/nginx/conf.d/bunny.inc;
2 Likes

Is it because Bunny's list is not in the proper format, so it needs to be processed instead of being put directly in the HestiaCP ipset list?

https://bunnycdn.com/api/system/edgeserverlist

The list must be parsed to get the right format, but the script I posted is not for adding them to an ipset; it is for creating the conf for Nginx to get the real IP of the connections coming from Bunny.

Good, thanks. So I should also add the following as a whitelist and only allow these to come through on 80/443?

https://api.bunny.net/system/edgeserverlist/plain

And one more question: how will the Let's Encrypt cert renewal work? After using BunnyCDN, is it auto-updated by Bunny or still through HestiaCP?

Thanks

If you’re only going to receive traffic on those ports from Bunny, then yes, you can whitelist Bunny’s IPs and configure your firewall to only allow inbound traffic on 80/443 from those Bunny IP addresses.

Just keep in mind that other services (for example webmail) won’t work if they’re accessed directly and you don’t add them to Bunny as well.

Both of them: Bunny will get the certificates to serve your site, but you can also issue your own certificates hosted by Hestia so communication between Bunny and your server is secure. You shouldn't need to do anything; it should work out of the box.
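The 80/443 whitelist discussed in this last exchange, as an added example that is not part of the thread and is not Bunny's or HestiaCP's code. It takes a list in the shape of the /plain endpoint linked above (the sample embedded in it is constructed from documentation ranges, not real Bunny edges), validates every entry, and emits an nftables ruleset that lets only those addresses reach 80/443. The table, set and chain names (bunny_origin, bunny_v4, bunny_v6) are my own choices:

```shell
#!/bin/sh
# Added example (not code from the thread or from Bunny/HestiaCP): build an
# nftables ruleset that accepts TCP 80/443 only from a Bunny edge-IP list in
# the plain format of https://api.bunny.net/system/edgeserverlist/plain
# (one address or CIDR per line) and drops those ports for everyone else.
# Each line is validated first, so a truncated or garbled download fails
# loudly instead of producing a ruleset that either locks the CDN out or
# leaves the origin reachable directly (which would bypass the WAF).
set -eu

# Constructed sample in the shape of the /plain endpoint. These are
# documentation ranges (RFC 5737 / RFC 3849), not real Bunny edges.
sample_list() {
    cat <<'EOF'
192.0.2.10
192.0.2.11
198.51.100.0/24
2001:db8::10
2001:db8:1::/48
EOF
}

# is_ipv4 ADDR: true for a.b.c.d or a.b.c.d/N with octets <= 255 and N <= 32.
is_ipv4() {
    v4_ip=${1%%/*}
    case $1 in */*) v4_pfx=${1#*/} ;; *) v4_pfx=32 ;; esac
    printf '%s\n' "$v4_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    case $v4_pfx in ''|*[!0-9]*) return 1 ;; esac
    [ "$v4_pfx" -le 32 ] || return 1
    v4_oldifs=$IFS; IFS=.
    for v4_octet in $v4_ip; do
        [ "$v4_octet" -le 255 ] || { IFS=$v4_oldifs; return 1; }
    done
    IFS=$v4_oldifs
}

# is_ipv6 ADDR: true for hex groups separated by colons (at most one "::"),
# optionally /N with N <= 128. Coarser than a full parser, but it rejects
# anything not shaped like an address.
is_ipv6() {
    v6_ip=${1%%/*}
    case $1 in */*) v6_pfx=${1#*/} ;; *) v6_pfx=128 ;; esac
    case $v6_pfx in ''|*[!0-9]*) return 1 ;; esac
    [ "$v6_pfx" -le 128 ] || return 1
    case $v6_ip in *:*) ;; *) return 1 ;; esac
    case $v6_ip in *::*::*|*:::*) return 1 ;; esac
    printf '%s\n' "$v6_ip" | grep -Eq '^([0-9A-Fa-f]{0,4}:)+[0-9A-Fa-f]{0,4}$'
}

# validate_list FILE: succeed only if every non-blank, non-comment line is a
# valid IPv4 or IPv6 entry; otherwise report the first offender and fail.
validate_list() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        if ! is_ipv4 "$line" && ! is_ipv6 "$line"; then
            echo "invalid entry in $1: '$line'" >&2
            return 1
        fi
    done < "$1"
}

# build_nft_ruleset FILE: print a ruleset for `nft -f`. The chain policy
# stays accept, so SSH, mail and the panel port are untouched; only 80/443
# are restricted to the Bunny sets.
build_nft_ruleset() {
    validate_list "$1" || return 1
    v4=''; v6=''
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        if is_ipv4 "$line"; then v4=${v4:+$v4, }$line; else v6=${v6:+$v6, }$line; fi
    done < "$1"
    echo 'table inet bunny_origin {'
    if [ -n "$v4" ]; then
        printf '    set bunny_v4 {\n        type ipv4_addr\n        flags interval\n        elements = { %s }\n    }\n' "$v4"
    fi
    if [ -n "$v6" ]; then
        printf '    set bunny_v6 {\n        type ipv6_addr\n        flags interval\n        elements = { %s }\n    }\n' "$v6"
    fi
    echo '    chain input {'
    echo '        type filter hook input priority 0; policy accept;'
    echo '        ct state established,related accept'
    if [ -n "$v4" ]; then echo '        tcp dport { 80, 443 } ip saddr @bunny_v4 accept'; fi
    if [ -n "$v6" ]; then echo '        tcp dport { 80, 443 } ip6 saddr @bunny_v6 accept'; fi
    echo '        tcp dport { 80, 443 } drop'
    echo '    }'
    echo '}'
}

# Stand-alone run on the constructed list. For real use, replace sample_list
# with: curl -fsS https://api.bunny.net/system/edgeserverlist/plain
demo_file=$(mktemp)
sample_list > "$demo_file"
build_nft_ruleset "$demo_file"
rm -f "$demo_file"
```

Review the output, load it with `nft -f`, and refresh it on the same schedule as the nginx .inc, since Bunny's list changes. Two caveats from the reply above still apply: any service on 80/443 that is reached directly (webmail, for example) must go through Bunny as well, and HestiaCP maintains its own iptables rules, so on a Hestia host feeding the validated list into Hestia's firewall ipset is usually preferable to loading a separate nftables table; the validation step is the same either way.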