From eedca01074a302855392cb66ce8d6276baa9691a Mon Sep 17 00:00:00 2001
From: sajenim
Date: Mon, 20 Nov 2023 12:07:15 +0800
Subject: [PATCH] trust cloudflare forward headers

---
 nixos/viridian/services/traefik/default.nix | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/nixos/viridian/services/traefik/default.nix b/nixos/viridian/services/traefik/default.nix
index e41cfad..96f4a75 100644
--- a/nixos/viridian/services/traefik/default.nix
+++ b/nixos/viridian/services/traefik/default.nix
@@ -73,6 +73,24 @@
 # Hypertext Transfer Protocol Secure
 websecure = {
 address = ":443";
+ # Trust cloudflares forwarded header information
+ forwardedHeaders.trustedIPs = [
+ "173.245.48.0/20"
+ "103.21.244.0/22"
+ "103.22.200.0/22"
+ "103.31.4.0/22"
+ "141.101.64.0/18"
+ "108.162.192.0/18"
+ "190.93.240.0/20"
+ "188.114.96.0/20"
+ "197.234.240.0/22"
+ "198.41.128.0/17"
+ "162.158.0.0/15"
+ "172.64.0.0/13"
+ "131.0.72.0/22"
+ "104.16.0.0/13"
+ "104.24.0.0/14"
+ ];
 # Requests wildcard SSL certs for our services
 http.tls = {
 certResolver = "lets-encrypt";
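Review bot: The `forwardedHeaders.trustedIPs` list added under `websecure` holds only IPv4 prefixes, so if the `:443` entrypoint also receives connections from Cloudflare's IPv6 edge addresses, Traefik will treat those as untrusted and, as far as I recall its forwarded-header handling, drop or replace their `X-Forwarded-*` values, leaving downstream IP-based middlewares seeing the edge address instead of the visitor. The list is also an undated snapshot of ranges Cloudflare publishes and revises, and nothing in the hunk records its origin, so drift will change behaviour silently. I would widen the comment to `# Trust forwarded headers only from Cloudflare's published edge ranges (IPv4 snapshot; add the IPv6 prefixes and re-check this list against Cloudflare's published IP list when it changes)` and add the IPv6 entries alongside the existing ones. The enclosing `websecure` attribute set closes outside the hunk.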