SWAG :: How to only allow Cloudflare IPs? [SWAG, fail2ban, Authelia]

I’ve spent a few days trying to get SWAG to only allow Cloudflare IPs. I found this post from a couple years ago: Swag only allow cloudflare IP

I attempted to do the same thing, obviously updating the ignoreip values to be the current CF IPs. I also added the LSIO container mod cloudflare_real-ip to my SWAG container. But when I try to connect to one of my subdomains, I get a 400 Bad Request error.

It seems to be directly tied to adding the following to the ssl.conf file:

ssl_client_certificate /config/keys/cloudflare.crt;
ssl_verify_client on;
error_log /config/log/nginx/cert.log info;

When I comment that out, my proxies work again.
I’m also noticing these errors repeatedly in the cert.log file:

2024/11/21 13:54:32 [info] 942#942: *3137 client SSL certificate verify error: (21:unable to verify the first certificate) while reading client request headers, client: 172.70.207.60, server: abc.*, request: "GET /api/v3/command HTTP/2.0", host: "abc.domain.com", referrer: "https://abc.domain.com/"

2024/11/21 13:54:55 [info] 942#942: *3137 client SSL certificate verify error: (21:unable to verify the first certificate) while reading client request headers, client: 172.70.207.60, server: abc.*, request: "GET /api/v3/command HTTP/2.0", host: "abc.domain.com", referrer: "https://abc.domain.com/"

2024/11/21 13:54:56 [info] 942#942: *3137 client SSL certificate verify error: (21:unable to verify the first certificate) while reading client request headers, client: 172.70.207.60, server: abc.*, request: "GET / HTTP/2.0", host: "abc.domain.com"

Also, just for the full spec list, I’m also using Authelia for MFA. When testing, I temporarily removed the Authelia auth and still got the 400 error with my site not accessible. Pretty sure Authelia is not preventing this from working, but figured I’d mention it just in case.

Does anyone know how to make this work? Lastly, I’m fairly new to nginx and general webserver admin of any kind, so I’m not quite sure how to test further.
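A way to triage the cert.log entries quoted above, as an added example that is not part of the original post: it groups client-certificate failures by whether the peer is a Cloudflare address and by failure type. The function names, the hard-coded IPv4 range snapshot, and the sample lines are assumptions made for this sketch.

```python
import ipaddress
import re
from collections import Counter

# Assumption: snapshot of Cloudflare's published IPv4 ranges; refresh it from
# https://www.cloudflare.com/ips-v4 before relying on the result.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# OpenSSL code 21: a certificate was presented but could not be chained to a CA
# in the file given to ssl_client_certificate.
VERIFY_ERR = re.compile(
    r"client SSL certificate verify error: \((?P<code>\d+):(?P<text>[^)]*)\)"
    r".*?client: (?P<ip>[0-9a-fA-F.:]+),")
# nginx logs this message instead when the peer presents no certificate at all.
NO_CERT = re.compile(r"client sent no required SSL certificate.*?client: (?P<ip>[0-9a-fA-F.:]+),")

def is_cloudflare(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

def triage(lines):
    """Count (source, outcome) pairs for client-certificate failures."""
    counts = Counter()
    for line in lines:
        m = VERIFY_ERR.search(line)
        if m:
            outcome = f"verify error {m['code']} ({m['text']})"
        else:
            m = NO_CERT.search(line)
            if not m:
                continue
            outcome = "no certificate sent"
        source = "cloudflare" if is_cloudflare(m["ip"]) else "other"
        counts[(source, outcome)] += 1
    return counts

# Constructed sample: two lines shaped like the cert.log entries above, plus one
# constructed direct-to-origin request that presents no certificate.
SAMPLE = [
    '2024/11/21 13:54:32 [info] 942#942: *3137 client SSL certificate verify error: (21:unable to verify the first certificate) while reading client request headers, client: 172.70.207.60, server: abc.*, request: "GET /api/v3/command HTTP/2.0", host: "abc.domain.com"',
    '2024/11/21 13:54:56 [info] 942#942: *3137 client SSL certificate verify error: (21:unable to verify the first certificate) while reading client request headers, client: 172.70.207.60, server: abc.*, request: "GET / HTTP/2.0", host: "abc.domain.com"',
    '2024/11/21 13:55:10 [info] 942#942: *3140 client sent no required SSL certificate while reading client request headers, client: 203.0.113.7, server: abc.*, request: "GET / HTTP/2.0", host: "abc.domain.com"',
]
if __name__ == "__main__":
    print(dict(triage(SAMPLE)))
```

Entries that land in the cloudflare / verify error 21 bucket point at the CA file configured in ssl_client_certificate rather than at the source of the traffic.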