Description
After the initial startup, I encountered the following error:
nginx: [emerg] invalid number of arguments in "set_real_ip_from" directive in /etc/nginx/conf.d/include/ipranges.conf:13585
I investigated the issue and checked the end of the configuration file, where I found:
# Cloudflare Ranges from: https://www.cloudflare.com/ips-v4
set_real_ip_from <!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><>
# Cloudflare Ranges from: https://www.cloudflare.com/ips-v6
set_real_ip_from <!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><>
I'm reporting this as a bug.
Many VPS IP ranges are not trusted by Cloudflare, so requests to https://www.cloudflare.com/ips-v4 or /ips-v6 get intercepted by Cloudflare's "5-second challenge" (interstitial page), causing the actual IP lists to be replaced with HTML content. This breaks the Nginx configuration.
I suggest hardcoding Cloudflare's IP ranges in the image or build artifact. Alternatively, during the CI/CD pipeline before each release, automatically fetch the latest Cloudflare IP ranges (and other dynamic upstream IP lists) and embed them into the configuration. This would ensure the config always contains valid CIDR blocks—not HTML error pages—regardless of the deployment environment.
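The failure reported above can be prevented by validating the fetched body before any `set_real_ip_from` line is written. The following is an added example, not code from the original report or from the project; the function names, the fallback list and the sample ranges (documentation prefixes, not Cloudflare's real ranges) are assumptions.

```python
import ipaddress

# Constructed sample inputs: documentation prefixes stand in for a real range list,
# and the challenge body mirrors the HTML seen in the broken ipranges.conf.
GOOD_BODY = "192.0.2.0/24\n198.51.100.0/24\n2001:db8::/32\n"
CHALLENGE_BODY = '<!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title>'
# Hypothetical list embedded at build time, used when the live fetch is unusable.
LAST_KNOWN_GOOD = ["203.0.113.0/24"]


def parse_cidr_list(body):
    """Return canonical CIDR strings; raise ValueError if any line is not a network."""
    networks = []
    for lineno, raw in enumerate(body.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            # strict=True also rejects entries with host bits set, e.g. 192.0.2.1/24
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            raise ValueError(f"line {lineno} is not a CIDR block: {line[:40]!r}") from None
        networks.append(str(net))
    if not networks:
        raise ValueError("response contained no CIDR blocks")
    return networks


def render_real_ip_conf(source_url, body, last_known_good):
    """Build the nginx fragment; one bad line rejects the whole response."""
    try:
        networks, origin = parse_cidr_list(body), source_url
    except ValueError:
        # Never write unvalidated text into the config; use the embedded list instead.
        networks, origin = list(last_known_good), f"embedded fallback, fetch from {source_url} rejected"
    lines = [f"# Ranges from: {origin}"]
    lines += [f"set_real_ip_from {net};" for net in networks]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    url = "https://www.cloudflare.com/ips-v4"
    print(render_real_ip_conf(url, GOOD_BODY, LAST_KNOWN_GOOD))
    print(render_real_ip_conf(url, CHALLENGE_BODY, LAST_KNOWN_GOOD))
```

Running `nginx -t` against the rendered file before reloading gives a second check that the fragment parses.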