🔒 The Problem

If you use a CDN (such as EdgeOne or Cloudflare), you must ensure that only the CDN can reach your origin server. If the origin IP is exposed and the origin accepts connections from anyone, attackers can skip the CDN entirely, bypassing the WAF and hitting you with DDoS traffic directly.

Maintaining the IP whitelist by hand is a nightmare, because CDN providers change their published IP ranges frequently.


✅ The Solution: CdnOriginUpdater

CdnOriginUpdater is a "set and forget" bash tool that:

  1. Fetches the latest IP ranges from the EdgeOne/Cloudflare API.
  2. Generates a valid Nginx allow/deny config.
  3. Atomically replaces the config file (prevents partial reads).
  4. Safely reloads Nginx, and only if the config passes validation.

🛠️ Installation & Config

1. Install

curl -fsSL https://raw.githubusercontent.com/yuanweize/CdnOriginUpdater/main/update_edgeone_allow.sh -o /usr/local/bin/update_cdn_ip.sh
chmod +x /usr/local/bin/update_cdn_ip.sh

2. Configure Nginx

In your nginx.conf or vhost:

server {
    listen 80;

    # Include the generated whitelist: "allow <cdn-range>;" lines followed by "deny all;"
    include /etc/nginx/conf.d/cdn_allow.conf;

    location / {
        # Your app logic
    }
}

3. Set Cron Job

Run it every hour so the whitelist never lags far behind the provider's published ranges.

# Add to root's crontab (crontab -e); the script writes under /etc/nginx and reloads Nginx
0 * * * * EDGEONE_IPS_URL="https://api.edgeone.ai/ips" OUT="/etc/nginx/conf.d/cdn_allow.conf" /usr/local/bin/update_cdn_ip.sh

🛡️ Atomic Updates

The script uses a temporary-file strategy:

  1. Writes the new config to cdn_allow.conf.tmp.
  2. Runs nginx -t to verify the syntax.
  3. If the check passes, moves .tmp to .conf (an atomic mv).
  4. Reloads Nginx.

This ensures your site never breaks because of a bad download or a half-written file: Nginx only ever sees the complete old config or the complete new one.
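The render, validate and atomic-install steps above, as an added bash example that is not the CdnOriginUpdater script itself. It assumes a constructed inline list of ranges in place of the API download, and a caller-supplied validator command that is invoked with the candidate file's path (in production, a wrapper around nginx -t).

```bash
#!/usr/bin/env bash
# Added example, not the CdnOriginUpdater script: the "fetch -> render
# allow/deny -> validate -> atomic mv" steps, runnable offline.
set -eu

# Constructed stand-in for the CDN IP-range API response (one CIDR per
# line), with one junk line to show that bad input never reaches nginx.
SAMPLE_RANGES='203.0.113.0/24
198.51.100.0/22
2001:db8::/32
not-an-ip
'

# Keep only lines that look like IPv4/IPv6 CIDRs; everything else is dropped
# so an HTML error page or a truncated download cannot become a directive.
filter_cidrs() {
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$|^[0-9a-fA-F:]+/[0-9]{1,3}$' || true
}

# Emit "allow <cidr>;" per range followed by "deny all;". An empty range list
# is refused: installing it would lock the CDN out of the origin.
render_allow_conf() {
  local count=0 cidr
  while IFS= read -r cidr; do
    [ -n "$cidr" ] || continue
    printf 'allow %s;\n' "$cidr"
    count=$((count + 1))
  done
  [ "$count" -gt 0 ] || return 1
  printf 'deny all;\n'
}

# Write the candidate config to a temp file beside the target, run the
# caller-supplied validator on it (assumed interface: "$validator <path>",
# e.g. a wrapper around nginx -t), then mv it into place. Readers of the
# target only ever see the complete old file or the complete new one.
install_conf() {
  local out="$1" validator="$2" tmp
  tmp="$(mktemp "${out}.XXXXXX")"
  if ! printf '%s' "$SAMPLE_RANGES" | filter_cidrs | render_allow_conf >"$tmp"; then
    rm -f "$tmp"; return 1          # nothing usable fetched: keep old config
  fi
  if ! $validator "$tmp" >/dev/null 2>&1; then
    rm -f "$tmp"; return 1          # validation failed: keep old config
  fi
  mv -f "$tmp" "$out"               # atomic rename on the same filesystem
}
```

Because the temp file is created in the same directory as the target, the final mv is a rename rather than a copy, which is what makes the swap atomic.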