Trust Ogo exit IPs

If you run a security appliance or security software (especially one provided by your hosting company), you will probably need to add Ogo's exit IPs as trusted IPs, since your traffic will now exit through them.

You can find these trusted IPs here.

 

AWS

You will need to create a security group rule in your VPC with Ogo's exit IPs, for the HTTP (80) and HTTPS (443) protocols.

 

OVH

It is recommended to deactivate the Firewall option:
OVH Web Cloud > Hosting > mydomain.com > Multisite tab > Firewall > Disabled

 

CAA record

If your domain has a CAA record, be sure to allow letsencrypt.org in the field value.

 

Adapt your logs

Since your traffic will now exit through Ogo, the source IP recorded in your logs may be an Ogo IP rather than the client's. However, the true IP of a client is found in the X-Forwarded-For header.

If you maintain logs somewhere, you will have to set the IP field to the first value of the X-Forwarded-For header, not the IP of the request.

You must adapt the trusted IPs below from: List of OGO trusted IPs

Apache:

Apache documentation: RemoteIP Module

RemoteIPTrustedProxy 2001:41d0:203:da00::/56
RemoteIPTrustedProxy 2001:41d0:203:9faf::/64
RemoteIPTrustedProxy 2001:41d0:303:f29c::/64
RemoteIPTrustedProxy 2001:41d0:700:4d60::/64
RemoteIPTrustedProxy 109.232.234.201/32
RemoteIPTrustedProxy 148.253.98.208/32
RemoteIPTrustedProxy 135.125.163.96/32
RemoteIPTrustedProxy 163.172.74.84/32
RemoteIPTrustedProxy 37.59.251.192/29
RemoteIPTrustedProxy 148.253.119.44/32
RemoteIPTrustedProxy 148.253.103.161/32
RemoteIPTrustedProxy 152.228.196.160/28
RemoteIPTrustedProxy 163.172.105.73/32
RemoteIPTrustedProxy 152.228.221.175/32
RemoteIPTrustedProxy 152.228.223.156/32
RemoteIPTrustedProxy 54.36.104.130/32
RemoteIPHeader X-Forwarded-For

Nginx:

Nginx documentation: RealIP Module

set_real_ip_from 2001:41d0:203:da00::/56;
set_real_ip_from 2001:41d0:203:9faf::/64;
set_real_ip_from 2001:41d0:303:f29c::/64;
set_real_ip_from 2001:41d0:700:4d60::/64;
set_real_ip_from 109.232.234.201/32;
set_real_ip_from 148.253.98.208/32;
set_real_ip_from 135.125.163.96/32;
set_real_ip_from 163.172.74.84/32;
set_real_ip_from 37.59.251.192/29;
set_real_ip_from 148.253.119.44/32;
set_real_ip_from 148.253.103.161/32;
set_real_ip_from 152.228.196.160/28;
set_real_ip_from 163.172.105.73/32;
set_real_ip_from 152.228.221.175/32;
set_real_ip_from 152.228.223.156/32;
set_real_ip_from 54.36.104.130/32;
real_ip_header    X-Forwarded-For;
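
For logs that are processed outside Apache or Nginx, the same rule can be applied when the IP field is rewritten. The following is an added example, not Ogo's own code: it uses the first X-Forwarded-For value only when the connection came from one of the Ogo ranges listed above, and otherwise keeps the connection address. The tab-separated log format, the function names and the sample lines are assumptions made for the illustration.

```python
import ipaddress

# Ogo exit ranges copied from the configuration above; keep them in sync
# with the published list of OGO trusted IPs.
OGO_TRUSTED = [ipaddress.ip_network(n) for n in """
2001:41d0:203:da00::/56 2001:41d0:203:9faf::/64 2001:41d0:303:f29c::/64
2001:41d0:700:4d60::/64 109.232.234.201/32 148.253.98.208/32
135.125.163.96/32 163.172.74.84/32 37.59.251.192/29 148.253.119.44/32
148.253.103.161/32 152.228.196.160/28 163.172.105.73/32
152.228.221.175/32 152.228.223.156/32 54.36.104.130/32
""".split()]


def is_ogo_peer(addr):
    """True if the connecting address belongs to an Ogo exit range."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:  # dual-stack ::ffff:a.b.c.d peers
        ip = ip.ipv4_mapped
    return any(ip in net for net in OGO_TRUSTED)


def client_ip(peer, xff):
    """Address to log: first X-Forwarded-For value, but only behind Ogo."""
    if not xff or not is_ogo_peer(peer):
        return peer  # no header, or peer is not Ogo: keep connection address
    first = xff.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return peer  # malformed header value: fall back to the peer


def rewrite(line):
    """Replace the IP field of a 'peer<TAB>xff<TAB>request' log line."""
    peer, xff, rest = line.split("\t", 2)
    return f"{client_ip(peer, xff)}\t{rest}"


# Constructed sample lines (hypothetical log format, documentation addresses)
SAMPLE = [
    "109.232.234.201\t203.0.113.7\tGET /",
    "37.59.251.194\t198.51.100.23, 10.0.0.5\tGET /login",
    "192.0.2.50\t203.0.113.99\tGET /admin",   # peer is not an Ogo exit IP
    "152.228.196.161\tnot-an-ip\tGET /",      # unparsable header value
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(rewrite(line))
```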

TTL

Consider setting the TTL of the DNS records that will be switched to 1800 seconds, so that DNS propagation does not take too long.