From ea48a713c58713e9a5b5f3915c9242d5c89ae505 Mon Sep 17 00:00:00 2001
From: kappa <kappa@inouter.com>
Date: Sun, 15 Mar 2026 10:56:04 +0900
Subject: [PATCH] =?UTF-8?q?OpenWrt=20CDN=20IP=20=ED=95=84=ED=84=B0=20?=
 =?UTF-8?q?=EC=B6=94=EA=B0=80=20(BunnyCDN=20+=20Cloudflare)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

오리진 직접 접근 차단, CDN 경유만 허용
매일 04:00 자동 업데이트 크론

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 infra/infra-hosts.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/infra/infra-hosts.md b/infra/infra-hosts.md
index 7599b7b..769334f 100644
--- a/infra/infra-hosts.md
+++ b/infra/infra-hosts.md
@@ -69,6 +69,10 @@ tags: [infra, network, kr-zone, openwrt]
   - proxy-quic: udp:0.0.0.0:9443 → udp:127.0.0.1:9443
 - **APISIX etcd**: apisix-etcd (incus 컨테이너, 10.179.99.101)
 - **OVN 네트워크**: ovn1 (10.165.246.0/24) — hp2↔kr2 간 오버레이
+- **CDN IP 필터**: BunnyCDN + Cloudflare IP만 80/443 허용, 그 외 WAN 차단
+  - 스크립트: `/etc/cdn-filter-update.sh`
+  - nftables: `/etc/nftables.d/10-cdn-filter.nft`
+  - 크론: 매일 04:00 업데이트
 - **DNS rebind 예외**: inouter.com (OpenWrt dnsmasq)
 - 공인 IP `220.120.65.245`는 OpenWrt 라우터의 IP