From 2e6e63f173cea7a6bd8bfa5b1a1c2b261f826fae Mon Sep 17 00:00:00 2001
From: Vassiliy Yegorov <va@egorovanet.ru>
Date: Sat, 21 Mar 2026 11:06:08 +0700
Subject: [PATCH] Update nginx.conf

---
 nginx/nginx.conf | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 4589713..609ee26 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -76,11 +76,18 @@ http {
 
             # Host header must match upstream for Cloudflare
             proxy_set_header Host api.elevenlabs.io;
-
-            # Pass through original headers (User-Agent, Accept, etc.)
-            # Do NOT set X-Real-IP or X-Forwarded-For — Cloudflare uses them for bot detection
             proxy_set_header Connection "";
 
+            # Scrub all headers that leak the original client IP
+            # Cloudflare reads these to determine "real" client geo
+            proxy_set_header X-Forwarded-For "";
+            proxy_set_header X-Real-IP "";
+            proxy_set_header True-Client-IP "";
+            proxy_set_header CF-Connecting-IP "";
+            proxy_set_header X-Client-IP "";
+            proxy_set_header Forwarded "";
+            proxy_set_header Via "";
+
             # Remove proxy token before forwarding to upstream
             proxy_set_header X-Proxy-Token "";
 
@@ -114,6 +121,16 @@ http {
 
             proxy_set_header Host api.openai.com;
             proxy_set_header Connection "";
+
+            # Scrub all headers that leak the original client IP
+            proxy_set_header X-Forwarded-For "";
+            proxy_set_header X-Real-IP "";
+            proxy_set_header True-Client-IP "";
+            proxy_set_header CF-Connecting-IP "";
+            proxy_set_header X-Client-IP "";
+            proxy_set_header Forwarded "";
+            proxy_set_header Via "";
+
             proxy_set_header X-Proxy-Token "";
 
             proxy_http_version 1.1;