diff --git a/Dockerfile b/Dockerfile
index bc4e23a4..8bbac51b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -58,10 +58,10 @@ RUN apk upgrade --no-cache -a && \
echo "APPSEC_FAILURE_ACTION=deny" | tee -a /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
sed -i "s|BOUNCING_ON_TYPE=all|BOUNCING_ON_TYPE=ban|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
-FROM zoeyvid/nginx-quic:271
+FROM zoeyvid/nginx-quic:python-275
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
-ARG CRS_VER=v4.1.0
+ARG CRS_VER=v4.2.0
COPY rootfs /
COPY --from=zoeyvid/certbot-docker:34 /usr/local /usr/local
diff --git a/README.md b/README.md
index 0a6cb2dc..7b88df72 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@ running at home or otherwise, including free TLS, without having to know too muc
**Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork stops nginx and starts it again. This can result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/NPMplus/issues/296 and https://github.com/ZoeyVid/NPMplus/issues/283.**
--->
**Note: Reloading the NPMplus UI can cause a 502 error. See https://github.com/ZoeyVid/NPMplus/issues/241.**
-**Note: NO armv7 and route53 support.**
+**Note: NO armv7, route53 and aws cloudfront ip ranges support.**
**Note: add `net.ipv4.ip_unprivileged_port_start=0` at the end of `/etc/sysctl.conf` to support PUID/PGID in network mode host.**
**Note: If you don't use network mode host, which I don't recommend, don't forget to expose port 443 on tcp AND udp (http3/quic needs udp).**
**Note: If you don't use network mode host, which I don't recommend, don't forget to enable IPv6 in Docker, see [here](https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md), you only need to edit the daemon.json and restart docker, if you use the bridge network, otherwise please enable IPv6 in your custom docker network!**
diff --git a/backend/internal/ip_ranges.js b/backend/internal/ip_ranges.js
index 19b1f6bf..4518db87 100644
--- a/backend/internal/ip_ranges.js
+++ b/backend/internal/ip_ranges.js
@@ -5,7 +5,6 @@ const error = require('../lib/error');
const utils = require('../lib/utils');
const internalNginx = require('./nginx');
-const CLOUDFRONT_URL = 'https://ip-ranges.amazonaws.com/ip-ranges.json';
const CLOUDFARE_V4_URL = 'https://www.cloudflare.com/ips-v4';
const CLOUDFARE_V6_URL = 'https://www.cloudflare.com/ips-v6';
@@ -57,29 +56,7 @@ const internalIpRanges = {
let ip_ranges = [];
return internalIpRanges
- .fetchUrl(CLOUDFRONT_URL)
- .then((cloudfront_data) => {
- const data = JSON.parse(cloudfront_data);
-
- if (data && typeof data.prefixes !== 'undefined') {
- data.prefixes.map((item) => {
- if (item.service === 'CLOUDFRONT') {
- ip_ranges.push(item.ip_prefix);
- }
- });
- }
-
- if (data && typeof data.ipv6_prefixes !== 'undefined') {
- data.ipv6_prefixes.map((item) => {
- if (item.service === 'CLOUDFRONT') {
- ip_ranges.push(item.ipv6_prefix);
- }
- });
- }
- })
- .then(() => {
- return internalIpRanges.fetchUrl(CLOUDFARE_V4_URL);
- })
+ .fetchUrl(CLOUDFARE_V4_URL)
.then((cloudfare_data) => {
const items = cloudfare_data.split('\n').filter((line) => regIpV4.test(line));
ip_ranges = [...ip_ranges, ...items];
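Review bot: With the CloudFront step gone, `ip_ranges` is still the empty array from `let ip_ranges = [];` when the first `.then` runs, so the spread-merge on the last line of the hunk is a no-op and reads as if something had been accumulated before it; `ip_ranges = cloudfare_data.split('\n').filter((line) => regIpV4.test(line));` says what actually happens. The same pattern presumably continues for the IPv6 list in the part of the chain below the hunk, where the merge is still needed. Keeping the `regIpV4` filter is the right call, since these lines end up as `set_real_ip_from` directives in the rendered nginx config and the fetched list should not be trusted as-is. The enclosing function starts before the hunk and its remaining `.then` steps continue after it.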
diff --git a/backend/package.json b/backend/package.json
index c2692aee..6dd3e39a 100644
--- a/backend/package.json
+++ b/backend/package.json
@@ -4,7 +4,7 @@
"description": "A beautiful interface for creating Nginx endpoints",
"main": "index.js",
"dependencies": {
- "@apidevtools/json-schema-ref-parser": "11.5.5",
+ "@apidevtools/json-schema-ref-parser": "11.6.1",
"ajv": "6.12.6",
"archiver": "7.0.1",
"batchflow": "0.4.0",
@@ -16,7 +16,7 @@
"gravatar": "1.8.2",
"jsonwebtoken": "9.0.2",
"knex": "3.1.0",
- "liquidjs": "10.11.0",
+ "liquidjs": "10.11.1",
"lodash": "4.17.21",
"moment": "2.30.1",
"mysql": "2.18.1",
@@ -29,8 +29,8 @@
"author": "Jamie Curnow and ZoeyVid ",
"license": "MIT",
"devDependencies": {
- "@eslint/js": "9.0.0",
- "eslint": "9.0.0",
+ "@eslint/js": "9.1.1",
+ "eslint": "9.1.1",
"eslint-config-prettier": "9.1.0",
"eslint-plugin-prettier": "5.1.3",
"globals": "15.0.0",
diff --git a/backend/templates/ip_ranges.conf b/backend/templates/ip_ranges.conf
index 8ede2bd9..ee7db935 100644
--- a/backend/templates/ip_ranges.conf
+++ b/backend/templates/ip_ranges.conf
@@ -1,3 +1,11 @@
{% for range in ip_ranges %}
set_real_ip_from {{ range }};
-{% endfor %}
\ No newline at end of file
+{% endfor %}
+
+map $http_cf_connecting_ip $real_ip {
+ "" $http_x_real_ip;
+ default $http_cf_connecting_ip;
+}
+
+more_set_input_headers "X-IP: $real_ip";
+real_ip_header X-IP;
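Review bot: The `real_ip_header X-IP;` on the last line can, as far as I can tell, be satisfied by an X-IP header that arrives with the request rather than by the one `more_set_input_headers` sets: the realip module looks for its header at the post-read phase, while headers-more rewrites input headers only at the tail of the rewrite phase, so for a connection from an address in `set_real_ip_from` a pre-existing X-IP header is consumed first and the later rewrite no longer has any effect. Because the trusted ranges are now exclusively Cloudflare's and a reverse proxy generally passes client request headers through, the client address nginx records (and that access rules and the bouncer act on) would then be whatever that header claims. Unless the `$http_x_real_ip` fallback in the map is really needed, the safer form is to bind the module to the header the trusted proxy itself sets, `real_ip_header CF-Connecting-IP;`, and drop the map and the two header directives. If the fallback is required, please add a comment explaining why, and note that the intermediate header must not be client-controllable for the trust in `set_real_ip_from` to hold.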
diff --git a/renovate.json b/renovate.json
index 0897d9b3..24277269 100644
--- a/renovate.json
+++ b/renovate.json
@@ -2,7 +2,7 @@
"extends": [
"config:base"
],
- "baseBranches": [],
+ "baseBranches": ["develop", "php"],
"includeForks": true,
"automerge": false,
"branchPrefix": "renovate-deps-update-",
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/acme-challenge.conf b/rootfs/usr/local/nginx/conf/conf.d/include/acme-challenge.conf
index fcad5607..978f6dce 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/acme-challenge.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/acme-challenge.conf
@@ -16,3 +16,7 @@ location = /nftd {
location /nftd/ {
alias /nftd/;
}
+
+location ~ /\.ht {
+ deny all;
+}
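Review bot: The new `location ~ /\.ht` block carries no comment on why the pattern is deliberately narrow; in an ACME include the obvious broader `/\.` would also block `/.well-known/acme-challenge/`, so a one-liner such as `# block .htaccess/.htpasswd-style files only; a broader /\. pattern would also deny /.well-known/ used by ACME` saves the next maintainer from "fixing" it. Since regex locations are evaluated ahead of the prefix locations above, this also applies inside `/nftd/`, which looks intended but is worth stating. If hiding the existence of such files matters more than a clear 403, `return 404;` instead of `deny all;` is the usual alternative.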