Yesterday I tried to implement this at the nginx server level since I can't do it globally with iptables, and honestly I do not know what to think of Cloudflare…
I made sure my A and WWW records are proxied, but even though they are, I get 403 Forbidden all the time, meaning when I visit my site I'm apparently not coming from Cloudflare? I added my IP to the list to make sure the setup was working and got access immediately. So I don't know what to think.
Actually I kinda got the same problem when trying with iptables. I have a domain that can't be used with Cloudflare (a free ddns.net) and if I set up the iptables rules then the firewall is effectively blocking me from accessing that domain. With the domain on Cloudflare it somehow works but doesn't seem reliable; it takes like 10-15 min to time out the connection if not using Cloudflare's proxy.
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # shared allow/deny list, kept in its own file so every vhost can include it
    include /usr/local/nginx/conf/allow-cloudflare-only.conf;
}

# /usr/local/nginx/conf/allow-cloudflare-only.conf
# https://www.cloudflare.com/ips
# rules are evaluated top to bottom; the first match wins
# IPv4
allow 131.0.72.0/22;
allow 172.64.0.0/13;
allow 104.24.0.0/14;
allow 104.16.0.0/13;
allow 162.158.0.0/15;
allow 198.41.128.0/17;
allow 197.234.240.0/22;
allow 188.114.96.0/20;
allow 190.93.240.0/20;
allow 108.162.192.0/18;
allow 141.101.64.0/18;
allow 103.31.4.0/22;
allow 103.22.200.0/22;
allow 103.21.244.0/22;
allow 173.245.48.0/20;
# (131.0.72.0/22 was listed a second time here; the duplicate is harmless and has been dropped)
# IPv6
allow 2400:cb00::/32;
allow 2606:4700::/32;
allow 2803:f800::/32;
allow 2405:b500::/32;
allow 2405:8100::/32;
allow 2a06:98c0::/29;
allow 2c0f:f248::/32;
deny all; # deny all remaining ips
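To work out why a proxied request still gets a 403, it helps to evaluate the allow/deny list the way nginx does (first matching rule wins, in order; a request matching nothing is allowed) against the address nginx actually checks. The script below is an added example and is not part of the post; it parses the list from the post and tests sample addresses. One common cause of "403 even through Cloudflare" that it models: if ngx_http_realip_module is configured with `real_ip_header CF-Connecting-IP` and `set_real_ip_from` for the Cloudflare ranges, then by the time the access module runs, `$remote_addr` has already been rewritten to the visitor's own address, which is not in the list and is denied. The sample addresses (a Cloudflare edge address inside one of the posted ranges, and documentation-range visitor addresses) are constructed for the demonstration.

```python
import ipaddress

# Allow/deny list copied from the post's nginx config (IPv4 + IPv6).
ALLOW_CONF = """
# https://www.cloudflare.com/ips
allow 131.0.72.0/22;
allow 172.64.0.0/13;
allow 104.24.0.0/14;
allow 104.16.0.0/13;
allow 162.158.0.0/15;
allow 198.41.128.0/17;
allow 197.234.240.0/22;
allow 188.114.96.0/20;
allow 190.93.240.0/20;
allow 108.162.192.0/18;
allow 141.101.64.0/18;
allow 103.31.4.0/22;
allow 103.22.200.0/22;
allow 103.21.244.0/22;
allow 173.245.48.0/20;
allow 2400:cb00::/32;
allow 2606:4700::/32;
allow 2803:f800::/32;
allow 2405:b500::/32;
allow 2405:8100::/32;
allow 2a06:98c0::/29;
allow 2c0f:f248::/32;
deny all; # deny all remaining ips
"""


def parse_access_rules(conf_text):
    """Parse nginx `allow`/`deny` directives into an ordered list of
    (action, network-or-None) tuples. None stands for the keyword `all`."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if not line.endswith(";"):
            raise ValueError(f"missing ';' in directive: {raw!r}")
        parts = line[:-1].split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"not an allow/deny directive: {raw!r}")
        action, target = parts
        if target == "all":
            rules.append((action, None))
        else:
            # strict=False accepts host bits set in the prefix, as nginx does
            rules.append((action, ipaddress.ip_network(target, strict=False)))
    return rules


def evaluate(rules, remote_addr):
    """Apply the rules like ngx_http_access_module: first match wins.
    If nothing matches, nginx allows the request."""
    ip = ipaddress.ip_address(remote_addr)
    for action, net in rules:
        if net is None or (net.version == ip.version and ip in net):
            return action
    return "allow"


def evaluate_with_realip(rules, edge_addr, cf_connecting_ip, trusted):
    """Model the realip pitfall: when the connecting address is in the
    `set_real_ip_from` trusted set, nginx replaces $remote_addr with the
    CF-Connecting-IP header value *before* the access module runs, so the
    allow/deny list is checked against the visitor, not the Cloudflare edge."""
    edge = ipaddress.ip_address(edge_addr)
    effective = edge_addr
    if any(edge.version == net.version and edge in net for net in trusted):
        effective = cf_connecting_ip
    return evaluate(rules, effective)


RULES = parse_access_rules(ALLOW_CONF)
# Hypothetical `set_real_ip_from` set: the same Cloudflare ranges.
TRUSTED = [net for action, net in RULES if action == "allow"]

if __name__ == "__main__":
    # Constructed samples: 104.16.1.1 lies inside 104.16.0.0/13 (an edge
    # address); 203.0.113.5 is a documentation-range "visitor" address.
    print("edge  -> ", evaluate(RULES, "104.16.1.1"))          # allow
    print("direct-> ", evaluate(RULES, "203.0.113.5"))         # deny
    # Same proxied request, but realip has rewritten $remote_addr:
    print("realip-> ", evaluate_with_realip(RULES, "104.16.1.1",
                                            "203.0.113.5", TRUSTED))  # deny
```

Run it as-is to see the three verdicts. If the third line matches what you see in production (proxied traffic denied, your own whitelisted IP allowed), the realip rewrite is the thing to look at: the access list and the realip trust list are checking different addresses.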