Adding Cloudflare IPs to Sage Pay whitelist

To enable our site to continue using SagePay as a payment gateway, it seems that I need to whitelist the relevant Cloudflare IP address within our SagePay account.

Is there an alternative to whitelisting ALL Cloudflare’s IPs?

There must be a safer way of allowing SagePay payments from a Cloudflare server?

Not really because they can change at any time.

I’ve seen

172.64/13
104.16/12
162.158/15

But without guarantee.

But isn’t your host connecting to SagePay to process payments? It’s relevant then and you need to whitelist your server’s IP.

https://www.sagepay.co.uk/support/16/36/adding-an-ip-address-to-your-account

Yes, it is the host server that’s connecting to SagePay, but if I ping the domain I get a Cloudflare IP address, so I assume I have to add Cloudflare’s IP address list?

If I ping my domain I get a Cloudflare IP, so I assume SagePay sees a Cloudflare IP.

Is there an alternative, can I pass the original IP through or something?

Log in to your dashboard and have a look at the DNS records. Or ask your hosting company, they should know it.

My impression is that SagePay is looking for IP addresses from which it will receive requests.

While your website’s inbound traffic is routed through Cloudflare (hence why pinging your domain returns a Cloudflare IP), your requests to SagePay likely originate from your server/hosting provider and never see Cloudflare.

Try whitelisting your server or asking your hosting provider for a list of addresses to whitelist.
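
As an added illustration of the inbound/outbound distinction in the reply above (not part of the original thread), this Python sketch expands the shorthand ranges quoted earlier and checks which observed addresses fall inside them. The function names and sample addresses are constructed for the example, and the ranges are only the ones quoted in the thread, not an authoritative list.

```python
import ipaddress

# Ranges exactly as quoted in the thread (shorthand, "without guarantee").
THREAD_RANGES = ["172.64/13", "104.16/12", "162.158/15"]


def expand_shorthand(cidr):
    """Turn shorthand such as '172.64/13' into an IPv4 network (172.64.0.0/13)."""
    addr, _, prefix = cidr.partition("/")
    octets = addr.split(".")
    if not prefix or not 1 <= len(octets) <= 4:
        raise ValueError(f"not a CIDR block: {cidr!r}")
    octets += ["0"] * (4 - len(octets))
    # strict=True rejects blocks with host bits set, which catches typos.
    return ipaddress.ip_network(".".join(octets) + "/" + prefix, strict=True)


def in_proxy_ranges(ip, networks):
    """True if ip lies inside any of the given proxy networks."""
    parsed = ipaddress.ip_address(ip)
    return any(parsed in net for net in networks)


def allowlist_candidates(observations, networks):
    """Return labels of observed addresses that are NOT proxy edge addresses.

    A proxy edge address only describes where inbound visitors connect; it
    says nothing about the source of the server's own outbound API calls.
    """
    return [label for label, ip in observations
            if not in_proxy_ranges(ip, networks)]


NETWORKS = [expand_shorthand(r) for r in THREAD_RANGES]

# Constructed sample observations (documentation/test addresses).
OBSERVED = [
    ("address returned when pinging the domain", "104.21.5.10"),
    ("source address of the server's outbound connections", "203.0.113.25"),
]

if __name__ == "__main__":
    for label, ip in OBSERVED:
        kind = "proxy edge" if in_proxy_ranges(ip, NETWORKS) else "not in proxy ranges"
        print(f"{ip:15} {kind:20} ({label})")
    print("allowlist candidates:", allowlist_candidates(OBSERVED, NETWORKS))
```

The source address of outbound connections has to be measured from the server itself (or supplied by the hosting provider); it cannot be inferred from what the domain resolves to.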

I have already whitelisted my server IP address, but SagePay is blocking payments and reports that the request is from an invalid IP (i.e. one that has not been whitelisted).

Requests to SagePay are not from the server IP address.

So outbound requests do not go through Cloudflare?
