Block direct IP address

Trying to block direct IP access to the server, I googled and found this htaccess code:

<VirtualHost *:80>
ServerName 127.0.0.1
Redirect 403 /
ErrorDocument 403 "No"
DocumentRoot /dev/null/
UseCanonicalName Off
UserDir disabled
</VirtualHost>

But all pages say No.

Using Litespeed which is like Apache.

You’d best do this at the firewall level and not at the web server level. Have a look at iptables or nftables.

I can’t. I’m on a shared account.

In that case you won’t be able to use VirtualHost either and your best bet is https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html. However, keep in mind that you won’t be able to rewrite IP addresses on a web server level in this case and hence all log files will show Cloudflare addresses and never the actual client address.

My host has mod_cloudflare installed so I see actual IPs.

In that case you will only get the actual address, but never Cloudflare’s, and hence can’t really limit it to Cloudflare. One workaround might be to require certain Cloudflare-specific headers and block the request if they are not present, but that’s rather a hack than a proper approach and could be easily bypassed.

Can I do that via htaccess? Because that’s pretty much all I have to work with.

You should be able to. You could use mod_rewrite and filter with RewriteCond for CF-Connecting-IP and block the request if that header is not present. But again, that’s rather a hack.

Maybe contact your host and they have a better solution.

Could you give me a code example? I’m code stupid here. LOL

Check out https://httpd.apache.org/docs/current/mod/mod_rewrite.html, or have a look at StackExchange if the documentation is not clear enough.

I’m using a shared account and I would like to help block direct IP connections. Looking at the headers in the Web Developer of my browser I see server: “cloudflare”. So I thought by adding one of the two codes to my htaccess I’d help block non-cloudflare traffic, but I just get a 403 all the time. What am I doing wrong?

RewriteCond %{HTTP:x-server-header} !^cloudflare$ [NC]
RewriteRule ^ - [F]

RewriteCond %{HTTP:server-header} !^cloudflare$ [NC]
RewriteRule ^ - [F]

This is what I put in .htaccess:

RewriteEngine On
RewriteCond %{HTTP:CF-IPCountry} ^$
RewriteRule ^ - [F,L]

Just make sure IP GeoLocation is enabled in the Network tab of the Cloudflare dashboard.

Are you looking at the headers Cloudflare sent to your server, or the headers your browser shows that you received from Cloudflare when accessing your site?

Also keep in mind that anyone who was curious could add Cloudflare to their request header too. To properly secure your origin, you must also enable Argo Tunnel or limit connections to your origin to allow only Cloudflare IPs and verify the JWT.

Yes, I’m reading the headers from what the Web Console of the browser shows. It shows a server: “cloudflare” so I thought I could work with that. sdayman’s solution looks viable, but I just found this nice write up as well. Stop Cloudflare bypassing on shared hosting

Just tested sdayman’s solution. Works great. I even verified with a direct connection using my Windows hosts file. Now, how would I omit a CIDR for my WordPress cron?

Didn’t we just have that yesterday :wink: -> Block direct IP address
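
An added example, not written by any poster in this thread: the request-header check suggested above, combined with an exemption for a cron source range. The 203.0.113.0/24 range and a WordPress install at the site root (so the cron path is /wp-cron.php) are assumptions to replace with your own values. As noted in the thread, a client connecting directly can send the header itself, so this only filters requests that arrive without it.

```apache
# .htaccess (mod_rewrite)
RewriteEngine On

# %{HTTP:name} reads a header of the REQUEST that reaches the origin.
# "server: cloudflare" in the browser's developer tools is a RESPONSE
# header sent by Cloudflare to the browser, so a condition such as
#   RewriteCond %{HTTP:server-header} !^cloudflare$ [NC]
# is true for every request (no request carries that header) and the
# following [F] rule answers 403 to everyone.

# Condition 1: the request has no CF-Connecting-IP header, i.e. it did not
# arrive through the Cloudflare proxy (or something stripped the header).
RewriteCond %{HTTP:CF-Connecting-IP} ^$

# Conditions 2 and 3 are joined with [OR], which mod_rewrite evaluates as
# one group: (source is outside the cron range) OR (path is not wp-cron.php).
# Together with condition 1 this forbids every header-less request except
# wp-cron.php requested from the exempted range.
# 203.0.113.0/24 is a documentation range used here as a placeholder.
# An octet-aligned /24 can be written as a prefix regex on REMOTE_ADDR.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\. [OR]
RewriteCond %{REQUEST_URI} !^/wp-cron\.php$

# Forbid (403) and stop processing further rewrite rules.
RewriteRule ^ - [F,L]
```

Place the block above the WordPress rewrite section so it is evaluated before those rules.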
