Block traffic that doesn't come through Cloudflare at AWS load balancer

I have enabled the IP to pass through Cloudflare in order to audit and track users,
so I cannot get the whitelist IP address option to work (or so I believe).

Is there a header in Cloudflare that I can filter for in my ALB or NACL?

Cloudflare requests will always come from a defined range of IP addresses (documented here), and you can add those ranges to a security group on your AWS load balancer. This does not change the X-Forwarded-For, CF-Connecting-IP or True-Client-IP headers you are already using to audit and track users.

You should also configure your origin to ignore requests that do not match your host header (because somebody else could create a Cloudflare property and make requests to your load balancer).

Finally, you could configure Authenticated Origin Pulls.

There is no special header that cannot be spoofed by a random attacker.

When I added the IP ranges from Cloudflare to my security group:

Type Protocol Port Range Source Description
HTTPS TCP 443 173.245.48.0/20
HTTPS TCP 443 103.21.244.0/22
HTTPS TCP 443 103.22.200.0/22
HTTPS TCP 443 103.31.4.0/22
HTTPS TCP 443 141.101.64.0/18
HTTPS TCP 443 108.162.192.0/18
HTTPS TCP 443 190.93.240.0/20
HTTPS TCP 443 188.114.96.0/20
HTTPS TCP 443 197.234.240.0/22
HTTPS TCP 443 198.41.128.0/17
HTTPS TCP 443 162.158.0.0/15
HTTPS TCP 443 104.16.0.0/12
HTTPS TCP 443 172.64.0.0/13
HTTPS TCP 443 131.0.72.0/22

All of my requests timed out.

However, when I appended my desktop IP address to this list, it worked.

So something in my Cloudflare configuration is passing through my IP address.
I have 'flatten CNAME at root' configured.
I cannot do auth origin pull because I have not seen any docs for doing this on IIS.

True-Client-IP header is on.

You can create a request header (edge > origin, invisible to visitors) using Cloudflare Workers:

Though the suggestion above is meant to help folks on shared hosting, I believe you could also use a secret header to block requests at the origin firewall level if you have access to configuring it.
