Blocking bypass of Cloudflare

Can I block IPs which are bypassing Cloudflare or using the direct server IP to access my website?
I am on a shared plan, so I can make changes to the .htaccess file. Can anyone help me block traffic that is bypassing Cloudflare and accessing my website directly?

You can do that; however, your server still has to accept the connection, check the rules, and drop the connection. It’s a relatively "lightweight" process compared to allowing the request, but it’s a patch that can be overwhelmed with enough attack power.
Depending on the attack volume you are receiving, .htaccess is a good solution or not. I suggest trying and seeing if that’s enough to stop the attacks you are receiving.

How to block visitors bypassing Cloudflare?

I’m afraid that if they are bypassing Cloudflare, you will have to reach out to your host and ask them to drop these connections for you. These are the IPs they have to allow list: https://www.cloudflare.com/ips/

There are various ways to protect your Origin.

You can enable Authenticated Origin Pull (using customer certificates is preferred).

You can also use .htaccess to allow/deny based on the published Cloudflare IP ranges, but that is less reliable than Authenticated Origin Pull.

I tried .htaccess to limit to only Cloudflare IPs, but it is giving a forbidden error.
I am using a Cloudflare-generated certificate.

I think one cannot use AOP in the context of shared hosting.

Instead, you can use Transform Rules to create a request header with a secret value, and add a few directives to your .htaccess to block requests not presenting that header/value.

A request header added by Transform Rules will only be visible to the origin, not to the visitor. This should not, of course, be considered a protection against DDoS, as @jnperamo pointed out, but it will prevent other unwanted visitors from getting to your site (those probing for vulnerabilities, author enumeration, etc.).

In my blog I’ve posted a more detailed explanation, including the .htaccess directives needed:
https://obapress.com/how-to-prevent-cloudflare-bypass-on-shared-hosting/

I followed your link and found this:

> # Uncomment and edit w/ IP of origin to allow services such as certs, cron, Softaculous etc
>    # RewriteCond "%{REMOTE_HOST}" "!^xxx\.xxx\.xxx\.xxx$"

My server IP: 123.456.789

So what should I place in this line?
RewriteCond "%{REMOTE_HOST}" "!^xxx\.xxx\.xxx\.xxx$"

Just replace each block in the IP with the numbers from your server’s IP:

RewriteCond "%{REMOTE_HOST}" "!^123\.456\.789\.012$"

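The approach discussed in this thread (a header added by a Transform Rule, checked in .htaccess, with an exception for the origin's own IP), as an added example that is not taken from any poster or from the linked blog. The header name `X-Origin-Auth`, the secret placeholder and the address 203.0.113.10 are assumptions to be replaced with your own values.

```apache
# Added example: block requests that did not come through Cloudflare.
# Assumptions (not from the thread): header name X-Origin-Auth, the
# placeholder secret below, and 203.0.113.10 standing in for the origin IP.

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Exception for the server talking to itself (certificate renewal,
    # cron jobs, installers such as Softaculous). REMOTE_ADDR is used here
    # instead of REMOTE_HOST because it is always the numeric address,
    # even when the host has reverse DNS lookups enabled.
    RewriteCond "%{REMOTE_ADDR}" "!^203\.0\.113\.10$"

    # The Transform Rule on the Cloudflare side sets this request header.
    # "!=" is an exact string comparison, so a missing header, an empty
    # header, or any other value all fail the check.
    RewriteCond "%{HTTP:X-Origin-Auth}" "!=REPLACE_WITH_LONG_RANDOM_VALUE"

    # Both conditions true: not the origin itself and no valid header.
    # Answer 403 Forbidden and stop processing further rules.
    RewriteRule "^" "-" [F,L]
</IfModule>

# Keep the secret out of reach if the file is ever requested directly.
<Files ".htaccess">
    Require all denied
</Files>
```

To check the rule, request the site by its origin IP without the header and confirm a 403, then load it through Cloudflare and confirm the normal response. Treat the header value like a password: if it appears in shared logs or a backup, set a new value in both the Transform Rule and the .htaccess file.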
