Changes to Cloudflare Infrastructure IPs Listed on cloudflare.com/ips - text file not updated yet

This change applies to those that had added per IP filtering on origins or on firewalls. It’s extremely likely that, as I said above, since you don’t know how this applies it will not interest you.

This change would need to be done on your origins, not on the Cloudflare account.

Could someone help me to understand this part: “This change delists the 104.28.0.0/14 prefix, which is no longer in use”? I don’t see 104.28 in the “Remove:” section just above that sentence, so am I right to say that it should have been: “This change delists the 104.16.0.0/12 prefix, which is no longer in use”?

That is how CIDRs work.

You are removing the 104.16.0.0/12 range (which goes from 104.16.0.0 to 104.32.255.255), which includes 104.28.0.0/14, but then re-adding all the other smaller ranges (104.16.0.0/13 which covers up to 104.23.255.255, and 104.24.0.0/14 which covers up to 104.27.255.255), excluding that de-listed range.

5 Likes

Today I got this email from Cloudflare:

[Action May Be Required] Changes to Cloudflare Infrastructure IPs Listed on cloudflare.com/ips

Remove:
104.16.0.0/…

Add:
104.16.0.0/…
104.24.0.0/…

My question is: do I need to change this manually from my site/cPanel/Cloudflare dashboard?

If yes, please tell me how to do that.

Thanks.

Hello.

IPv4 lists are different

https://www.cloudflare.com/ips-v4

No. If you haven’t done this before, you don’t need to do anything now.

You’re probably seeing a cached version. Cloudflare…uh…may have set a long TTL on the ips-v4 text file.

NOTE: I sorted the above lists so they could be more easily compared. The ips-v4 file at Cloudflare is not sorted, but the /ips/ page has them sorted.

Thank you for your help.

1 Like

Thank you so much.

The email stated: “[Action May Be Required] Changes to Cloudflare Infrastructure IPs Listed on cloudflare.com/ips”

So, I thought I needed to do something.

But I can’t find the IPS log in my dashboard. How do I check it?
(I use free Cloudflare)

My web developer set up my Cloudflare account for me. I have NO IDEA how I’m set up, or if this applies to me. How can I tell if my security model relies on these lists of IPs?

I don’t know why you are asking me. You should be asking the web developer that set it up.

It most likely does not. Not to worry. If you leave it alone, nothing will break. But when you have a chance, ask your web developer if they used the list. They’ll probably say no.

This change doesn’t affect the vast majority of Cloudflare users. If you don’t know what this list is, it doesn’t affect you.

I have a very custom setup and use this list as a whitelist of IP addresses I will allow my webservers to talk to. This is a completely optional thing and is probably overkill. Normal cpanel, plesk, directadmin, etc type hosting servers don’t use any lists like this. So this whole thing can be ignored by most people.

2 Likes

@cloonan Is there an ETA on the Cloudflare API IP endpoint returning the new IPs as well? That needs to be updated for the new list to be available in tools like the Cloudflare Terraform Provider.

I’m a bit surprised there isn’t a single source of truth for this.

I believe there is, it’s just that the caching on the edge of that page is keeping it stale.

This indeed appears to be correct (max-age is 1 year). If you fetch the IP list with a query string, you’ll see the revised ranges, e.g.:

Without:

> curl https://www.cloudflare.com/ips-v4
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/12
172.64.0.0/13
131.0.72.0/22

With:

> curl "https://www.cloudflare.com/ips-v4?$(date +%s)"
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
172.64.0.0/13
131.0.72.0/22
104.16.0.0/13
104.24.0.0/14

With a query string, the old 104.16.0.0/12 range is gone and the new 104.16.0.0/13 and 104.24.0.0/14 ranges appear. This could be a useful way to update tools to get fresh content despite those caching headers.

2 Likes
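Added example (not from any poster in this thread and not Cloudflare's code): the CIDR arithmetic explained earlier in the thread, applied to the two lists from the curl outputs above. It computes which prefixes an origin allowlist has to add and remove, and which address space actually stops being listed; the function names are illustrative.

```python
import ipaddress

# IPv4 lists copied from the two curl outputs quoted in the thread.
STALE = ("173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 "
         "141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 "
         "197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/12 "
         "172.64.0.0/13 131.0.72.0/22").split()
# Same entries as the cache-busted output: the /12 is replaced by a /13 and a /14.
FRESH = [c for c in STALE if c != "104.16.0.0/12"] + ["104.16.0.0/13", "104.24.0.0/14"]

def span(cidr):
    """First and last address of a CIDR block, as strings."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address)

def uncovered(space, cover):
    """Collapsed CIDRs inside `space` that no network in `cover` contains."""
    remaining = list(space)
    for c in cover:
        kept = []
        for r in remaining:
            if not r.overlaps(c):
                kept.append(r)                     # untouched by c
            elif c.subnet_of(r):
                kept.extend(r.address_exclude(c))  # carve c out of r
            # otherwise r lies inside c: fully covered, drop it
        remaining = kept
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]

def allowlist_changes(old, new):
    """Rule edits for an origin allowlist, plus the address space that moves."""
    old_n = {ipaddress.ip_network(c) for c in old}
    new_n = {ipaddress.ip_network(c) for c in new}
    return {
        "add": [str(n) for n in sorted(new_n - old_n)],        # apply these first
        "remove": [str(n) for n in sorted(old_n - new_n)],     # then drop these
        "delisted": uncovered(old_n, new_n),      # space no longer listed
        "newly_listed": uncovered(new_n, old_n),  # space not allowed before
    }

if __name__ == "__main__":
    for key, value in allowlist_changes(STALE, FRESH).items():
        print(f"{key:13} {value}")
    for cidr in ("104.16.0.0/12", "104.16.0.0/13", "104.24.0.0/14", "104.28.0.0/14"):
        print(cidr, "=", " - ".join(span(cidr)))
```

Because `newly_listed` is empty, an allowlist built from the stale file still accepts every current range; what it keeps accepting in addition is 104.28.0.0/14, the prefix the notice describes as no longer in use.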

The cache theory only explains the delay in the update here https://www.cloudflare.com/ips-v4

It doesn’t explain the delay in the update here: https://api.cloudflare.com/client/v4/ips which is why I’m saying there doesn’t appear to be a single source of truth. The API endpoint does not appear to be cached:

curl -i https://api.cloudflare.com/client/v4/ips
HTTP/2 200
date: Fri, 09 Apr 2021 16:13:55 GMT
content-type: application/json
set-cookie: __cfduid=dae902c223bef87219ca17f5878394fa31617984835; expires=Sun, 09-May-21 16:13:55 GMT; path=/; domain=.api.cloudflare.com; HttpOnly; SameSite=Lax; Secure
cf-ray: 63d50687184e5df6-BNA
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
etag: W/"fb21705459fea38d23b210ee7d67b753"
expires: Sun, 25 Jan 1981 05:00:00 GMT
strict-transport-security: max-age=31536000
cf-cache-status: DYNAMIC
cf-request-id: 095902686f00005df6bf1da000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
pragma: no-cache
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
set-cookie: __cflb=0H28vgHxwvgAQtjUGU4vq74ZFe3sNVUZcsNPLKto2Wq; SameSite=Lax; path=/; expires=Fri, 09-Apr-21 18:43:56 GMT; HttpOnly
set-cookie: __cfruid=0da42b6cf7d6909609e41893a0bce63708a3eaba-1617984835; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
server: cloudflare

{"result":{"ipv4_cidrs":["173.245.48.0\/20","103.21.244.0\/22","103.22.200.0\/22","103.31.4.0\/22","141.101.64.0\/18","108.162.192.0\/18","190.93.240.0\/20","188.114.96.0\/20","197.234.240.0\/22","198.41.128.0\/17","162.158.0.0\/15","104.16.0.0\/12","172.64.0.0\/13","131.0.72.0\/22"],"ipv6_cidrs":["2400:cb00::\/32","2606:4700::\/32","2803:f800::\/32","2405:b500::\/32","2405:8100::\/32","2a06:98c0::\/29","2c0f:f248::\/32"],"etag":"fb21705459fea38d23b210ee7d67b753"},"success":true,"errors":[],"messages":[]}

2 Likes

Thanks a lot.

It seems to be updated on the text list and API as well.

Just a suggestion but I think it would be much easier if the ranges listed in the text file were ordered like they are in the list on the page, I mean it’s not hard to sort them manually but it would make it easier to copy and paste :)