CloudFlare + DigitalOcean IP-based firewall restrictions

This may sound crazy. But I imagined a way where DO’s firewall platform could work hand-in-hand with CF. Where you can restrict connections to only Cloudflare (except port 22 if you wanted) to only CF’s servers. Not a proxy, but just restricting access even further so that you can’t even access port 80 through IP.

It’s only an idea, I know there are potential flaws such as CDN’s, routing the proxied connections throughout multiple data centers (thus potentially having to rule 100s of IPs), and so many more factors. But I wanted to see if the scenario itself could be further written into.

You can already do this. Add in the digital ocean firewall settings the list of Cloudflare IP ranges from IP Ranges


You can already do this :thinking:

You can get all Cloudflare IP addresses here and block all incoming traffic except this addresses from DO firewall.

Obviously you have to change with your static IP to access SSH and you can add same IPs to HTTP as well next to HTTPS.

Warning: If some other Cloudflare customer pointed their domain to your server IP on DO, they will have access to your 80/443 ports as well! To avoid this, you have to block request from strange host headers from your http server or script.

Yea, I figured those. Would there ever been an instance where one of the IP’s would change? It’s been a long while since that happened, but still.

What I was actually thinking where it would automatically configure itself. I’m not sure if the firewall let’s you inherit rules to other servers. But I might check with that on DO’s side.

If you are willing to enable Argo on your domain, you can always use Argo Tunnel and block all incoming requests. In this case you don’t have to worry about IP changes or strict SSL on your server since all traffic is encrypted.

I plan on it, thanks, b.

What script are talking about,

Hey can you tell me exactly how can I do that. Any guide or reference. Please

A properly configured server won’t respond to requests for invalid hostnames. For more info, serverfault or stackoverflow are the appropriate places to ask.