Configuring CSF on a WHM/cPanel Server to Only Allow Traffic from Cloudflare

Hello Cloudflare Community,

I am in need of advice on configuring my firewall (CSF - ConfigServer Firewall) on a WHM/cPanel server to ensure that it only permits traffic coming through Cloudflare. My objective is to block any direct attempts to access my server, thereby only allowing requests that are routed through Cloudflare.

I have already taken the step to add Cloudflare’s IP ranges to my CSF allow list (csf.allow). Despite this, I am unsure of the proper way to configure CSF to block all other access efficiently, ensuring that legitimate traffic coming through Cloudflare is not impacted.

In addition, I came across the CF_ENABLE option within CSF, which seems to facilitate direct integration with Cloudflare. However, I am unclear on the best practices for leveraging this feature in my specific use case.

Given that I am utilizing WHM/cPanel, I am particularly interested in:

  1. Detailed instructions for setting up CSF to exclusively allow Cloudflare IPs.
  2. Strategies for ensuring this setup blocks all direct access while not interfering with Cloudflare-filtered traffic.
  3. Recommendations on whether to employ the CF_ENABLE option in CSF for a WHM/cPanel environment, and insights on its effective deployment.

Your expertise and any suggestions you could provide would be immensely appreciated.

Thank you very much for your time and help!

What I’ve Tried:

I have also attempted to install UFW in addition to CSF because I found UFW to be easily configurable with a rule updater for managing the allow lists, particularly for Cloudflare IPs. However, I am uncertain whether running two firewalls concurrently is advisable or if it could lead to potential conflicts.

I’ve searched extensively online for guidance on this matter but haven’t found a definitive answer.

Hi @guytirewildtir

I would recommend that you add this to your .htaccess file:

# Cloudflare Only access
Order Deny,Allow
Deny from all
Allow from 103.21.244.0/22
Allow from 103.22.200.0/22
Allow from 103.31.4.0/22
Allow from 104.16.0.0/13
Allow from 104.24.0.0/14
Allow from 108.162.192.0/18
Allow from 131.0.72.0/22
Allow from 141.101.64.0/18
Allow from 162.158.0.0/15
Allow from 172.64.0.0/13
Allow from 173.245.48.0/20
Allow from 188.114.96.0/20
Allow from 190.93.240.0/20
Allow from 197.234.240.0/22
Allow from 198.41.128.0/17
Allow from 2400:cb00::/32
Allow from 2606:4700::/32
Allow from 2803:f800::/32
Allow from 2405:b500::/32
Allow from 2405:8100::/32
Allow from 2a06:98c0::/29
Allow from 2c0f:f248::/32

And then only rely on the firewall offered by Cloudflare, so that you do all your security configuration in your Cloudflare account.
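
A check that the allowlist in the answer above is actually in effect, as an added example that is not part of the original thread: it scans Apache access-log lines for requests whose peer address is outside the listed Cloudflare ranges and reports any that were served instead of refused with 403. The log lines are constructed samples, the function names are hypothetical, and it assumes the first log field is the connecting peer address (not a visitor IP restored by mod_remoteip or mod_cloudflare).

```python
import ipaddress
import re

# Cloudflare ranges copied from the .htaccess list in the answer above.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in """
103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/13 104.24.0.0/14
108.162.192.0/18 131.0.72.0/22 141.101.64.0/18 162.158.0.0/15 172.64.0.0/13
173.245.48.0/20 188.114.96.0/20 190.93.240.0/20 197.234.240.0/22
198.41.128.0/17 2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32
2405:8100::/32 2a06:98c0::/29 2c0f:f248::/32
""".split()]

# Apache common/combined log prefix: peer ident user [time] "request" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3})')

def is_cloudflare(addr):
    """True if addr (IPv4 or IPv6 string) falls inside a listed range."""
    ip = ipaddress.ip_address(addr)  # raises ValueError for non-addresses
    return any(ip in net for net in CLOUDFLARE_RANGES)

def direct_hits(log_lines):
    """Return (peer, request, status) for requests that bypassed Cloudflare."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line
        try:
            if is_cloudflare(m.group(1)):
                continue
        except ValueError:
            continue  # first field is a hostname, not an address
        hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits

def allowlist_leaks(log_lines):
    """Direct hits answered with anything but 403: the allowlist did not apply."""
    return [h for h in direct_hits(log_lines) if h[2] != 403]

# Constructed sample log lines (documentation addresses for the non-Cloudflare peers).
SAMPLE_LOG = [
    '172.68.10.5 - - [10/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 403 199',
    '198.51.100.23 - - [10/Mar/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 5120',
    '2606:4700:10::1 - - [10/Mar/2024:10:00:04 +0000] "GET /a.css HTTP/1.1" 200 300',
    '2001:db8::9 - - [10/Mar/2024:10:00:05 +0000] "GET / HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for peer, request, status in allowlist_leaks(SAMPLE_LOG):
        print(f"served directly: {peer} {request!r} -> {status}")
```

A non-empty result from `allowlist_leaks` means some virtual host or path is being served without the allowlist applied.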
