Deny All IPs Except Cloudflare to my Origin Server


I am looking to deny all IPs on my origin and to allow only Cloudflare IPs, in order to protect my public IPs hidden behind Cloudflare. Is it a good practice, or is there any other way to do that? I have found a list of Cloudflare IP ranges, but this might change at any time. What would be the best way to disallow hackers from attempting to reach my origin servers' public IPs directly? I have enabled “Authenticated Origin Pulls”; is this enough? Would it do the job?

I would appreciate any recommendation.

Yes. Ideally deployed on a firewall or via iptables.
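One way to implement the iptables allowlist this answer suggests, as an added example that is not from the thread: a small POSIX sh script that turns a list of CIDR ranges into an iptables chain that accepts only those sources on ports 80/443 and drops everything else, and that can be re-run when the published ranges change (Cloudflare serves its current ranges at www.cloudflare.com/ips-v4 and ips-v6). The ranges embedded below are constructed documentation addresses, not the real Cloudflare list, so the script runs offline and only prints the rules rather than applying them.

```shell
#!/bin/sh
# Added example (not from the original thread). Emits iptables commands that
# allow web traffic only from the given ranges. Feed it the current published
# Cloudflare list and re-run on a schedule so stale ranges are dropped.

# Constructed sample ranges (RFC 5737 test networks, NOT the real Cloudflare list).
SAMPLE_RANGES='203.0.113.0/24
198.51.100.0/24
# comment lines are ignored
192.0.2.0/25'

# Reads CIDRs from stdin and prints the iptables commands for chain $1
# (default CF_ORIGIN). The chain is flushed first so a refresh replaces, rather
# than appends to, the previous allowlist.
cf_rules() {
    chain="${1:-CF_ORIGIN}"
    printf 'iptables -N %s 2>/dev/null\n' "$chain"
    printf 'iptables -F %s\n' "$chain"
    while IFS= read -r cidr; do
        case "$cidr" in ''|\#*) continue ;; esac
        # Reject anything that is not digits, dots and a slash (basic a.b.c.d/n shape).
        case "$cidr" in
            *[!0-9./]*|*/) echo "skipping invalid entry: $cidr" >&2; continue ;;
        esac
        printf 'iptables -A %s -s %s -j ACCEPT\n' "$chain" "$cidr"
    done
    # Default deny for every other source reaching the web ports.
    printf 'iptables -A %s -j DROP\n' "$chain"
    # Hook the chain into INPUT only if the jump is not already present.
    printf 'iptables -C INPUT -p tcp -m multiport --dports 80,443 -j %s 2>/dev/null || ' "$chain"
    printf 'iptables -I INPUT -p tcp -m multiport --dports 80,443 -j %s\n' "$chain"
}

# Number of ACCEPT rules a list would produce; useful as a sanity check before
# applying (a refresh that yields zero rules would lock Cloudflare out too).
cf_rule_count() {
    printf '%s\n' "$1" | cf_rules 2>/dev/null | grep -c -- '-j ACCEPT' || true
}

# Review the output, then apply it as root, e.g. `... | cf_rules | sh`.
printf '%s\n' "$SAMPLE_RANGES" | cf_rules
```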

You should use customer provided certificates for AOP for the best protection.

By using a Cloudflare Tunnel. Doing this essentially means that your webserver does not listen on a public facing address, so there is no way for an attacker to get to the Origin.

Detailed information on protecting your Origin is available here:

