How do I prevent user using Cloudflare IP address to access my website?

Hello Cloudflare Community,

I have a running wordpress website, which only serve a particular country and I have blocked all country except 1 country. However, I’m still receiving spams access to my website. The bot is using cloudflare IP Address instead of my domain name, hence my domain WAF keep on blocking from the Bot.

I tried banning the IP from spamming me, seems that it change its IP address from china to netherlands and still able to spam access.

Any idea or suggestions to able to resolve this issue?

Thanks

That is not possible. All requests through Cloudflare have to use a proper hostname.

What is the domain and did you make absolutely sure requests cannot go around Cloudflare and directly to your server?

Oops Look likes I have some mistake in my side.

I should rephrase my question again.

I have hide my server IP address via Cloudflare, Somehow someone able to find out my actual IP address and keep on spamming on my server. The Bot kept on access my server instead of domain name like
111.111.111.111/asdasd
111.111.111.111/php_myadmin
111.111.111.111/5555

and etc.

All the firewall/page I made seems not working towards such issue.

Any Suggestion regarding on this?

You need to configure your server on a network firewall level to only accept connections from the Cloudflare IP addresses listed at cloudflare.com/ips

Hi Sandro,

What I need to do using UFW is to deny all connections, and only accept these IP address list?

Presumably yes.

Alright, let me give it a try. Sound like a feasible solution.

Thanks for the advice!

Ok I have tried using this method,

UFW deny all 80/tcp
UFW deny all 443/tcp

ufw allow (cloudflare ip address) for both 80 and 443

and my website unable to access. Any idea what’s the right way to implement this rule?

You best take this to StackExchange and alike. Firewall configuration is a bit beyond the scope of the forum.

OK the right way is to deny incoming by default and just allow cloudflare ip address.

the ufw deny all is a wrong rule in this situtation,

Now visitors unable to access my website with ip address and weird url,

Thanks for the help!

Use the following for this.

This topic was automatically closed after 30 days. New replies are no longer allowed.