Htaccess Rules to Block Non CF Requests

Can anybody provide .htaccess rules to block all incoming request not from Cloudflare ips?

Just for the sake of good order, Deny is a deprecated directive. Require should be used instead.

Is this correct?

<IfModule mod_authz_core.c>
Require method GET POST HEAD

Require all denied
Require ip 103.21.244.0/22
Require ip 103.22.200.0/22
Require ip 103.31.4.0/22
Require ip 104.16.0.0/12
Require ip 108.162.192.0/18
Require ip 131.0.72.0/22
Require ip 141.101.64.0/18
Require ip 162.158.0.0/15
Require ip 172.64.0.0/13
Require ip 173.245.48.0/20
Require ip 188.114.96.0/20
Require ip 190.93.240.0/20
Require ip 197.234.240.0/22
Require ip 198.41.128.0/17
Require ip 2400:cb00::/32
Require ip 2405:b500::/32
Require ip 2606:4700::/32
Require ip 2803:f800::/32
Require ip 2c0f:f248::/32
Require ip 2a06:98c0::/29
</IfModule>

I would be tempted to say yes, generally it looks okay, but I havent tried it. If possible I’d actually rather do that on a system firewall level than on HTTP level.

Have you tried if you can access your site from outside these IP ranges? If e.g. you cannot access it directly but only via Cloudflare it would appear as if it worked.

How to test site access from outside CF IP ranges?

From your own workstation going straight for your server, bypassing the Cloudflare proxy.

The hosts file for example could help you in this case.

Not working.

How to block requests not containing http headers CF-RAY and CF_CONNECTING_IP using .htaccess?

Better way would be to block all non Cloudflare traffic on your hosts firewall.

This topic was automatically closed after 30 days. New replies are no longer allowed.