Can anybody provide .htaccess rules to block all incoming requests not from Cloudflare IPs?
Just for the sake of good order,
Deny is a deprecated directive.
Require should be used instead.
Is this correct?
Require method GET POST HEAD
Require all denied
Require ip 220.127.116.11/22
Require ip 18.104.22.168/22
Require ip 22.214.171.124/22
Require ip 126.96.36.199/12
Require ip 188.8.131.52/18
Require ip 184.108.40.206/22
Require ip 220.127.116.11/18
Require ip 18.104.22.168/15
Require ip 22.214.171.124/13
Require ip 126.96.36.199/20
Require ip 188.8.131.52/20
Require ip 184.108.40.206/20
Require ip 220.127.116.11/22
Require ip 18.104.22.168/17
Require ip 2400:cb00::/32
Require ip 2405:b500::/32
Require ip 2606:4700::/32
Require ip 2803:f800::/32
Require ip 2c0f:f248::/32
Require ip 2a06:98c0::/29
I would be tempted to say yes, generally it looks okay, but I haven't tried it. If possible I'd actually rather do that on a system firewall level than on HTTP level.
Have you tried if you can access your site from outside these IP ranges? If e.g. you cannot access it directly but only via Cloudflare it would appear as if it worked.
How to test site access from outside CF IP ranges?
From your own workstation going straight for your server, bypassing the Cloudflare proxy.
The hosts file for example could help you in this case.
How to block requests not containing HTTP headers CF-RAY and CF_CONNECTING_IP using .htaccess?
A better way would be to block all non-Cloudflare traffic on your host's firewall.
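How Apache 2.4 combines the flat list of Require lines posted above, next to a nested form that enforces both the method and the source range, as an added example that is not part of the original thread. The two ranges are documentation placeholders standing in for the Cloudflare ranges in the post, and the layout assumes AllowOverride AuthConfig is in effect for the directory.

```apache
# --- Flat list, as in the post ------------------------------------------
# Bare Require lines in one section are implicitly wrapped in <RequireAny>:
# access is granted as soon as ANY single line matches.
# "Require method GET POST HEAD" matches every GET/POST/HEAD request from
# any address, and "Require all denied" inside a RequireAny is only a
# non-match, so it cannot veto the method line.
#
#   Require method GET POST HEAD
#   Require all denied
#   Require ip 192.0.2.0/24        # placeholder range

# --- Nested form: method AND (one of the proxy ranges) ------------------
# No "Require all denied" here: inside <RequireAll> it would reject
# every request. Anything that matches no range is refused with 403.
<RequireAll>
    Require method GET POST HEAD
    <RequireAny>
        # Placeholders (RFC 5737 / RFC 3849 documentation ranges).
        # Replace with one "Require ip" line per published proxy range.
        Require ip 192.0.2.0/24
        Require ip 2001:db8::/32
    </RequireAny>
</RequireAll>
```

If mod_remoteip is enabled to restore visitor addresses from a proxy header, Require ip is evaluated against the restored address rather than the connecting proxy, so these rules belong on a server that sees the proxy address.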