Http://www.cloudflare.com/ips-v4 redirects to HTTPS

The http://www.cloudflare.com/ips-v4 endpoint now redirects to httpS://www.cloudflare.com/ips-v4 and this broke my script that fetched this file with wget that doesn’t have TLS enabled.

I am using CF as a proxy to a web site hosted on a very limited router with OpenWrt.
Since the router has only 4mb of storage I didn’t install https/tls libraries. The HTTPS termination is done on the CF side but then it is just proxied to the router via plain HTTP.
I blocked all requests to port 80 except from CF IP addresses. The list of IPs is fetched by wget and then added to iptables. Everything worked, but about two months ago wget started to fail on downloading because CF switched the endpoint to HTTPS.
Is this a temporary problem or should we use https forever now?

The file was always available by https, but we were also able to download it by raw http. Users might choose which protocol to use. The change has already broken my website, so at least for me this is a problem. But I agree that my case is exceptional; at the same time, maybe some other users are affected. For example, some old web server has an outdated CA and can’t establish a TLS connection.
TLS is still often a problem, especially for embedded devices. For example, BusyBox wget doesn’t make a certificate check.

I don’t need HTTPS for the CF-router connection because the site has nothing except some static content. It doesn’t even store any cookies. If my provider wants to eavesdrop on the content, this is not a big deal in my case.

You definitely did not understand what I’m talking about. The problem is not with my website; the problem is that the IP list on CF switched to https.
And this is a breaking change.

TLS support has been the default for wget for ages, and you should really think about upgrading your operating system.

Try

wget --no-check-certificate https://.....

This might help.

Use man wget for more command line options.
In case I missed it: upgrade your OS :wink:

From my point of view http should be disabled everywhere.

1 Like

Yeah. I think I was misled by

Thought this was the case here.

1 Like

You could try a CF worker that proxies the https://www.cloudflare.com/ips-v4 url and then have wget query the CF worker route over a non-https connection.

1 Like

Thank you for your responses. As I said, this is a problem for limited devices with only 4mb of memory. It uses OpenWrt wget (uclient-fetch), which is just a simulator of GNU wget. Other devices may use BusyBox wget, which is also another replacement.
If anyone is interested, here is my script that downloaded the IP list:

I’ll just keep the IP list block disabled and I’ll allow anyone from the internet to access my port 80.

1 Like
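
One way to harden the fetch-then-allowlist step discussed in this thread (an added example, not the original poster's script and not Cloudflare code): validate the downloaded file before it replaces the last good list, so an empty or non-list download never reaches iptables and the previous allowlist stays enforced. The chain name `CF_HTTP`, the `MIN_PREFIX` bound and the file arguments are assumptions, and the rules are printed rather than executed.

```shell
#!/bin/sh
# Added example (not from the thread). Chain name, MIN_PREFIX and the
# file arguments are assumptions; rules are printed, not executed.
CHAIN="CF_HTTP"   # hypothetical iptables chain, assumed to be hooked from INPUT
MIN_PREFIX=8      # assumed sanity bound: refuse ranges as broad as 0.0.0.0/0

# Succeed only if every line of file $1 is an IPv4 CIDR such as 198.51.100.0/24.
valid_cidr_list() {
    list=$1
    [ -s "$list" ] || return 1                 # missing or empty download
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ""|*[!0-9./]*|*./*) return 1 ;;    # blank line, HTML body, CRLF, ...
        esac
        ip=${line%/*}; prefix=${line#*/}
        [ "$ip/$prefix" = "$line" ] || return 1    # exactly one "/"
        old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
        [ $# -eq 4 ] || return 1
        for n in "$@" "$prefix"; do
            case "$n" in ""|*[!0-9]*|????*) return 1 ;; esac
        done
        for n in "$@"; do [ "$n" -le 255 ] || return 1; done
        [ "$prefix" -ge "$MIN_PREFIX" ] && [ "$prefix" -le 32 ] || return 1
    done < "$list"
    return 0
}

# Promote candidate $1 to last-good file $2 only when it validates;
# on failure the previous allowlist stays in force (fail closed).
accept_list() {
    valid_cidr_list "$1" || return 1
    cp "$1" "$2"
}

# Print the iptables commands that rebuild the chain from list $1.
emit_rules() {
    echo "iptables -F $CHAIN"
    while IFS= read -r cidr; do
        echo "iptables -A $CHAIN -p tcp --dport 80 -s $cidr -j ACCEPT"
    done < "$1"
    echo "iptables -A $CHAIN -p tcp --dport 80 -j DROP"
}
```

Download to a temporary file, call `accept_list` on it, and apply the output of `emit_rules` for the last-good file; when the download fails, the rules from the previous run remain in place.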