Limit requests to my AWS EC2 instance to CloudFlare only IPs

I have a question related to configuring an AWS EC2 instance so that it only accepts requests from CloudFlare IPs.

I’m currently using Cloudflare DNS in Proxied mode to resolve a request to the public IP address of the AWS EC2 instance. In server logs I see a client’s IP (i.e. the IP of the machine from which the browser makes the request) and not CloudFlare’s IP. This means I’m not able to differentiate between requests that are reaching my server via CloudFlare vs those that come as direct IP access.

I don’t understand exactly if CloudFlare also delivers information on proxy IP to the EC2 instance via some header or only delivers the IP of the client. Is there some way that allows me to have access to both on the EC2?

If that’s not possible, how do I ensure that all access to my AWS EC2 instance is forced to go through Cloudflare and direct IP access is not possible?

If these requests really came via Cloudflare, that would suggest something is already rewriting the address on a web server level.

Cloudflare does not deliver any such information as the address of the client will already be the proxy address, that’s standard TCP handling.

Precisely, the address of the original client is part of the header, whereas the proxy address is the standard client address.

You’ll need to make sure, on a network level, that you only accept connections from Cloudflare’s addresses. As for the how, I am afraid I’d have to refer you to an Amazon specific forum as that would be beyond the scope of the forum here.

So would it be correct to say that the behaviour of Cloudflare in Proxied DNS mode is that of a standard reverse proxy? I’m trying to read up more info on the details of how it operates. Also, is it correct to assume this is Layer 7 behaviour?


The proxies simply establish a connection to your server, “replay” the request, and add the original client address as a header.
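An added example (not from this thread, nor Cloudflare's or AWS's own code) in Python that turns Cloudflare's published CIDR lists into a security-group ingress payload and honours the client-address header only when the TCP peer really is a Cloudflare edge. The header name CF-Connecting-IP, the list URLs and the boto3 IpPermissions shape are assumptions from outside the thread; the embedded CIDRs are a constructed sample in the format of the published lists.

```python
"""Restrict an EC2 security group to Cloudflare's published edge ranges and
trust CF-Connecting-IP only when the TCP peer is one of those edges.

Hypothetical helper (not Cloudflare's or AWS's own code). Assumptions: the
live ranges come from https://www.cloudflare.com/ips-v4 and /ips-v6 (one
CIDR per line); the rule payload matches boto3's
ec2.authorize_security_group_ingress(IpPermissions=...) shape.
"""
import ipaddress

# Constructed sample in the format of Cloudflare's published lists; fetch the
# live lists before applying rules, because they change over time.
SAMPLE_IPV4 = "173.245.48.0/20\n103.21.244.0/22\n104.16.0.0/13\n"
SAMPLE_IPV6 = "2606:4700::/32\n"

def parse_ranges(text):
    """Turn one-CIDR-per-line text into network objects, skipping blank lines."""
    return [ipaddress.ip_network(l.strip()) for l in text.splitlines() if l.strip()]

def ingress_permissions(nets, port=443):
    """Build the IpPermissions list admitting only `nets` on TCP `port`."""
    v4 = [{"CidrIp": str(n), "Description": "Cloudflare edge"} for n in nets if n.version == 4]
    v6 = [{"CidrIpv6": str(n), "Description": "Cloudflare edge"} for n in nets if n.version == 6]
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": v4, "Ipv6Ranges": v6}]

def client_ip(peer_addr, headers, trusted_nets):
    """Return (address to log/authorize against, whether it came via Cloudflare).

    The TCP peer (what the socket reports) is the proxy's address. Only when
    that peer is inside a Cloudflare range is CF-Connecting-IP honoured; a
    direct hit that forges the header keeps its real peer address."""
    peer = ipaddress.ip_address(peer_addr)
    lowered = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    if any(peer in n for n in trusted_nets):
        forwarded = lowered.get("cf-connecting-ip")
        if forwarded:
            return ipaddress.ip_address(forwarded), True
    return peer, False

if __name__ == "__main__":
    nets = parse_ranges(SAMPLE_IPV4) + parse_ranges(SAMPLE_IPV6)
    perms = ingress_permissions(nets)
    # Apply with: boto3.client("ec2").authorize_security_group_ingress(GroupId="sg-PLACEHOLDER", IpPermissions=perms)
    print(perms)
    print(client_ip("104.16.1.1", {"CF-Connecting-IP": "198.51.100.7"}, nets))   # via Cloudflare
    print(client_ip("203.0.113.5", {"CF-Connecting-IP": "198.51.100.7"}, nets))  # direct, header ignored
```

The security group closes the direct path at the network level; the peer check is the belt-and-braces part that keeps a forged header from being trusted if a rule is ever misapplied.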

