List of Cloudflare IP addresses so that I can exclude it from my website

Hi all. Hope you’re doing well.

I have this web app which takes in a visiting user’s IP address and let him do tasks. But after installing CF to my website, I am only getting CF’s IP and not my user’s. Now if CF’s IP was static, then I could just exclude it in my backend but apparently it is not and keeps changing. So I need a list of all the IP addresses which belongs to CF so that I can exclude all of it in the backend and use my user’s one instead.

I have found a list in this link but I need a list of each of the IPs in that list. But there’s a ‘/22’ at the end which is confusing me. If you look at the first IP address in that link, you will see this one ‘’. Does it mean CF has IP addresses from ‘’ to ‘’ ?? I looked online for that ‘/22’, but it went over my head. Too damn confusing.

If someone could provide me a list of the IPv4 address. It would be a big help.

Thanks and best regards.

That’s a CIDR notation

You primarily need to rewrite the IP address though → Restoring original visitor IPs – Cloudflare Help Center

In that context the list of Cloudflare addresses is rather secondary and more related to which connections you accept, respectively when to rewrite addresses.


Hi. Thanks so much for your reply.

Based on the link (to restore original visitor IP) you provided, I’m not sure I understand it fully. My website is NodeJS-Express app which is deployed to cPanel’s shared hosting and I don’t have access to modify the server.

The reason I needed all the IP addresses is so that I can put them in a file in my app. And with every request to the server, my app will just compare all the IP addresses in the file with all the IP addresses in the request header. Then only take the one which doesn’t match (assuming that it is the user’s IP) and use it for the user’s tasks.

But I am just unable to do that because the IP addresses I want to put in a file has to be actual IP address and not with slashes (which are CIDR notations as you mentioned).

Any suggestions?

Thanks and best regards.

Are you tunnelling requests straight to your NodeJS code or is there an Apache in front?

By apache do you mean Nginx or something? Then no. It’s just a simple Nodejs app with Express as its framework. It’s on cPanel shared hosting and whatever cPanel’s Nodejs is running on. Sorry I don’t have that much knowledge in this.

So the Cloudflare proxies connect directly to your NodeJS application?

In that case you will have to rewrite the IP addresses manually in your code.

  1. Check the the request actually came from Cloudflare by matching the IP address of the request against the list you already found.
  2. Then, if it really came from Cloudflare, overwrite the IP address in your subsequent logic with the value from the HTTP header CF-Connecting-IP provided by Cloudflare.
1 Like

I think so. Yes.

Yes this is what I want to do. But suppose if a request came with CF’s IP address (which is in the list) then the next request CF IP would have different last digits. For example: ( which is not in the list). That’s why I wanted all the available CF IP addresses.

Yes. This is what I did before. But it isn’t working anymore. Here’s the code:

const clientIP = req.header('x-forwarded-for').split(',')[1] || req.header('cf-connecting-ip');

And yes, the requests always come through CF.

Yes, requests can come from all these addresses and they are in the list you already found. You should also check out the link I already posted of course :wink:

I am afraid, development related questions would be beyond the scope of the forum, StackOverflow will be better here. But I’d only use CF-Connecting-IP and only if the request came from Cloudflare as explained earlier.

They are. It matches the first 3 blocks of digits. The last block of digits doesn’t match with the request header.

But I’ll give it another try. And I’ll update here later on.

Thanks for your time mate.

Forget about the blocks. They are just a grouping and are not really of any relevance in this context. CIDR will explain everything.

Okay. I’ll give it second read then. Thanks

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.