NGINX: forward real ip AND only allow cloudflare

Hey CF,

Here’s an issue I’ve been playing with the last couple of hours:

I am using nginx’s real_ip system to forward the actual user IP so they log correctly in the nginx logs. This works fine.

Now I want to add the rules so as to only allow access through Cloudflare and block everything else. I was able to use nginx allow/deny rules to do this, and this works correctly with realip off.

The issue is: if realip is on, then it uses the actual user IP and not Cloudflare’s, which makes it so the blocklist does not work anymore.

Is it possible to use the proxy IP for the blocklist and then forward the actual user IP for logging and the application?

If you are restoring the visitor IP to nginx, then you will not be able to install “block” rules based on the proxy IP - because it will have already been removed.

What you need to do here is add the block for all non-Cloudflare IPs to your server’s network firewall. Contact your hosting provider and they should be able to confirm if this is possible on your specific server.


I am sadly not able to do this, as Hetzner only lets you add 10 FW rules where Cloudflare has more ranges than that. iptables is an option, but I’d prefer to allow other sites on the same IP to not use Cloudflare.

My cheater method (in Apache) might work similarly in NGINX:

I will try that if there’s no good fix for this. It’s still bypassable but not super easy to guess.


Ah…I forgot about this:


Yup, Authenticated Origin Pull allows you to restrict to Cloudflare-only connections to origin at the web server level. See my comments at “Allow Connections from cloudflare IPs only” 🙂
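
An nginx configuration for the Authenticated Origin Pull approach mentioned above, combined with real_ip for logging; this is an added example and not configuration posted by anyone in the thread. The host name, file paths, backend address and the 192.0.2.0/24 range are placeholders, and the CA file is assumed to be the origin-pull CA certificate obtained from Cloudflare.

```nginx
# Added example: values marked "placeholder" or "hypothetical" are assumptions.
server {
    listen 443 ssl;
    server_name example.com;                       # placeholder host name

    # Origin certificate presented to Cloudflare (hypothetical paths).
    ssl_certificate     /etc/nginx/tls/example.com.crt;
    ssl_certificate_key /etc/nginx/tls/example.com.key;

    # Authenticated Origin Pulls: require a client certificate signed by
    # the Cloudflare origin-pull CA. Requests that arrive without a valid
    # one are rejected by nginx before they reach the application.
    ssl_client_certificate /etc/nginx/tls/cloudflare-origin-pull-ca.pem;  # hypothetical path
    ssl_verify_client on;

    # real_ip: restore the visitor address for logs and the application.
    # The header is only trusted when the TCP peer is in a listed range.
    set_real_ip_from 192.0.2.0/24;                 # placeholder; use Cloudflare's published ranges
    real_ip_header CF-Connecting-IP;

    access_log /var/log/nginx/example.access.log;  # hypothetical path

    location / {
        proxy_pass http://127.0.0.1:8080;          # hypothetical backend
        proxy_set_header X-Real-IP $remote_addr;   # visitor IP after the real_ip rewrite
    }
}
```

Because the restriction rests on the client certificate rather than on `allow`/`deny`, it keeps working after real_ip has replaced the proxy address with the visitor address.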
