Origin Access From CloudFlare Only

What is the name of the domain?

What is the error number?

403

What is the issue you’re encountering?

I would like to set up my origin to allow access only from Cloudflare

What steps have you taken to resolve the issue?

I had previously been having issues with redirects and SSL 525, so I started over and the 525 has gone away. My site does appear to be proxied through Cloudflare, but I don’t understand the following.

https://cf.sjr.dev/tools/check?5322be1b890d49f994c91024673b58e8 shows that the connections to the site fail from a Cloudflare worker. I put specific rules using from Cloudflare’s IP list in .htaccess for testing purposes, but that broke all site access with a 403.

I would like to understand how to ensure all traffic goes through Cloudflare. I’m new to Cloudflare and feel like I might be missing some concepts. I have read the appropriate tutorials and expert guidance, but I’m a bit stuck.

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full (strict)

Screenshot of the error

Either you can:

Or you can use a Cloudflared tunnel, so there is no need to open ports to the public Internet:

Make sure to configure your Web server to listen on both port 80 and 443, or on some other port that is compatible with and supported by the Cloudflare proxy :orange:, as listed in the article below:

Nevertheless, please double-check your SSL certificate at the origin host and adjust the SSL/TLS option at Cloudflare dashboard accordingly.

  1. Use the “Pause Cloudflare on Site” option from the Overview tab for your domain at dash.cloudflare.com.
  2. The link is in the lower right corner of that page.
  3. Give it five minutes to take effect, then make sure the site is working as expected over HTTPS without any error.
  4. Check with your hosting provider / Plesk panel / cPanel AutoSSL / Let’s Encrypt / ACME / Certbot and manually click to renew it.
  5. Only then, when your website responds over HTTPS, should you un-pause Cloudflare and double-check your SSL/TLS setting to make sure it’s set to Full (Strict).

If you cannot, generate and install a Cloudflare Origin CA certificate on your Nginx web server on the local machine → Origin CA certificates · Cloudflare SSL/TLS docs (recommended to solve the errors you’re experiencing and to have end-to-end encryption). Go here: https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/configuration. Select Custom and not Automatic. Reference: Introducing Automatic SSL/TLS: securing and simplifying origin connectivity. Double-check your SSL/TLS setting to make sure it’s set to Full (Strict).

I’d suggest you double-check Security → Events in the Cloudflare dashboard under your Cloudflare account for your zone, or via the direct link https://dash.cloudflare.com/?to=/:account/:zone/security/events.

You should be able to see the challenged or blocked event under the Security tab → Events at Cloudflare dashboard for your zone and know exactly which security option was triggered.

Once you find them, click on a particular one to see more details about it (user-agent, IP, HTTP version …). If so, could you share some details about which service was triggered that blocked you?

First things first: follow the instructions from the 1st article to lock your Web server so that only Cloudflare IPs can connect, use Full (Strict), and proxy :orange: your DNS records.

I have followed the documentation at Cloudflare IP addresses · Cloudflare Fundamentals docs and added the IP addresses to .htaccess like: Require ip 173.245.48.0/20 (for all ranges). Cloudflare tunnel may be an option in the future, but right now I need to stick to the basics.

I paused Cloudflare and was able to connect successfully via HTTPS. I re-enabled Cloudflare and am able to connect to the site via my browser. The test at https://cf.sjr.dev/tools/check?6776837cb2764e9eb4d334e04599e047 still shows that access from a Cloudflare worker does not work properly. What is interesting is that I don’t see any events in the security events section.

I did see some Browser Integrity Check errors over the last 24 hours, but they appear unrelated. I tested disabling Browser Integrity Check and it did not make a difference.

I also tested Full vs. Full (Strict) and this did not make any difference.

To summarize, the proxying seems to be working with end-to-end SSL. What I am particularly interested in however is forcing all traffic to go through Cloudflare. I suppose it is a reasonable assumption that the general public will always access via Cloudflare, but it would be ideal to have the origin not accessible to anything but Cloudflare.
