Prevent Users Bypassing Cloudflare To Access My Site

How can I prevent malicious users, hackers, from bypassing Cloudflare to get to my site? I’m assuming a hacker is smarter than me and can do this.

Currently I plan to point to my load balancer hosted in AWS, which has a public DNS entry. Can a malicious user find out my AWS endpoint and bypass Cloudflare to attack my website? If so, how can I prevent this?

You can simply use the :orange: cloud mode.

Note that Cloudflare is not intended to hide the IP address of your origin server.

What you can do is to allowlist traffic coming from Cloudflare’s IP addresses and reject other IPs at the AWS Management Console. That way, only visitors coming from Cloudflare can access your origin server. Rate limiting would also help to protect your endpoint.

No, as long as you don’t reveal it to the public. That’s why a website that migrates to Cloudflare due to previous attacks should change the server IP.
For average websites, just updating software ASAP is the best practice to remain secure.


It is a good practice to block all other IPs except CF ones. Using this tool, someone can find your IP even behind CF by using Internet-wide scan data from Censys to find exposed IPv4 hosts presenting an SSL certificate associated with the target’s domain name.


Thanks for sharing this information. There really ought to be a doc on Cloudflare about setting up bypass prevention. It seems like they’re only recommending whitelisting their IPs but not mentioning anything about blocking all others. I have another server that uses Sucuri’s WAF and ended up following their guide on bypass prevention but inserting the Cloudflare IPs instead. :rofl:
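The allowlist discussed in this thread only prevents bypass if no other source is allowed on the web ports. The following is an added example, not code from any poster or from Cloudflare: it audits an AWS security group (in the JSON shape returned by `aws ec2 describe-security-groups`) for ingress rules on 80/443 that admit sources outside Cloudflare's ranges. The function names, the hard-coded subset of Cloudflare ranges and the sample group are assumptions made for the example.

```python
import ipaddress

# Subset of Cloudflare's published ranges, hard-coded so the example runs offline.
# Assumption: a real audit loads the current full list that Cloudflare publishes.
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13",
    "172.64.0.0/13", "2606:4700::/32",
)]
WEB_PORTS = {80, 443}

def covers_web_port(rule):
    """True if the rule's protocol and port range include 80 or 443."""
    if rule.get("IpProtocol") == "-1":      # all protocols, all ports
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return any(lo <= p <= hi for p in WEB_PORTS)

def inside_cloudflare(cidr):
    """True if the whole CIDR lies inside one of the Cloudflare ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == cf.version and net.subnet_of(cf)
               for cf in CLOUDFLARE_RANGES)

def find_bypass_rules(security_group):
    """Return (from_port, to_port, cidr) for every web-port source outside Cloudflare."""
    findings = []
    for rule in security_group.get("IpPermissions", []):
        if not covers_web_port(rule):
            continue
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        findings += [(rule.get("FromPort"), rule.get("ToPort"), c)
                     for c in sources if not inside_cloudflare(c)]
    return findings

# Constructed sample security group; not taken from a real account.
SAMPLE_GROUP = {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "173.245.48.0/20"}, {"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "104.16.0.0/14"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
]}

if __name__ == "__main__":
    for lo, hi, cidr in find_bypass_rules(SAMPLE_GROUP):
        print(f"ports {lo}-{hi}: {cidr} can reach the origin without Cloudflare")
```

Security groups deny by default, so "blocking all others" here means removing every flagged allow rule rather than adding a deny rule.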