Router port forwarding only for Cloudflare incoming requests

I am currently setting up a server using Cloudflare to proxy requests.
Everything works as intended; however, I am worried because one might scan IP ranges and access my server without going through my domain name that uses Cloudflare.

Currently on my router I am forwarding ports 80 and 443 for every source to my server. I think I have 2 solutions:

  • Forward only for specific source IPs (Cloudflare IPs)
  • Accept only connections on the nginx server from the Cloudflare IPs

The first solution might be better, but I’m wondering in both cases how to get the Cloudflare IPs. Do I have to take the IP I get when checking the A records?

You need to allow these… (you can choose just IPv4 if you just have A records, or just IPv6 if just AAAA records, but you need to allow all of them within the chosen protocol).
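
Added example, not part of the original thread or of Cloudflare's own tooling: a Python sketch that turns a one-CIDR-per-line range list into an nginx `allow` / `deny all;` snippet, filtered to IPv4 or IPv6 as the reply above describes. The function names are hypothetical and the sample ranges are constructed documentation prefixes, not real Cloudflare ranges.

```python
import ipaddress

# Constructed sample input: documentation-only prefixes standing in for the
# provider's published range list (one CIDR per line). Not real Cloudflare ranges.
SAMPLE_RANGES = """\
192.0.2.0/24
198.51.100.0/24
# comment lines and blanks are skipped

2001:db8::/32
"""

def parse_ranges(text, versions=(4, 6)):
    """Return validated networks from a CIDR-per-line list, filtered by IP version."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)
        except ValueError as exc:
            # Fail closed: a malformed list must not silently become a config.
            raise ValueError(f"line {lineno}: {exc}") from None
        if net.prefixlen == 0:
            raise ValueError(f"line {lineno}: refusing catch-all {net}")
        if net.version in versions:
            nets.append(net)
    if not nets:
        raise ValueError("no usable ranges; refusing to emit an empty allowlist")
    return nets

def nginx_allowlist(nets):
    """Render nginx access-module directives: allow each range, then deny the rest."""
    lines = [f"allow {n};" for n in sorted(nets, key=lambda n: (n.version, n))]
    return "\n".join(lines + ["deny all;"]) + "\n"

def is_admitted(addr, nets):
    """True if a connecting source address falls inside any allowed range."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in nets)

if __name__ == "__main__":
    # IPv4 only, as for a zone that publishes just A records.
    print(nginx_allowlist(parse_ranges(SAMPLE_RANGES, versions=(4,))))
```

The output is meant to be included in the nginx `server` block and regenerated whenever the published range list changes.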


You could also use a Cloudflare tunnel. That way, you would not need to open any ports.


I read about these but I’m afraid this adds complexity. Are there any downsides?

They aren’t quite as easy to set up for some people, and there’s overhead due to running the tunnel that lowers bandwidth, as well as adding a bit more load. Minor things that will only really worry you if the site is busy or bandwidth/CPU constrained.

Forgot to say, unless you have a need to deliver content over HTTP on port 80, you don’t need to forward that on your router. Redirection to HTTPS can be done on Cloudflare by switching on “Always use HTTPS”, keeping the origin configuration simpler.


If you use Let’s Encrypt on your server with an HTTP-01 ACME challenge, you need port 80. Options to avoid that include using a DNS-01 challenge or a Cloudflare Origin CA certificate.
