I’ve just enabled Pro on my domain in order to use Spectrum for SSH. Works well so far, save one small detail. It requires that I open up port 22 to the world. Ick. Is the correct answer to whitelist the CF IPs found at IP Ranges? Is there an automated means to keep that list up to date automagically?
This is really why I asked about Spectrum → Argo yesterday. 
Found the API Cloudflare API Documentation, so that question is answered.
[edit] For the record, I’m drilling into this because my logs got hammered the past 24 hours with unauthorized SSH attempts. Which, really defeats the purpose of Spectrum if attackers can still go VFR direct to the IP
Now, I just need to know if that’s what expected when using Spectrum.
Those IP addresses haven’t changed for as long as I can remember, so I wouldn’t bother with the API unless something stops working.
Just a quick update on this. My gateway is an OpenWRT box, so I created a custom /etc/firewall.user script like so:
WHITELIST=$(sed 's/#.*//' /etc/firewall.d/cloudflare_ipv4.txt)
# do the DNAT
iptables -t nat -A zone_wan_prerouting -p tcp --dport 22 -j DNAT --to 10.16.5.10:22
iptables -I zone_wan_forward 2 -p tcp --dport 22 -j DROP
# do the whitelist
for IP in ${WHITELIST}; do
iptables -I zone_wan_forward 2 -p tcp -s $IP --dport 22 -d 10.16.5.10 -j zone_lan_dest_ACCEPT
done
where 10.16.5.10 is the git+ssh server.
Unfortunately, I’ve had to do it this way instead of pulling the list each time because I’ve had to remove three IP ranges from the list so far. Tons of scans getting through even though these IP ranges are all supposedly owned by CF. (?!)
The really crappy part is that one of the IP ranges I had to delete contained legit CF hosts as I can no longer SSH in via Spectrum.
I have a support ticket in to CF about this. Hopefully they’ll update their list of owned IP ranges.