I noticed that some users/spammers on my website are using Cloudflare IPs to spam comments and circumvent some of my security algorithms.
Is that normal? Can I block these IPs without blocking Cloudflare's system? How do they use it?
I use nginx and I correctly set the “real IP” headers so I don’t think it comes from there.
A lot of legitimate users use WARP. If the IP ranges happen to overlap with Cloudflare’s share of iCloud Private Relay traffic (which is similar to WARP and partly handled by Cloudflare), that would be even worse, as a lot of iOS and Mac users will be there.
In general you need to allow access to your origin server from these IP ranges. If your problem is that these users are connecting through your normal Cloudflare proxy like anyone else, I would recommend looking for a different solution, as what you have in mind will cause a lot of collateral damage.
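Before blocking anything, it helps to know which of the situations in this thread a request is in. The following is an added example, not code from any poster: it compares the socket peer with the `CF-Connecting-IP` value for each request. The function names, labels and sample records are constructed, and the range list is assumed to be a small subset of Cloudflare's published list.

```python
import ipaddress
from collections import Counter

# Assumption: a few entries from Cloudflare's published proxy ranges. In real
# use, load the full current list from https://www.cloudflare.com/ips/.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "162.158.0.0/15", "172.64.0.0/13", "2606:4700::/32",
)]

def in_cloudflare(addr):
    """True if addr parses as an IP inside one of the listed ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip.version == n.version and ip in n for n in CLOUDFLARE_NETS)

def classify(peer, cf_connecting_ip):
    """peer: TCP peer seen by the origin; cf_connecting_ip: raw header value."""
    if not in_cloudflare(peer):
        # Request bypassed the proxy, so the header is attacker-controlled.
        return "direct-to-origin"
    try:
        ipaddress.ip_address(cf_connecting_ip)
    except ValueError:
        return "proxied-bad-header"
    if in_cloudflare(cf_connecting_ip):
        # The visitor's own address is in a Cloudflare range; blocking it
        # hits every other visitor sharing that address.
        return "client-on-cloudflare-range"
    return "proxied-normal"

def summarize(records):
    return Counter(classify(peer, hdr) for peer, hdr in records)

# Constructed sample records: (socket peer, CF-Connecting-IP header)
SAMPLE = [
    ("162.158.10.20", "203.0.113.7"),
    ("172.68.1.1", "104.17.5.9"),
    ("198.51.100.23", "104.17.5.9"),
    ("162.159.1.1", "not-an-ip"),
]

if __name__ == "__main__":
    for label, count in summarize(SAMPLE).items():
        print(f"{label}: {count}")
```

A large `direct-to-origin` count points at requests reaching the origin without the proxy, which is a firewall problem rather than something to solve by blocking Cloudflare addresses.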