WAF is not working on client end

What is the issue you’re encountering

Hi Cloudflare Team, we have migrated our domain and all DNS records from GoDaddy to Cloudflare and purchased the Pro plan for WAF. Our clients are primarily banks, and they have allowlisted our server IPs to access the URL, as only allowlisted IPs are allowed within the bank network. There is no blocking configured from our end.

The issue is that when we enable Cloudflare WAF (Proxied) for the subdomain, the URL stops working. However, it works fine when we disable the Proxied option. I understand that Cloudflare WAF does not function without being proxied.

To resolve this, I have:

- Allowlisted the client IPs in the IP WAF rule and allowed the client IP for all websites.
- Created a new firewall custom rule with the following configuration:
  - Field: IP Source Address
  - Operator: is in
  - Value: Client IP
  - Action taken: Skip
  - Enabled "log matching request" (WAF component to skip) and ticked all rate-limiting rules.

Despite these configurations, the issue persists. It appears that the problem is related to the Cloudflare proxied IP, as traffic is getting stuck and not connecting to our server IP. Please suggest how we can implement WAF with Cloudflare while allowing our clients to connect seamlessly.

What is the current SSL/TLS setting?

Full

I’m a bit confused about the direction of the requests as…

refers to requests going into the banks, but your WAF rules are related to requests coming into your domain from outside.

Assuming these are requests coming in to your domain, check your security event log for the reason the request is being blocked here…
https://dash.cloudflare.com/?to=/:account/:zone/security/events

Use only “Full (strict)” or “Strict” so the connection is fully secured.

Is this being blocked by Cloudflare? Or by your application? Cloudflare is a proxy, so you will want to ensure your origin is correctly determining the original client IP for these requests:

Urgent help

I have enabled the proxy for WAF protection, but the issue is that clients are unable to access our website because they have allowlisted our server IP. Now, when they hit our website, the Cloudflare proxy IP appears instead of our server IP, preventing access.

I have allowed the client IP in the WAF firewall rule, but the clients still cannot access the website because the Cloudflare IP continues to show. Please assist with resolving this issue.

Please review my previous post for how you can address this issue with your origin server.

The issue is Cloudflare’s generated IP.

As explained earlier, our application ewsuat.amukha.com server IP is 185.100.212.51, and the client has allowlisted this IP. However, when we enable the Cloudflare proxy, the IP changes to a Cloudflare IP, causing the client to be unable to connect to ewsuat.amukha.com. I have already allowed the client's IP (103.231.42.94) in Cloudflare WAF, but the issue persists.

Please suggest if there is any other option to allow the 103.231.42.94 client IP without bypassing WAF protection.

That is for requests from your server to the client; those will come from that IP address and are not affected by proxying your DNS record in Cloudflare.

This IP is for requests to your hostname, and is necessary so the Cloudflare proxy can work, see…

Assuming you are connecting to your client from your server, and they are checking the IP address of that connection is 185.100.212.51, then this has nothing to do with the Cloudflare proxy IP address and will work fine. If your client is instead checking the IP address of ewsuat.amukha.com (which would be odd, but anyway), then you will need to disable the proxy to return your IP address, but then you can’t use the WAF or any other Cloudflare features.


Yes, when a record is proxied the IP address will change to a Cloudflare IP address. So if an end client needs to allowlist your IP address, they will need to allowlist the Cloudflare IP addresses. That is how proxies work.

Your other options are to get an Enterprise plan and BYOIP address space if you own it. And if your clients need to allowlist traffic to certain IPs, Cloudflare can change the IPs advertised for your host unless you pay for a static IP address, which is also an Enterprise plan option.
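An added example, not code from the thread or from Cloudflare, that puts the two points made in the replies above into working code: on the origin side, recover the true client address from the `CF-Connecting-IP` header only when the TCP peer is a Cloudflare edge address (otherwise the header is attacker-controlled and an allowlist keyed on it is bypassable), and on the client side, an allowlist check that shows why a rule allowing only 185.100.212.51 fails once the record is proxied. The range list is a snapshot assumed from https://www.cloudflare.com/ips-v4 (it changes; fetch the live list in production), the addresses 185.100.212.51 and 103.231.42.94 are the ones quoted in the thread, and the request records are constructed.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 edge ranges (assumption: copied from
# https://www.cloudflare.com/ips-v4 at time of writing; refresh it periodically).
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in CLOUDFLARE_IPV4]


def is_cloudflare_ip(ip: str) -> bool:
    """True if ip falls inside one of Cloudflare's published edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)


def real_client_ip(peer_ip: str, headers: dict) -> str:
    """Address the origin should use for allowlisting and logging.

    CF-Connecting-IP is trusted only when the TCP peer is a Cloudflare edge;
    a direct connection carrying that header is treated as the peer itself.
    """
    if not is_cloudflare_ip(peer_ip):
        return peer_ip
    # Header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("cf-connecting-ip", "").strip()
    try:
        return str(ipaddress.ip_address(value))  # validates the syntax
    except ValueError:
        return peer_ip  # edge sent nothing usable; fall back to the peer


def origin_allows(peer_ip: str, headers: dict, allowlist: set) -> bool:
    """Origin-side allowlist check using the recovered client address."""
    return real_client_ip(peer_ip, headers) in allowlist


def client_allows(destination_ip: str, allowlist: set, allow_cloudflare: bool) -> bool:
    """Bank-side egress allowlist: the destination is what the hostname now
    resolves to. With a proxied record that is a Cloudflare edge, so a rule
    listing only the origin IP blocks the connection unless the Cloudflare
    ranges are also allowed."""
    if destination_ip in allowlist:
        return True
    return allow_cloudflare and is_cloudflare_ip(destination_ip)


if __name__ == "__main__":
    # Constructed requests as the origin would see them.
    via_edge = ("172.64.10.20", {"CF-Connecting-IP": "103.231.42.94"})
    spoofed = ("198.51.100.7", {"CF-Connecting-IP": "103.231.42.94"})
    bank = {"103.231.42.94"}
    print("via edge  ->", real_client_ip(*via_edge), origin_allows(*via_edge, bank))
    print("spoofed   ->", real_client_ip(*spoofed), origin_allows(*spoofed, bank))
    # Bank-side view: hostname now resolves to a Cloudflare edge, not 185.100.212.51.
    print("bank, origin IP only ->", client_allows("104.16.1.1", {"185.100.212.51"}, False))
    print("bank, plus CF ranges ->", client_allows("104.16.1.1", {"185.100.212.51"}, True))
```

The origin-side check is the part that keeps the WAF from being bypassed: if the origin also accepts direct connections from the internet, lock it down to the same Cloudflare ranges at the firewall, or the header-based allowlist can be spoofed by anyone who can reach 185.100.212.51 directly.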
