Whitelist Cloudflare IPs

Hi All,
I am trying to whitelist Cloudflare IPs in .htaccess, but it is not working. I tested by allowing only my own IP and it was working. So I figured that Cloudflare is passing the source IP, so the origin server only knows that the incoming IP is some IP, not one from Cloudflare.
How can we secure the origin server by whitelisting only Cloudflare IPs? So the .htaccess below would not do anything.

Order deny,allow
Deny from all
Allow from 173.245.48.0/20
Allow from 103.21.244.0/22
Allow from 103.22.200.0/22
Allow from 103.31.4.0/22
Allow from 141.101.64.0/18
Allow from 108.162.192.0/18
Allow from 190.93.240.0/20
Allow from 188.114.96.0/20
Allow from 197.234.240.0/22
Allow from 198.41.128.0/17
Allow from 162.158.0.0/15
Allow from 172.64.0.0/13
Allow from 131.0.72.0/22
Allow from 104.16.0.0/13
Allow from 104.24.0.0/14


Cloudflare passes along the original source IP in the X-Forwarded-For header (like most proxies) plus the CF-Connecting-IP header (as per the docs this is the preferred header).

Out of the box Apache does not look at any of these headers to determine the real source IP, so unless you have configured Apache to look at one of those headers the IP your web server will “see” is the Cloudflare IP address…assuming you have selected the “orange cloud” next to the DNS record…

All of the above assumes that the request is actually set to be proxied.

If you want to ensure the origin is only reachable via Cloudflare, have you looked into implementing an Argo Tunnel for this?

https://developers.cloudflare.com/cloudflare-one/connections/connect-apps

It’s now free and it means you don’t have to expose your origin web server directly at all (i.e. it could listen on localhost).
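The distinction raised in the replies, between the address of the connection that reaches the origin and the visitor address carried in CF-Connecting-IP, is shown below as an added example (a Python model of the decision logic, not Apache's code and not from the original posts). The function names and the sample addresses are constructed for illustration; the ranges are the ones listed in the question, and the last function assumes a server that has been set up to replace the remote address with the header value before access control runs.

```python
import ipaddress

# Cloudflare IPv4 ranges copied from the .htaccess in the question.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "172.64.0.0/13",
    "131.0.72.0/22", "104.16.0.0/13", "104.24.0.0/14",
)]


def is_cloudflare(addr):
    """True when addr parses as an IP inside one of the listed ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in CLOUDFLARE_RANGES)


def evaluate(peer_ip, headers):
    """Return (allowed, client_ip) for one request (hypothetical helper).

    peer_ip is the address of the TCP connection reaching the origin.
    The allowlist is applied to peer_ip; CF-Connecting-IP is consulted
    for the visitor address only after the peer is known to be Cloudflare.
    headers is a plain dict keyed by the exact header name.
    """
    if not is_cloudflare(peer_ip):
        # Direct connection to the origin: the header is client-supplied
        # and untrusted, so it is ignored and the request is refused.
        return False, peer_ip
    claimed = headers.get("CF-Connecting-IP", "")
    try:
        client_ip = str(ipaddress.ip_address(claimed.strip()))
    except ValueError:
        client_ip = peer_ip  # header missing or malformed: keep the peer
    return True, client_ip


def allowlist_on_rewritten_ip(peer_ip, headers):
    """Failure mode: the allowlist is checked against the header-derived
    visitor address instead of the connection peer (assumed server setup)."""
    _, client_ip = evaluate(peer_ip, headers)
    return is_cloudflare(client_ip)
```

With the constructed input `("172.64.0.10", {"CF-Connecting-IP": "203.0.113.7"})`, `evaluate` allows the request and reports the visitor as 203.0.113.7, while `allowlist_on_rewritten_ip` denies the same proxied request because the visitor address is not in the Cloudflare ranges.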
