Whitelisting end user IP addresses or Cloudflare IPs

Hi community,

I have a firewall which has geo-blocking enabled in my datacenter. The firewall currently has a rule to allow USA regions, but block all other locations such as Europe, Asia. I am looking to use Cloudflare to open up my resources globally as an added layer of security, and would like to check if my logic is correct on how the routing works.

My current plan is to modify the existing firewall rule on the device in the datacenter to ALLOW inbound from Cloudflare IP addresses, and DROP all other external. Specifically, I look to allow the IPs displayed on the public Cloudflare site here: IP Ranges | Cloudflare

I would then add my records in proxy mode on Cloudflare.

My assumption is that external users would be proxied over Cloudflare to the resources in the Datacenter and the datacenter would allow the traffic as it is coming over the proxied Cloudflare network. Is this correct? Or, would the traffic travel over Cloudflare but appear from a non-Cloudflare IP wherever the end user is located?

I do not want to drop all restrictions in the Datacenter as I am worried that potential attackers could bypass Cloudflare and attack my resources directly over IP. By restricting traffic to be from Cloudflare only, that would be less likely. However, my plan will not work if the traffic origin appears as the end user IP.

Thank you.


This is correct. The packets themselves come from Cloudflare IP addresses.

HTTP request headers include the visitor IP address. Only the NGINX/Apache/Litespeed/etc process pays attention to those.

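The two halves of the reply above, the packet-level allow-list and the header-level visitor address, as an added example that is not code from either poster. It assumes a few CIDRs taken from Cloudflare's published list as a constructed sample (a real origin must load the full current lists from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 and refresh them), renders the allow-list as iptables commands, and shows why the CF-Connecting-IP header may only be trusted when the TCP peer really is a Cloudflare edge. The request samples are constructed.

```python
"""Origin-side handling for a Cloudflare-proxied setup:
1. firewall: accept 80/443 only from Cloudflare's published ranges, drop everything else;
2. application: read the real visitor address from CF-Connecting-IP, but only when the
   TCP peer is a Cloudflare edge, so a direct hit on the origin cannot spoof the header.
"""
import ipaddress

# Constructed sample: a handful of Cloudflare's published ranges. Illustrative only;
# load the complete, current lists from https://www.cloudflare.com/ips-v4 and
# https://www.cloudflare.com/ips-v6 and refresh them on a schedule.
SAMPLE_RANGES_TEXT = """\
173.245.48.0/20
103.21.244.0/22
104.16.0.0/13
172.64.0.0/13
2400:cb00::/32
2606:4700::/32
"""


def load_ranges(text: str):
    """Parse one CIDR per line (blank lines and '#' comments ignored) into network objects."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets


NETS = load_ranges(SAMPLE_RANGES_TEXT)


def is_cloudflare(peer_ip: str, nets=NETS) -> bool:
    """True if the TCP peer address falls inside one of the Cloudflare ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in nets)


def client_ip(peer_ip: str, headers: dict, nets=NETS) -> str:
    """Return the address to treat as the visitor.

    CF-Connecting-IP is trusted only when the packet actually came from Cloudflare.
    Otherwise the header was written by whoever reached the origin directly, so it
    is ignored and the peer address itself is used.
    """
    if is_cloudflare(peer_ip, nets):
        hdr = headers.get("CF-Connecting-IP")
        if hdr:
            ipaddress.ip_address(hdr)  # raises ValueError on garbage
            return hdr
    return peer_ip


def firewall_rules(nets=NETS, ports=(80, 443)):
    """Render the allow-list as iptables/ip6tables commands:
    ACCEPT from each Cloudflare range on the web ports, then DROP the rest."""
    dports = ",".join(str(p) for p in ports)
    lines = []
    for net in nets:
        tool = "iptables" if net.version == 4 else "ip6tables"
        lines.append(f"{tool} -A INPUT -p tcp -m multiport --dports {dports} -s {net} -j ACCEPT")
    for tool in ("iptables", "ip6tables"):
        lines.append(f"{tool} -A INPUT -p tcp -m multiport --dports {dports} -j DROP")
    return lines


# Constructed requests as the origin sees them: (TCP peer address, HTTP headers)
SAMPLE_REQUESTS = [
    ("173.245.48.10", {"CF-Connecting-IP": "203.0.113.7"}),   # via Cloudflare: header trusted
    ("198.51.100.44", {"CF-Connecting-IP": "10.0.0.1"}),      # direct hit with a forged header
    ("2606:4700:1::5", {"CF-Connecting-IP": "2001:db8::9"}),  # via Cloudflare over IPv6
]


def classify_requests(requests=SAMPLE_REQUESTS, nets=NETS):
    """For each request: peer, whether it arrived via Cloudflare, and the visitor address to log/ACL on."""
    return [(peer, is_cloudflare(peer, nets), client_ip(peer, hdrs, nets)) for peer, hdrs in requests]


if __name__ == "__main__":
    for rule in firewall_rules():
        print(rule)
    for peer, via_cf, visitor in classify_requests():
        print(f"peer={peer:16} via_cloudflare={via_cf!s:5} visitor={visitor}")
```

The second sample request is the case the question worries about: if the firewall allow-list were missing, an attacker hitting the origin directly could set CF-Connecting-IP to anything, so the application must gate the header on the peer address rather than trust it unconditionally. Note also that Cloudflare's ranges carry traffic for every Cloudflare customer, so the IP allow-list proves only that a packet came through Cloudflare, not that it came through your zone; Cloudflare's Authenticated Origin Pulls (client certificates on the edge-to-origin connection) is the usual way to close that gap.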
