Whitelisting IPs

Hello, I have been looking for a way to allowlist Cloudflare’s IPs. I have a bot trap on my site and several Cloudflare IPs have been trapped, for some reason they are not following my Robots.txt rules.

I can’t find a way of telling my server to NOT blocklist Cloudflare’s IPs, the only information I found so far tells me to check that Cloudflare’s IPs are not being blocked on my .htaccess file. Also, the IP ranges shown at IP Ranges seem to be outdated, as when I checked several of the trapped IPs on my server they were assigned to Cloudflare but didn’t appear on this page.

Thank you

do you have an example clouldflare ip address that isn’t listed in that official ip list page ?

Just searched AS13335 prefixes, apparently is one example which is not listed on the Cloudflare’s IP List.

Found another one, here’s a list of what I found:


This is very interesting - can staff please chime in and let us know if there are indeed new IP addreses in use?

Wherever I use Cloudflare in front of webenabled services I block all none Cloudflare addresses at the firewall and would hate to find this hardening is also now possibly stopping ‘legitimate’ Clouflare-proxied traffic.

Unfortunately I removed the IPs that I found on my .htaccess and didn’t copy them, but some of them were from Portugal.

Can someone tell me if there’s a way to whitelist Cloudflare’s IPs? I currently have setup my robots.txt with a Bot Trap like this:

User-agent: *
Disallow: /BotTrap.php

All IPs that accesses that file are automatically added to my deny list in .htaccess and for some reason Cloudflare is not following my robots.txt rule and it’s IPs are constantly getting blocked.

Today I got these ones trapped, which seemed to be from Cloudflare in Hong Kong:

Those two IPs are encapsulated in which is on the list at IP Ranges. The last IP in that range is actually

1 Like

Hello, it’s been 9 months already and I still can’t find a way to leave Cloudflare’s IPs out of my spambox. Why doesn’t Cloudflare respect robots.txt?

Cloudflare isn’t a bot, and absolutely should not follow robots.txt. If you are using Cloudflare in front of your website, you should be using the CF-Connecting-IP header (and then comparing inbound requests against this header).