Cloudflare IP Whitelist
Learning Focus
By the end of this lesson you will know how to restrict origin server access to only Cloudflare IP ranges.
Why Whitelist Cloudflare IPs
When using Cloudflare as a proxy, your origin should only accept HTTP/HTTPS traffic from Cloudflare's IP ranges. This prevents attackers from bypassing Cloudflare by connecting directly to your server's IP address.
Cloudflare IP Ranges
Cloudflare publishes their IP ranges at: https://www.cloudflare.com/ips/
# Download the current Cloudflare IP ranges
curl -s https://www.cloudflare.com/ips-v4 > /tmp/cloudflare-ips-v4.txt
curl -s https://www.cloudflare.com/ips-v6 > /tmp/cloudflare-ips-v6.txt
Configuring UFW
# Allow the Cloudflare IPv4 and IPv6 ranges to port 443 (both downloaded lists are used)
for list in /tmp/cloudflare-ips-v4.txt /tmp/cloudflare-ips-v6.txt; do
  while read -r ip; do
    sudo ufw allow from "$ip" to any port 443
  done < "$list"
done
# Deny all other traffic to 443 (added after the allows, since ufw matches rules in order)
sudo ufw deny 443
# Verify
sudo ufw status
Warning
Keep the Cloudflare IP list updated: Cloudflare occasionally changes its ranges, so set up a monthly cron job to refresh the whitelist.
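A refresh script suited to that cron job, added here as an example and not part of the lesson: it keeps the last applied list in a state file (assumed path /var/lib/cloudflare-ips.txt), validates the download, and only adds or deletes the ranges that changed. New allow rules are inserted at position 1 because a plain ufw allow appends after the existing deny rule, and ufw stops at the first matching rule, so simply re-running the loop above once the deny exists would add rules that never match.

```shell
#!/bin/sh
# Incremental refresh of the Cloudflare allow-list for UFW (added example, not
# from the lesson). STATE holds the last applied list (assumed path); ranges
# that appear are inserted ABOVE the catch-all deny, ranges that disappear are
# deleted. Set UFW=echo to dry-run without touching the firewall.
set -eu
export LC_ALL=C                                  # stable sort/comm ordering
UFW="${UFW:-sudo ufw}"
STATE="${STATE:-/var/lib/cloudflare-ips.txt}"   # assumed state file
PORT="${PORT:-443}"

# Keep only lines shaped like an IPv4 or IPv6 CIDR so a corrupt or partial
# download can never become a firewall rule; fails if nothing survives.
validate_list() {
  grep -E '^(([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])|[0-9a-fA-F:]+/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8]))$' "$1" \
    | sort -u | grep .                           # "grep ." exits 1 on empty output
}

# Print "+cidr" for ranges only in NEW ($2) and "-cidr" for ranges only in OLD ($1).
list_diff() {
  comm -13 "$1" "$2" | sed 's/^/+/'
  comm -23 "$1" "$2" | sed 's/^/-/'
}

# Apply a diff line by line. "insert 1" matters: plain "ufw allow" appends
# after the existing deny rule, and ufw stops at the first matching rule.
apply_diff() {
  while IFS= read -r line; do
    cidr="${line#?}"
    case "$line" in
      +*) $UFW insert 1 allow proto tcp from "$cidr" to any port "$PORT" ;;
      -*) $UFW delete allow proto tcp from "$cidr" to any port "$PORT" ;;
    esac
  done
}

refresh() {
  tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
  { curl -fsS https://www.cloudflare.com/ips-v4; echo
    curl -fsS https://www.cloudflare.com/ips-v6; } > "$tmp/raw"
  validate_list "$tmp/raw" > "$tmp/new"
  [ -f "$STATE" ] || : > "$STATE"
  sort -u "$STATE" > "$tmp/old"
  $UFW deny "$PORT"                              # catch-all first, so "insert 1" has a rule to sit above
  list_diff "$tmp/old" "$tmp/new" | apply_diff
  cp "$tmp/new" "$STATE"
}
# Run only when invoked as "refresh" (e.g. from a monthly cron entry).
if [ "${1:-}" = "refresh" ]; then refresh; fi
```

Save it as, for example, refresh-cloudflare-ufw.sh and run `sh refresh-cloudflare-ufw.sh refresh` from cron; on the very first run the deny rule exists briefly before the allows are inserted, so run it once by hand before relying on it.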
Key Takeaways
- Whitelisting Cloudflare IPs prevents attackers from bypassing the CDN.
- Keep the IP list updated with Cloudflare's published ranges.
- This is a critical hardening step for production Cloudflare deployments.
What's Next
- Continue to Security Features for Cloudflare WAF and bot protection.