Allow Cloudflare IP addresses
2 min read
All traffic to proxied DNS records passes through Cloudflare before reaching your origin server. This means that your origin server will stop receiving traffic from individual visitor IP addresses and instead receive traffic from Cloudflare IP addresses, which are shared by all proxied hostnames.
This setup can cause issues if your origin server blocks or rate limits connections from Cloudflare IP addresses. Because all visitor traffic will appear to come from Cloudflare IP addresses, blocking these IPs — even accidentally — will prevent visitor traffic from reaching your application.
In addition, allowing Cloudflare IPs might be needed to avoid rate limiting or blocking these requests at your origin server.
For Magic Transit customers, Cloudflare routes the traffic instead of proxying it. Once Cloudflare starts advertising your IP prefixes, it will accept IP packets destined for your network, process them, and then output these packets to your origin infrastructure.
Review external tools
To avoid blocking Cloudflare IP addresses unintentionally, review your external tools to check that:
- Any security plugins — such as those for WordPress — allow Cloudflare IP addresses.
- The mod_security plugin is up to date.
Configure origin server
Allowlist Cloudflare IP addresses
To avoid blocking Cloudflare IP addresses unintentionally, you also want to allow Cloudflare IP addresses at your origin web server.
You can explicitly allow these IP addresses with a .htaccess file or by using iptables.
The following example demonstrates how you could use an iptables rule to allow a Cloudflare IP address range. Replace $ip below with one of the Cloudflare IP address ranges.
# For IPv4 addressesiptables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT# For IPv6 addressesip6tables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPTFor more specific guidance, contact your hosting provider or website administrator.
Block other IP addresses (recommended)
As a best practice, we also recommend that you explicitly block all traffic that does not come from Cloudflare IP addresses or the IP addresses of your trusted partners, vendors, or applications.
For example, you might update your iptables with the following commands:
# For IPv4 addresses
$ iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP
# For IPv6 addresses
$ ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP
For more specific guidance, contact your hosting provider or website administrator.