Securing your website or web server is very important. If you are using Cloudflare to speed up your site and protect it from bots and DDoS attacks, and to protect certain areas of your site such as an admin or members-only area, you may be aware that hackers can bypass Cloudflare by obtaining the real IP address of your server. You can essentially DENY all traffic from the Internet and ALLOW only Cloudflare's netblocks. This blog post shows you how to do exactly that.
You can block at the server level using the firewall on the server, such as UFW or iptables. However, many websites are hosted on a shared platform where you do not have access to those resources. If that is your case, you can block all IPs except Cloudflare's with .htaccess (Apache or LiteSpeed) or with an allow/deny block in your server configuration if you are using the NGINX web server.
Apache 2.4 Cloudflare Firewall Bypass Prevention (.htaccess)
If you are hosting on an Apache 2.4 web server, you can use the following code block in your .htaccess file. This should also work with .htaccess on a LiteSpeed Web Server.
# Cloudflare-Firewall-Bypass-Prevention
# This code can be used in your .htaccess file to block all traffic from the Internet except Cloudflare IP blocks.
# Be sure to check that all of the IPs listed are in sync with Cloudflare's current IP blocks. This code is without
# warranty or support.
# Date Cloudflare IPs checked and confirmed - Oct 8, 2021
# BEGIN Cloudflare Firewall Bypass Prevention
# Apache 2.4 server: a list of "Require ip" directives is evaluated with RequireAny semantics,
# so any client address outside these ranges is denied.
Require ip 188.8.131.52/20
Require ip 184.108.40.206/22
Require ip 220.127.116.11/22
Require ip 18.104.22.168/22
Require ip 22.214.171.124/18
Require ip 126.96.36.199/18
Require ip 188.8.131.52/20
Require ip 184.108.40.206/20
Require ip 220.127.116.11/22
Require ip 18.104.22.168/17
Require ip 22.214.171.124/15
Require ip 126.96.36.199/12
Require ip 188.8.131.52/14
Require ip 184.108.40.206/13
Require ip 220.127.116.11/22
Require ip 2400:cb00::/32
Require ip 2606:4700::/32
Require ip 2803:f800::/32
Require ip 2405:b500::/32
Require ip 2405:8100::/32
Require ip 2a06:98c0::/29
Require ip 2c0f:f248::/32
# Require ip INSERT YOUR IP HERE
# Uncomment the line above and add your own IP address (Apache 2.4 uses "Require ip", not the 2.2-style "Allow from")
# END Cloudflare Firewall Bypass Prevention
NGINX Webserver Cloudflare-Firewall-Bypass-Prevention Configuration
NGINX's access module (the allow and deny directives) lets you restrict access to certain client addresses. Add the following content to the server block in your virtual host configuration file.
allow 18.104.22.168/20;
allow 22.214.171.124/22;
allow 126.96.36.199/22;
allow 188.8.131.52/22;
allow 184.108.40.206/18;
allow 220.127.116.11/18;
allow 18.104.22.168/20;
allow 22.214.171.124/20;
allow 126.96.36.199/22;
allow 188.8.131.52/17;
allow 184.108.40.206/15;
allow 220.127.116.11/13;
allow 18.104.22.168/14;
allow 22.214.171.124/13;
allow 126.96.36.199/22;
allow 2400:cb00::/32;
allow 2606:4700::/32;
allow 2803:f800::/32;
allow 2405:b500::/32;
allow 2405:8100::/32;
allow 2a06:98c0::/29;
allow 2c0f:f248::/32;
# allow YOUR_HOME_OR_OFFICE_IP;   # optional: uncomment and fill in your own address
deny all;
The rules are checked in sequence until the first match is found. In this example, access is allowed only for the Cloudflare IPv4 and IPv6 netblocks, and every other address is denied by the final "deny all". You can also add an allow rule for your home and/or office IP address so you can reach the server directly and bypass Cloudflare's caching.
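To see the allow/deny semantics from both sections in action and to spot requests that reached the origin directly, here is an added example (not code from the original post). It parses an nginx-style allow/deny list, evaluates a client address the way nginx does (first match wins), runs over a few constructed access-log lines, and emits the equivalent Apache 2.4 "Require ip" lines; the ACL and log lines use documentation addresses, not Cloudflare's real ranges.

```python
"""Flag requests that reached the origin directly, i.e. from outside the allowed
netblocks. Constructed example: ACL and log use documentation addresses."""
import ipaddress
import re
# Constructed sample ACL in nginx order: first match wins, 'deny all' last.
SAMPLE_ACL = """
allow 203.0.113.0/24;
allow 2001:db8::/32;
allow 198.51.100.7;
deny all;
"""

# Constructed sample access log lines in nginx 'combined' format.
SAMPLE_LOG = """\
203.0.113.42 - - [08/Oct/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 612
192.0.2.77 - - [08/Oct/2021:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1834
2001:db8:1::5 - - [08/Oct/2021:10:00:03 +0000] "GET /admin HTTP/1.1" 403 153
198.51.100.7 - - [08/Oct/2021:10:00:04 +0000] "GET /admin HTTP/1.1" 200 4021
"""
RULE_RE = re.compile(r"^\s*(allow|deny)\s+(\S+?);")

def parse_acl(text):
    """Turn allow/deny directives into an ordered list of (action, network)."""
    rules = []
    for m in filter(None, map(RULE_RE.match, text.splitlines())):
        action, target = m.groups()
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules

def is_allowed(ip, rules):
    """Evaluate rules in sequence like nginx: the first matching rule decides."""
    addr = ipaddress.ip_address(ip)
    for action, net in rules:
        if net is None or addr in net:  # 'in' is False across IPv4/IPv6
            return action == "allow"
    return True  # no match means nginx allows, so 'deny all' must stay last

def direct_hits(log_text, rules):
    """Return (client_ip, request) for log lines not covered by an allow rule."""
    hits = []
    for line in log_text.splitlines():
        ip, request = line.split(" ", 1)[0], line.split('"')[1]
        if not is_allowed(ip, rules):
            hits.append((ip, request))
    return hits

def to_apache_require(rules):
    """Emit equivalent Apache 2.4 Require ip lines for the allow rules."""
    return [f"Require ip {n.with_prefixlen}" for a, n in rules if a == "allow"]
```

Running direct_hits over your real access log (with your real allow list) shows which clients still reach the origin without passing through Cloudflare, which is the traffic these rules are meant to stop.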
Located in Edmonton, AB, Canada, Clustered Networks was incorporated in 2001 and has offered network, Internet and IT consulting services for over 20 years. We offer personalized service! Call us today!
#cloudflare #block #nginx #apache