Allow only Cloudflare IP NetBlock to your Site

Securing your website or web server is very important. If you are using Cloudflare to speed up your site and protect it from bots and DDoS attacks, or to protect certain areas of your site such as an admin or members-only section, you may be aware that attackers can bypass Cloudflare entirely if they learn the real IP address of your server and connect to it directly. The fix is to DENY all traffic from the Internet at the web server and ALLOW only Cloudflare's netblocks, so the server answers only requests that have actually passed through Cloudflare. This blog post shows you how to do exactly that.



You can block at the server level using the server's firewall, such as UFW or iptables. However, most websites are hosted on a shared platform where you may not have access to those resources. In that case you can block all IPs except Cloudflare's with an .htaccess file (Apache or LiteSpeed) or with an NGINX configuration snippet if you are running the NGINX web server.

Apache 2.4 Cloudflare Firewall Bypass Prevention (.htaccess)

If you are hosting on an Apache 2.4 web server, you can use the following code block in your .htaccess file. This should also work in the .htaccess of a LiteSpeed web server.

# Cloudflare-Firewall-Bypass-Prevention
# This code can be used in your .htaccess file to block all traffic from the Internet except Cloudflare IP blocks.
# Be sure to check that all of the IPs listed are in sync with Cloudflare's current IP blocks
# (published at https://www.cloudflare.com/ips/). This code is without warranty or support.
# Date Cloudflare IPs checked and confirmed - Oct 8, 2021
# BEGIN Cloudflare Firewall Bypass Prevention
# Apache 2.4 Server
# Multiple Require directives outside a container are evaluated as RequireAny:
# a client matching any one of the netblocks below is allowed, everyone else is denied.

    Require ip 173.245.48.0/20
    Require ip 103.21.244.0/22
    Require ip 103.22.200.0/22
    Require ip 103.31.4.0/22
    Require ip 141.101.64.0/18
    Require ip 108.162.192.0/18
    Require ip 190.93.240.0/20
    Require ip 188.114.96.0/20
    Require ip 197.234.240.0/22
    Require ip 198.41.128.0/17
    Require ip 162.158.0.0/15
    Require ip 104.16.0.0/13
    Require ip 104.24.0.0/14
    Require ip 172.64.0.0/13
    Require ip 131.0.72.0/22
    Require ip 2400:cb00::/32
    Require ip 2606:4700::/32
    Require ip 2803:f800::/32
    Require ip 2405:b500::/32
    Require ip 2405:8100::/32
    Require ip 2a06:98c0::/29
    Require ip 2c0f:f248::/32
#    Require ip INSERT YOUR IP HERE
# Uncomment and add your IP address in the line above (Apache 2.4 syntax is "Require ip",
# not the older "Allow from", so do not mix the two in the same file)

# END Cloudflare Firewall Bypass Prevention

NGINX Webserver Cloudflare-Firewall-Bypass-Prevention Configuration

NGINX's access module (ngx_http_access_module) limits access to certain client addresses with allow and deny directives. Add the following content inside the server block of your virtual host configuration file.

    allow 173.245.48.0/20;
    allow 103.21.244.0/22;
    allow 103.22.200.0/22;
    allow 103.31.4.0/22;
    allow 141.101.64.0/18;
    allow 108.162.192.0/18;
    allow 190.93.240.0/20;
    allow 188.114.96.0/20;
    allow 197.234.240.0/22;
    allow 198.41.128.0/17;
    allow 162.158.0.0/15;
    allow 104.16.0.0/13;
    allow 104.24.0.0/14;
    allow 172.64.0.0/13;
    allow 131.0.72.0/22;
    allow 2400:cb00::/32;
    allow 2606:4700::/32;
    allow 2803:f800::/32;
    allow 2405:b500::/32;
    allow 2405:8100::/32;
    allow 2a06:98c0::/29;
    allow 2c0f:f248::/32;
    # allow YOUR_HOME_OR_OFFICE_IP;   # uncomment and fill in to reach the server directly
    deny  all;

The rules are checked in sequence until the first match is found. In this example, access is allowed only from Cloudflare's IPv4 and IPv6 netblocks and denied for everyone else. You can also add an allow line for your home and/or office network so you can reach the server directly and bypass Cloudflare's caching. Note that both lists (Apache and NGINX) must carry the same prefixes; a single wrong prefix length silently widens or narrows what is allowed.
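The following script is an added example and not part of the original post or of Cloudflare's or NGINX's own tooling. It keeps the netblock list in one place, renders it as both the Apache 2.4 `Require ip` block and the NGINX `allow`/`deny` block above, simulates the first-match evaluation this paragraph describes, and compares two prefix lists to catch a drift such as `104.16.0.0/12` versus `104.16.0.0/13`. The netblocks are the ones listed on this page (dated Oct 8, 2021); the extra admin address `203.0.113.7` is a constructed placeholder.

```python
"""Single source of truth for the Cloudflare allow-list, with renderers for
Apache 2.4 and NGINX and a simulator of first-match allow/deny evaluation.
Added example; verify the list against https://www.cloudflare.com/ips/ before use."""
import ipaddress

# Cloudflare netblocks as listed on the page (checked Oct 8, 2021).
CLOUDFLARE_NETBLOCKS = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
]


def build_rules(extra_allow=()):
    """Ordered (action, network) rules: Cloudflare blocks, then any extra
    admin addresses, then a catch-all deny (the NGINX 'deny all;')."""
    rules = [("allow", ipaddress.ip_network(n)) for n in CLOUDFLARE_NETBLOCKS]
    rules += [("allow", ipaddress.ip_network(n)) for n in extra_allow]
    rules.append(("deny", None))  # None matches every address
    return rules


def evaluate(rules, client_ip):
    """Return 'allow' or 'deny' for client_ip: the first matching rule wins,
    which is how NGINX's access module walks allow/deny directives."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (net.version == ip.version and ip in net):
            return action
    return "deny"


def render_apache(rules):
    """Apache 2.4 lines. Several 'Require ip' directives outside a container
    are evaluated as RequireAny, so no explicit deny line is needed."""
    return "\n".join(f"Require ip {net.with_prefixlen}"
                     for action, net in rules if action == "allow")


def render_nginx(rules):
    """NGINX lines in rule order, ending with 'deny all;'."""
    return "\n".join("deny all;" if net is None else f"{action} {net.with_prefixlen};"
                     for action, net in rules)


def find_drift(listed, reference):
    """Prefixes present in one list but not the other, as two sorted lists:
    (only_in_listed, only_in_reference). A /12 typed for a /13 shows up here."""
    a = {ipaddress.ip_network(n) for n in listed}
    b = {ipaddress.ip_network(n) for n in reference}
    return sorted(str(n) for n in a - b), sorted(str(n) for n in b - a)


if __name__ == "__main__":
    rules = build_rules(extra_allow=["203.0.113.7"])  # constructed admin IP
    print(render_apache(rules))
    print(render_nginx(rules))
    for probe in ("104.16.1.1", "104.28.0.1", "2606:4700::1", "203.0.113.7", "198.51.100.9"):
        print(probe, "->", evaluate(rules, probe))
```

Running the script prints both configuration blocks and then the verdict for a handful of probe addresses; `104.28.0.1` is denied because it lies outside both `104.16.0.0/13` and `104.24.0.0/14`, which is exactly the range a mistaken `/12` would have let through. Paste the rendered output into .htaccess or the NGINX server block, and re-run `find_drift` against the current published list whenever you refresh it.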

Clustered Networks

Located in Edmonton, AB, Canada, Clustered Networks was incorporated in 2001 and has offered network, Internet and IT consulting services for over 20 years. We offer personalized service! Call us today.

#cloudflare #block #nginx #apache

Posted in Linux Network Admin Tips, Network Security Tips, Tech How To on Oct 08, 2021