
I'm using Cloudflare and I want to protect my origin server from accepting any traffic that is not Cloudflare.

I was thinking to just IP whitelist https://www.cloudflare.com/ips/

However, I notice that they add/remove IPs every year or two. So I worry that one day people will get errors and it'll be because Cloudflare added or changed the list.

Another option I was considering is injecting a secret header via Cloudflare, having it passed through to the origin server, and having the origin server verify that the secret header is correct and otherwise reject the request.

Is there a best practice that I should use here?

K2xL
  • 239

2 Answers


Cloudflare allows you to authenticate that incoming requests are from their reverse proxies, and not anything else, by using mutual TLS (TLS with client certificates). They refer to this feature as "Authenticated origin pull", which is also described in a blog post. In general you can turn this feature on without it breaking anything, and then add the server-side check for Cloudflare's client certificate and stop serving any request without a suitable certificate.

Configuration of your server to validate the client certificate, and enforce its presence and correctness, will depend on the server and possibly web app framework that you are using. However, it's relatively easy in all major server software.

CBHacking
  • 251

Cloudflare never added an IP range in its history. You may have seen the following on the site:

Apr 8, 2021:
104.16.0.0/12 removed from ips-v4
104.16.0.0/13 added to ips-v4
104.24.0.0/14 added to ips-v4
  • 104.16.0.0/12 (range 104.16.0.0-104.31.255.255) is removed
  • 104.16.0.0/13 (range 104.16.0.0-104.23.255.255) is added
  • 104.24.0.0/14 (range 104.24.0.0-104.27.255.255) is added

The old range is 104.16.0.0-104.31.255.255, while the new range is the subset 104.16.0.0-104.27.255.255.

The operation did not actually add any addresses, as the added networks are subnets of the deleted one. The operation actually removed 104.28.0.0/14 (range 104.28.0.0-104.31.255.255) from the pool of IP addresses.

The folks at Cloudflare are very aware of the issue you are afraid of, and it's extremely unlikely they'll ever use other IP addresses than those advertised, so you can actually use IP filtering.
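To make the point of this answer concrete, here is an added example (not from the answer or from Cloudflare) that computes the real address-space change between two versions of a published range list, using the Apr 8, 2021 entries quoted above, and an origin-side check that decides whether a connecting IP falls inside the allowed ranges. It assumes the origin compares the TCP peer address (not a client-supplied header such as X-Forwarded-For) against a list it fetched from Cloudflare's published page; the range strings below are the ones quoted in the answer, not a current full list.

```python
import ipaddress

def _net_diff(a_nets, b_nets):
    """Return the address space covered by a_nets but not by b_nets.

    CIDR blocks either nest or are disjoint, so each block in b_nets is
    either swallowing a remaining block, carved out of it, or irrelevant.
    """
    remaining = list(ipaddress.collapse_addresses(a_nets))
    for b in b_nets:
        kept = []
        for r in remaining:
            if b.supernet_of(r):          # r fully inside b (or equal): gone
                continue
            if r.supernet_of(b):          # b strictly inside r: carve it out
                kept.extend(r.address_exclude(b))
            else:                         # disjoint: untouched
                kept.append(r)
        remaining = kept
    return list(ipaddress.collapse_addresses(remaining))

def range_change(old, new):
    """Given two published lists of CIDR strings, return (removed, added)
    as lists of networks that actually left or joined the allowed pool."""
    old_nets = [ipaddress.ip_network(n) for n in old]
    new_nets = [ipaddress.ip_network(n) for n in new]
    return _net_diff(old_nets, new_nets), _net_diff(new_nets, old_nets)

def is_allowed_peer(peer_ip, allowed_ranges):
    """Origin-side check: is the TCP peer address inside any allowed range?"""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in ipaddress.ip_network(n) for n in allowed_ranges)

if __name__ == "__main__":
    # The Apr 8, 2021 changelog entries quoted in the answer above.
    before = ["104.16.0.0/12"]
    after = ["104.16.0.0/13", "104.24.0.0/14"]
    removed, added = range_change(before, after)
    print("removed:", [str(n) for n in removed])   # ['104.28.0.0/14']
    print("added:", [str(n) for n in added])       # []
    # Constructed peer addresses for the origin-side check.
    print(is_allowed_peer("104.20.1.1", after))    # True
    print(is_allowed_peer("104.30.1.1", after))    # False: now outside the pool
```

Running `range_change` against each new list before deploying it tells you whether addresses you currently accept are about to leave the pool, which is the only direction of change the answer says has ever happened.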