How do I Lockdown URLs in Cloudflare?

URL Lockdown

URL Lockdown rules specify a list of one or more IP addresses or networks that are the only IPs allowed to access a domain, subdomain, or URL. Multiple destinations can be specified in a single rule, and both IPv4 and IPv6 source addresses can be used. IP CIDR ranges can also be used. Any IP not specified in the rule will be denied access to the page.

Example - Restricting access to company sites unless inside the office

For example, let’s say you want to restrict access to your administration and staging systems to those users connecting from your company’s headquarters and branch offices. We assume the following for purposes of demonstrating the API call:

  1. The staging site is hosted at https://staging.example.com and the wiki is at https://example.com/wiki.
  2. Your corporate headquarters uses the 192.0.2.0/24 network, branch office #1 uses /36, and branch office #2 connects to the outside world through a single IPv4 address: 203.0.133.1.

 

You can easily specify a rule restricting access as follows:

$ curl -X POST \
    -H "X-Auth-Email: $MYEMAIL" \
    -H "X-Auth-Key: $MYAPIKEY" \
    -H "Content-Type: application/json" \
    "https://api.cloudflare.com/client/v4/zones/$MYZONETAG/firewall/lockdowns" \
    --data \
'{
  "description": "Block all traffic to the staging and wiki unless coming from corporate headquarters or a branch office",
  "urls": [
    "staging.example.com/*",
    "example.com/wiki/*"
  ],
  "configurations": [
    {
      "target": "ip_range",
      "value": "192.0.2.0/24"
    },
    {
      "target": "ip_range",
      "value": "2001:DB8::/64"
    },
    {
      "target": "ip",
      "value": "203.0.133.1"
    }
  ]
}'

The rule will be returned to you, along with an ID that can be used later to modify or delete the rule.

{
  "result": {
    "id": "5da0e8a257cc4fc98cf42ea3bd22dc8f",
    "paused": false,
    "description": "Block all traffic to the staging and wiki unless coming from corporate headquarters or a branch office",
    "urls": [
      "staging.example.com/*",
      "example.com/wiki/*"
    ],
    "configurations": [
      {
        "target": "ip_range",
        "value": "192.0.2.0/24"
      },
      {
        "target": "ip_range",
        "value": "2001:DB8::/64"
      },
      {
        "target": "ip",
        "value": "203.0.133.1"
      }
    ]
  },
  "success": true,
  "errors": null,
  "messages": null
}
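
A local pre-flight check for the rule above, added here as an example (not Cloudflare's code): it validates each "configurations" entry and reports whether a given client IP would be allowed for a URL, so you can confirm your own address is covered before the rule goes live. The function names and the URL matching semantics (scheme ignored, `*` matches any run of characters) are assumptions, not Cloudflare's documented matcher.

```python
import ipaddress
import re

# Constructed sample: the rule body from the curl call above.
RULE = {
    "urls": ["staging.example.com/*", "example.com/wiki/*"],
    "configurations": [
        {"target": "ip_range", "value": "192.0.2.0/24"},
        {"target": "ip_range", "value": "2001:DB8::/64"},
        {"target": "ip", "value": "203.0.133.1"},
    ],
}

def validate(rule):
    """Return a list of problems found in the rule's configurations."""
    problems = []
    for cfg in rule["configurations"]:
        target, value = cfg.get("target"), cfg.get("value", "")
        try:
            if target == "ip":
                ipaddress.ip_address(value)  # single host, no prefix allowed
            elif target == "ip_range":
                ipaddress.ip_network(value, strict=True)  # rejects host bits set
            else:
                problems.append(f"unknown target {target!r}")
        except ValueError as exc:
            problems.append(f"{target} {value!r}: {exc}")
    return problems

def url_matches(pattern, url):
    """Assumed semantics: scheme ignored, '*' matches any run of characters."""
    url = re.sub(r"^https?://", "", url, flags=re.I)
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, url, flags=re.I) is not None

def decide(rule, client_ip, url):
    """'allow' or 'deny' if the rule covers the URL, else 'not covered'."""
    if not any(url_matches(p, url) for p in rule["urls"]):
        return "not covered"
    addr = ipaddress.ip_address(client_ip)
    for cfg in rule["configurations"]:
        net = ipaddress.ip_network(cfg["value"], strict=False)  # bare IP -> /32 or /128
        if addr.version == net.version and addr in net:
            return "allow"
    return "deny"

if __name__ == "__main__":
    print("problems:", validate(RULE))
    print(decide(RULE, "198.51.100.9", "https://example.com/wiki/Home"))
```

A "not covered" result means the URL falls outside every pattern in the rule, which is worth checking for paths you expected to be locked down.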


Below is an example of what users will see if they reach a page with URL Lockdown enabled from an unauthorized IP:


[Screenshot: Screenshot_from_2017-09-20_10-11-30.png]

The maximum number of rules allowed per account is based on plan type.

Plan          Max Rules
Free          0
Pro           3
Business      10
Enterprise    200

For more information and options, see the full API documentation for URL Lockdown.
