English (US) Deutsch Español (España) Français (France) 日本語 한국어 Português do Brasil 简体中文

Cloudflare Help Center

Detailed system status >

Articles in this section

Connect with the Cloudflare Community

Get answers

More on this topic: Discussions and Tips

Allowing Cloudflare IP addresses

  • Updated

Learn how to allow Cloudflare IP addresses and why allowing Cloudflare is recommended.

Overview

Changing your name servers to Cloudflare routes traffic through Cloudflare for any orange-clouded DNS records in the Cloudflare DNS app. Your origin web server receives traffic from Cloudflare IP addresses due to Cloudflare’s reverse proxy.

These assigned IP addresses cannot be configured and are shared across all proxied hostnames. They can change at any time.

Blocking or rate limiting Cloudflare connections prevents visitor traffic from reaching your website.

To avoid blocking Cloudflare IPs unintentionally, check that:

  • Your origin web server iptables are set to trust Cloudflare IPs.
  • Bad Behavior or mod_security plugins are up to date.
  • Your htaccess file allows Cloudflare IPs.
  • Any security plugins, such as WordPress security plugins, allow Cloudflare IPs.

Security Recommendations at Origins

Please note, Cloudflare does not recommend enforcing security policy at origins solely by trusting IP addresses. Cloudflare Tunnels and Authenticated Origin Pulls provide more secure and specific ways to secure origin connections from Cloudflare.

Allow Cloudflare IP addresses

For Cloudflare to send visitor requests to your origin web server, allow Cloudflare IP addresses at your origin web server.  Contact your hosting provider or website administrator for guidance.  

Also, consult documentation for walkthroughs on using .htaccess or iptables to allow IP addresses.  The following examples demonstrate the format of an iptables rule to allow a Cloudflare IP address range.  Replace $ip below with one of the Cloudflare IP address ranges.

For IPv4 address ranges:

iptables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT

For IPv6 address ranges:

ip6tables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT

As a best practice we recommend to explicitly block all traffic not originating from Cloudflare IPs or your trusted partners, vendors, or application IP addresses. For IPv4 address ranges:
iptables -A INPUT -p tcp --dport http,https -j DROP For IPv6 address ranges:
ip6tables -A INPUT -p tcp --dport http,https -j DROP

You may also consult the following resources for help in allowing Cloudflare IPs for these Wordpress plugins:

Using your own IP addresses

If you do not want to use Cloudflare IP addresses, Enterprise customers have two potential alternatives:

  • Bring Your Own IP (BYOIP): Where Cloudflare announces your IPs in all our locations. For more details, see our developer documentation.
  • Static IP: Where Cloudflare sets static IP addresses for your domain. For more details, reach out to your Sales team.

Related resources

Not finding what you need?

Searching can help answer 95% of support questions. This is the quickest way to get answers.

Ask the Community Submit a request

Related articles

Not finding what you need?

Ask the Community Submit a request