Learn how to allow Cloudflare IP addresses and why allowing Cloudflare is recommended.
Changing your name servers to Cloudflare routes traffic through Cloudflare for any orange-clouded DNS records in the Cloudflare DNS app. Your origin web server receives traffic from Cloudflare IP addresses due to Cloudflare’s reverse proxy.
These assigned IP addresses cannot be configured and are shared across all proxied hostnames. They can change at any time.
To avoid blocking Cloudflare IPs unintentionally, check that:
- Your origin web server iptables are set to trust Cloudflare IPs.
- Bad Behavior or mod_security plugins are up to date.
- Your .htaccess file allows Cloudflare IPs.
- Any security plugins, such as WordPress security plugins, allow Cloudflare IPs.
Allow Cloudflare IP addresses
For Cloudflare to send visitor requests to your origin web server, allow Cloudflare IP addresses at your origin web server. Contact your hosting provider or website administrator for guidance.
Also, consult documentation for walkthroughs on using .htaccess or iptables to allow IP addresses. The following examples demonstrate the format of an iptables rule to allow a Cloudflare IP address range. Replace $ip below with one of the Cloudflare IP address ranges.
For IPv4 address ranges:
iptables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT
For IPv6 address ranges:
ip6tables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT
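Because the ranges can change at any time, the allow rules have to be regenerated whenever the published list is updated. The script below is an added example, not part of Cloudflare's documentation: it reads a list of ranges, picks iptables or ip6tables per range, rejects malformed entries, and prints rules that are safe to re-run. The names rule_for, generate_rules and SAMPLE_RANGES are hypothetical, and the sample ranges are documentation prefixes, not Cloudflare's.

```shell
#!/bin/sh
# Added example: print idempotent allow rules for a list of CIDR ranges.
# Nothing is applied here; review the output, then run it as root.

# Constructed sample input: documentation prefixes, NOT real Cloudflare ranges.
SAMPLE_RANGES='192.0.2.0/24
# comments and blank lines are skipped

2001:db8::/32
198.51.100.0/24
not-a-range
203.0.113.0/33'

# rule_for CIDR: print one command, or return 1 if the range is malformed.
# Only digits, dots, hex and colons pass, so the output has no shell metacharacters.
rule_for() {
    cidr=$1; addr=${cidr%/*}; len=${cidr#*/}
    case $cidr in */*) ;; *) return 1 ;; esac
    case $len in ''|*[!0-9]*) return 1 ;; esac
    case $addr in
        *:*)      # IPv6 goes to ip6tables, prefix length 0-128
            case $addr in *[!0-9A-Fa-f:]*) return 1 ;; esac
            [ "$len" -le 128 ] || return 1
            bin=ip6tables ;;
        *.*.*.*)  # IPv4 goes to iptables, prefix length 0-32
            case $addr in *[!0-9.]*) return 1 ;; esac
            [ "$len" -le 32 ] || return 1
            bin=iptables ;;
        *) return 1 ;;
    esac
    match="INPUT -p tcp -m multiport --dports http,https -s $cidr -j ACCEPT"
    # -C tests for an existing rule, so re-running never inserts duplicates.
    printf '%s -C %s 2>/dev/null || %s -I %s\n' "$bin" "$match" "$bin" "$match"
}

# generate_rules: read ranges on stdin, print commands, report rejects on stderr.
generate_rules() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        rule_for "$line" || printf 'skipped malformed range: %s\n' "$line" >&2
    done
}

printf '%s\n' "$SAMPLE_RANGES" | generate_rules
```

The validation is a syntactic sanity check only; iptables and ip6tables still perform the final address parsing when the printed commands are run.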
You may also consult the following resources for help in allowing Cloudflare IPs for these WordPress plugins:
Using your own IP addresses
If you do not want to use Cloudflare IP addresses, Enterprise customers have two potential alternatives:
- Bring Your Own IP (BYOIP): Where Cloudflare announces your IPs in all our locations. For more details, see our developer documentation.
- Static IP: Where Cloudflare sets static IP addresses for your domain. For more details, reach out to your Sales team.