How To: Whitelist CloudFlare IPs

When trying to set up Cloudflare DNS for SSL for my DigitalOcean Ubuntu server, I received an "Error 521" and started troubleshooting.

Cloudflare returns a 521 when its edge cannot get a TCP connection to your origin server. So when you are getting a 521 error on SSL requests but non-SSL requests work fine, it usually indicates one of two things:

Your web server is not set-up to receive SSL connections.
Your firewall is blocking connections over SSL.
This behaviour can occur in Full and Full (Strict) mode, but not in Flexible mode, because in Flexible mode Cloudflare connects to the origin over plain-text HTTP (port 80) and never touches port 443.

If your web server is not configured to accept SSL connections, add that configuration before switching to Full or Full (Strict). If it is configured, the problem is the firewall: you need to allow inbound TCP port 443 on your server.

With iptables it is possible to open port 443 as follows:

iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Note that -A appends the rule to the end of the INPUT chain, so it is only reached if no earlier rule has already dropped or rejected the packet (use -I to insert it at the top instead), and that it accepts port 443 from any source, not only from Cloudflare.

Also consult the documentation for walkthroughs on using .htaccess or iptables to allow IP addresses. The following examples show the format of an iptables rule that allows one Cloudflare IP address range; replace $ip with one of Cloudflare's ranges. The -m multiport --dports http,https match covers ports 80 and 443 in a single rule.

For IPv4 address ranges:

iptables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT

For IPv6 address ranges:

ip6tables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT

The next step is to whitelist Cloudflare's IP ranges themselves. There is a guide on how to whitelist Cloudflare IPs in iptables; the shortcut below does the same thing for every range in one go.

Loop through them using a quick for loop in your terminal

Cloudflare publishes its IP ranges in two plain-text files, https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6, one CIDR range per line (both files are also linked from its help page on the topic). The ranges change occasionally, so whatever you build from them needs to be refreshed from time to time.

Here are the two bash commands to loop through them all. The curl flags matter: -f makes curl fail on an HTTP error instead of feeding the contents of an error page to iptables, and -sS hides the progress meter while still printing any error.

for ip in $(curl -fsS https://www.cloudflare.com/ips-v4); do sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s "$ip" -j ACCEPT; done
for ip in $(curl -fsS https://www.cloudflare.com/ips-v6); do sudo ip6tables -I INPUT -p tcp -m multiport --dports http,https -s "$ip" -j ACCEPT; done

Neither loop prints anything on success: iptables is silent when a rule is added, so the only output is whatever curl reports while downloading.

Now you can check that the rules are in place (use ip6tables -S INPUT for the IPv6 rules):

sudo iptables -S INPUT

You should see a listing like the one below. It is from the author's server, which also runs ufw and fail2ban (the ufw-* and f2b-* chains belong to those). Because -I inserts at the top of the chain, the Cloudflare ranges appear first, in reverse order of the list file:

-P INPUT DROP
-A INPUT -s 131.0.72.0/22 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 172.64.0.0/13 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 104.16.0.0/12 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 162.158.0.0/15 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 198.41.128.0/17 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 197.234.240.0/22 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 188.114.96.0/20 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 190.93.240.0/20 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 108.162.192.0/18 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 141.101.64.0/18 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 103.31.4.0/22 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 103.22.200.0/22 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 103.21.244.0/22 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 173.245.48.0/20 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-wordpress-hard
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
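As an added example (not from the original post), the following POSIX shell script does the same job in a form that can be re-run safely whenever Cloudflare's list changes. It validates every entry as an IPv4 CIDR before it goes anywhere near an iptables command line, puts the ACCEPT rules in a dedicated chain (the chain name CLOUDFLARE is an assumption) that is flushed and rebuilt on each run, and inserts a single jump to that chain at the top of INPUT, ahead of the ufw and fail2ban chains. It only prints the iptables commands; pipe its output into sudo sh to apply them. The sample list is a constructed offline stand-in for https://www.cloudflare.com/ips-v4, with one bogus entry to show what the validation rejects; in real use, point it at the downloaded file. IPv6 is handled the same way with ip6tables and is left out here.

```shell
#!/bin/sh
# Added example: generate iptables commands that allow HTTP/HTTPS from a list of
# Cloudflare IPv4 ranges, using a dedicated chain (the name CLOUDFLARE is an
# assumption). Nothing is applied here; the commands are printed for review:
#   sh cf-rules.sh | sudo sh

# Constructed sample standing in for https://www.cloudflare.com/ips-v4.
# The real file is one CIDR per line; the third line is deliberately bogus.
SAMPLE_V4='173.245.48.0/20
103.21.244.0/22
not-an-ip
104.16.0.0/12'

# is_cidr4 STRING: succeed only for a.b.c.d/n with each octet 0-255 and n 0-32.
# Anything else (hostnames, HTML from an error page, extra words such as
# "-j DROP") is rejected so that it never reaches an iptables command line.
is_cidr4() {
    case "$1" in
        *[!0-9./]*|*/*/*|.*|*.|/*|*/) return 1 ;;
    esac
    ip=${1%/*}; plen=${1#*/}
    [ "$ip" != "$1" ] || return 1                       # no "/" at all
    [ "$plen" -ge 0 ] 2>/dev/null && [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs          # split the octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# cloudflare_rules LISTFILE CHAIN: print the commands that (re)build CHAIN from
# LISTFILE and hook it into INPUT once. Invalid lines go to stderr and are skipped.
cloudflare_rules() {
    listfile=$1; chain=$2
    # Create the chain, or flush it if a previous run already created it.
    printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$chain" "$chain"
    while IFS= read -r cidr || [ -n "$cidr" ]; do
        [ -n "$cidr" ] || continue
        if is_cidr4 "$cidr"; then
            printf 'iptables -A %s -s %s -p tcp -m multiport --dports http,https -j ACCEPT\n' "$chain" "$cidr"
        else
            printf 'skipping invalid entry: %s\n' "$cidr" >&2
        fi
    done < "$listfile"
    # One jump at the top of INPUT (-I), ahead of the ufw/fail2ban chains;
    # -C checks for it first so that re-running does not add a duplicate.
    jump="-p tcp -m multiport --dports http,https -j $chain"
    printf 'iptables -C INPUT %s 2>/dev/null || iptables -I INPUT %s\n' "$jump" "$jump"
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_V4" > "$tmp"
cloudflare_rules "$tmp" CLOUDFLARE
rm -f "$tmp"
```

Because the ranges live in their own chain, a refresh is just a fresh download (curl -fsS https://www.cloudflare.com/ips-v4 > ips-v4.txt) followed by another run of the generator; the INPUT chain itself is touched only once. Whether traffic that bypasses Cloudflare is actually blocked still depends on the rest of INPUT: the catch-all port-443 ACCEPT and any ufw allow for 80/443 have to go, and the default policy has to stay DROP, as it is in the listing above.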

Two things to note in that listing. First, the final rule, -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT, is the one appended earlier while troubleshooting the 521: it accepts port 443 from any source, so as long as it is there (or a ufw rule allows 80/443 from anywhere) direct connections that bypass Cloudflare are still accepted, and the per-range rules only add an earlier match. If the point of whitelisting is to accept web traffic only from Cloudflare's edge, remove it (sudo iptables -D INPUT -p tcp -m tcp --dport 443 -j ACCEPT) and make sure nothing else in the chain allows 80 or 443 from anywhere; the default policy -P INPUT DROP then takes care of the rest. Second, rules added from the command line are not persistent: they disappear on reboot unless saved, for example with the iptables-persistent package (sudo netfilter-persistent save), and they need to be regenerated whenever Cloudflare updates its ranges.
