How To: Whitelist CloudFlare IPs

Posted on Monday, June 15th, 2020 at 9:53 am and is filed under Articles |

When trying to set up Cloudflare DNS for SSL for my DigitalOcean Ubuntu server, I received an “Error 521” and started troubleshooting.

Essentially, when you are getting a 521 error on SSL (HTTPS) requests but non-SSL requests work fine, it usually indicates one of two things:

Your web server is not set-up to receive SSL connections.
Your firewall is blocking connections over SSL.
This behaviour can occur in Full and Full (Strict) mode, but not in Flexible mode, because in Flexible mode Cloudflare connects to your origin over plain-text HTTP on port 80 and never touches port 443.

If your web server is not configured to accept SSL connections, add that configuration before switching to Full or Full (Strict). If it is already configured, the problem is the firewall, and you need to allow inbound TCP port 443 on your server.

In iptables it is possible to open port 443 as follows:

iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Two caveats. First, -A appends the rule to the end of the INPUT chain; on a host that uses ufw (as in the listing further down), that puts it after the ufw-reject-input jump, so it may never be evaluated. Use -I INPUT to insert it at the top instead, or simply run ufw allow 443/tcp. Second, this rule opens port 443 to the whole internet; if your goal is to let only Cloudflare reach the origin, skip this rule and rely on the per-range rules below.

Cloudflare's documentation also has walkthroughs on using .htaccess or iptables to allow its IP addresses. The following examples show the format of an iptables rule that allows a single Cloudflare IP address range; replace $ip with one of the Cloudflare ranges.

For IPv4 address ranges:

iptables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT

For IPv6 address ranges:

ip6tables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT

The next step is to whitelist Cloudflare's IP ranges; there is a guide on how to whitelist Cloudflare IPs in iptables.

Loop through them using a quick for loop in your terminal

Cloudflare stores the IP addresses in two text files. These are in https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6. (These files are also linked from their help page on the topic).

Here are the two bash commands that loop through every range (iptables needs root, hence the sudo):

for ip in $(curl -fsS https://www.cloudflare.com/ips-v4); do sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s "$ip" -j ACCEPT; done
for ip in $(curl -fsS https://www.cloudflare.com/ips-v6); do sudo ip6tables -I INPUT -p tcp -m multiport --dports http,https -s "$ip" -j ACCEPT; done

Neither command prints much: iptables is silent on success, so the only output is whatever curl itself reports. The -f flag matters: without it, an HTTP error page from the download would be split into words and each one passed to iptables as a source address.
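As an added example (not the original post's code and not Cloudflare's own tooling), here is a more defensive version of the same procedure. It keeps the ranges in a dedicated chain named cloudflare (my choice of name; any unused name works), flushes and refills that chain on every run so stale ranges disappear and re-runs do not stack duplicate rules in INPUT, validates every line as an IPv4 or IPv6 CIDR before it reaches iptables, and downloads both lists before touching the firewall so a failed fetch can never leave the chain empty under a DROP policy. The SAMPLE_V4 and SAMPLE_V6 lists are constructed for an offline dry run and each ends in a deliberately malformed entry; with the apply argument the script fetches the live lists from the two Cloudflare URLs above.

```shell
#!/bin/sh
# Added example, not the page's or Cloudflare's code. Maintains a dedicated
# iptables/ip6tables chain holding Cloudflare's published ranges.
# Usage:  sh cf-allow.sh dry-run    (print the commands)
#         sudo sh cf-allow.sh apply (fetch the live lists and load them)
set -eu

IPT="${IPT:-iptables}"
IPT6="${IPT6:-ip6tables}"
CHAIN="${CHAIN:-cloudflare}"   # assumed chain name; anything not already in use works
DRY_RUN="${DRY_RUN:-0}"

# Constructed sample lists for offline use; the real ones come from
# https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.
# The last entry of each is deliberately malformed to show that it is rejected.
SAMPLE_V4='173.245.48.0/20
103.21.244.0/22
not-an-address'
SAMPLE_V6='2400:cb00::/32
2606:4700::/32
2400:cb00::/129'

# Strict syntactic checks: the list arrives over the network, so nothing reaches
# iptables unless it looks like dotted-quad/prefix (0-32) or hex-groups/prefix (0-128).
is_cidr4() {
  printf '%s\n' "$1" | grep -Eq \
    '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])/([0-9]|[12][0-9]|3[0-2])$'
}
is_cidr6() {
  printf '%s\n' "$1" | grep -Eiq \
    '^([0-9a-f]{1,4})?(:[0-9a-f]{0,4}){1,7}/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'
}

# filter_ranges 4|6: read candidate lines on stdin, pass well-formed ones through,
# and report the rest on stderr instead of handing them to iptables.
filter_ranges() {
  fam="$1"
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    if "is_cidr$fam" "$line"; then
      printf '%s\n' "$line"
    else
      printf 'skipping malformed IPv%s entry: %s\n' "$fam" "$line" >&2
    fi
  done
}

# run: execute the command, or print it when DRY_RUN=1.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }
# exists: true if the iptables query succeeds; in a dry run assume nothing exists yet.
exists() { [ "$DRY_RUN" = 1 ] && return 1; "$@" >/dev/null 2>&1; }

# load_chain <iptables binary> 4|6: read ranges on stdin, rebuild the chain with one
# ACCEPT per range, then make sure INPUT jumps to it for ports 80/443. Flushing and
# refilling makes the script idempotent and drops ranges Cloudflare no longer lists.
load_chain() {
  ipt="$1"; fam="$2"
  exists "$ipt" -S "$CHAIN" || run "$ipt" -N "$CHAIN"
  run "$ipt" -F "$CHAIN"
  filter_ranges "$fam" | while IFS= read -r ip; do
    run "$ipt" -A "$CHAIN" -s "$ip" -p tcp -m multiport --dports http,https -j ACCEPT
  done
  # -I puts the jump at the top of INPUT, ahead of any ufw/fail2ban chains.
  exists "$ipt" -C INPUT -p tcp -m multiport --dports http,https -j "$CHAIN" \
    || run "$ipt" -I INPUT -p tcp -m multiport --dports http,https -j "$CHAIN"
}

case "${1:-}" in
  apply|dry-run)
    [ "$1" = dry-run ] && DRY_RUN=1
    # Download both lists before touching the firewall: curl -f plus set -e aborts
    # on any HTTP/TLS error, so a failed fetch can never leave the chain empty.
    v4=$(curl -fsS https://www.cloudflare.com/ips-v4); [ -n "$v4" ]
    v6=$(curl -fsS https://www.cloudflare.com/ips-v6); [ -n "$v6" ]
    printf '%s\n' "$v4" | load_chain "$IPT" 4
    printf '%s\n' "$v6" | load_chain "$IPT6" 6
    ;;
  *) : ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

Run it from cron or a systemd timer and the chain tracks Cloudflare's list without manual edits; because the only rule added to INPUT is a single jump, the rest of your INPUT chain (ufw, fail2ban) stays untouched and easy to audit with iptables -S cloudflare.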

Now check that the rules are in place:

sudo iptables -S INPUT

You should see something like the following (the fail2ban and ufw chains are specific to this server). The -P INPUT DROP line is the chain's default policy, so anything not matched by an ACCEPT rule is dropped; because the loop used -I, each Cloudflare rule was inserted at the top of INPUT, ahead of the fail2ban and ufw chains, which is where you want it:

-P INPUT DROP
-A INPUT -s 131.0.72.0/22 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 172.64.0.0/13 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 104.16.0.0/12 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 162.158.0.0/15 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 198.41.128.0/17 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 197.234.240.0/22 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 188.114.96.0/20 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 190.93.240.0/20 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 108.162.192.0/18 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 141.101.64.0/18 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 103.31.4.0/22 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 103.22.200.0/22 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 103.21.244.0/22 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 173.245.48.0/20 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-wordpress-hard
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
