[AusNOG] Assistance Needed: Restricting Website Traffic to Cloudflare’s Network...

Anurag Bhatia me at anuragbhatia.com
Wed Nov 12 22:24:39 AEDT 2025 

Hi Michael


Unsure how well this setup will work with off-net Cloudflare caches. Unsure
of unicast IPs used by Cloudflare off-net caches but for other caches
including Akamai, GGC, FNA etc - they often sit on eyeball networks address
space and send out request from those providers IPs. Cloudflare is little
different since they do anycast and use their own IPs facing the end user
side. If unicast of those PoPs (which does the cache fill by connecting to
origin) is non-Cloudflare IP, this approach may not work.

Would be interesting to hear whenever you are able to resolve it.

On Wed, Nov 5, 2025 at 5:28 PM Michael Bullut <main at kipsang.com> wrote:

> Good Afternoon Good People,
>
> I am reaching out for some assistance with configuring a client’s website
> to accept traffic only from Cloudflare’s network.
>
> I have attempted to achieve this by editing the .htaccess file to allow
> Cloudflare’s IP ranges and deny all other connections. However, after
> applying the configuration, I’m receiving a *“Forbidden - Access is
> denied”* error.
>
> Here’s a summary of the situation:
>
>    - *Hosting environment:* nginx on cPanel.
>    - *Goal:* Restrict direct access to the origin server, allowing only
>    Cloudflare’s IP addresses.
>    - *Action taken:* Added allow/deny directives to .htaccess using
>    Cloudflare’s published IP ranges.
>    - *Issue:* Website becomes inaccessible *(403 Forbidden).*
>
> I have double-checked the syntax and updated Cloudflare’s IP list, but the
> issue persists. If anyone has experience setting this up or can suggest the
> correct configuration or an alternative approach *(e.g., using
> server-level configuration instead of .htaccess),* I would greatly
> appreciate your insight.
>
> Warm regards,
>
> Michael Bullut.
>
> ---
>
> *Cellphone:* *+254 723 393 114.*
> *Twitter:* *@MichaelBullut* <https://x.com/MichaelBullut>
> *Blog:* *http://www.kipsang.com/ <http://www.kipsang.com/>*
> *E-mail Address:* *main at kipsang.com* <main at kipsang.com>
>
> ---
>
>
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
> Virus-free.www.avast.com
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
> <#m_-3968893697956626161_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> https://lists.ausnog.net/mailman/listinfo/ausnog
>


-- 
Anurag Bhatia
anuragbhatia.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ausnog.net/pipermail/ausnog/attachments/20251112/a8b8a999/attachment.htm>

More information about the AusNOG mailing list