[AusNOG] Assistance Needed: Restricting Website Traffic to Cloudflare’s Network...
Christopher Hawker
chris at thesysadmin.au
Wed Nov 12 22:46:59 AEDT 2025
NGINX does not support the use of .htaccess files. You would need to convert it to the appropriate NGINX directives.
You would need to use something similar to the below, modified for your environment.
    server {
        listen 80;
        server_name example.com;

        location /admin {
            allow 192.0.2.0/24;
            allow 203.0.113.0/24;
            deny all;
        }

        location / {
            # Other configurations for the main site
        }
    }
To my knowledge, cPanel only supports the use of NGINX as a reverse proxy, as it still passes web content to an underlying Apache server (see https://docs.cpanel.net/knowledge-base/nginx/nginx-with-reverse-proxy/).
Regards,
Christopher Hawker
________________________________
From: AusNOG <ausnog-bounces at lists.ausnog.net> on behalf of Anurag Bhatia <me at anuragbhatia.com>
Sent: Wednesday, 12 November 2025 10:24 PM
To: Michael Bullut <main at kipsang.com>
Cc: ausnog at lists.ausnog.net <ausnog at lists.ausnog.net>
Subject: Re: [AusNOG] Assistance Needed: Restricting Website Traffic to Cloudflare’s Network...
Hi Michael
Unsure how well this setup will work with off-net Cloudflare caches. Unsure of the unicast IPs used by Cloudflare off-net caches, but other caches including Akamai, GGC, FNA etc. often sit in eyeball networks' address space and send out requests from those providers' IPs. Cloudflare is a little different since they do anycast and use their own IPs facing the end-user side. If the unicast address of those PoPs (which do the cache fill by connecting to the origin) is a non-Cloudflare IP, this approach may not work.
Would be interesting to hear whenever you are able to resolve it.
On Wed, Nov 5, 2025 at 5:28 PM Michael Bullut <main at kipsang.com> wrote:
Good Afternoon Good People,
I am reaching out for some assistance with configuring a client’s website to accept traffic only from Cloudflare’s network.
I have attempted to achieve this by editing the .htaccess file to allow Cloudflare’s IP ranges and deny all other connections. However, after applying the configuration, I’m receiving a “Forbidden - Access is denied” error.
Here’s a summary of the situation:
* Hosting environment: nginx on cPanel.
* Goal: Restrict direct access to the origin server, allowing only Cloudflare’s IP addresses.
* Action taken: Added allow/deny directives to .htaccess using Cloudflare’s published IP ranges.
* Issue: Website becomes inaccessible (403 Forbidden).
I have double-checked the syntax and updated Cloudflare’s IP list, but the issue persists. If anyone has experience setting this up or can suggest the correct configuration or an alternative approach (e.g., using server-level configuration instead of .htaccess), I would greatly appreciate your insight.
Warm regards,
Michael Bullut.
---
Cellphone: +254 723 393 114.
Twitter: @MichaelBullut <https://x.com/MichaelBullut>
Blog: http://www.kipsang.com/
E-mail Address: main at kipsang.com
---
--
Anurag Bhatia
anuragbhatia.com <https://anuragbhatia.com>
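Added example (not part of the original thread, and not cPanel's or Cloudflare's own code): one way to turn a published range list into the server-level NGINX allow/deny rules discussed above, and to check which connecting addresses those rules would admit. It assumes the list is plain text with one CIDR per line; SAMPLE_RANGES is constructed from documentation prefixes and stands in for the real list, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in one-CIDR-per-line form. These are documentation
# prefixes, NOT Cloudflare's real ranges; substitute the published list.
SAMPLE_RANGES = """\
192.0.2.0/24
203.0.113.0/24
# comment lines and blank lines are skipped

2001:db8:1000::/36
"""

def parse_ranges(text):
    """Return validated networks; raise ValueError on a malformed entry."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=True rejects entries with host bits set (e.g. 192.0.2.1/24)
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    if not nets:
        # An empty or failed download must not produce a bare "deny all;"
        raise ValueError("empty range list: refusing to emit rules")
    return nets

def render_nginx(nets):
    """Emit allow directives followed by deny all, for an NGINX include file."""
    ordered = sorted(nets, key=lambda n: (n.version, n))
    return "\n".join([f"allow {n};" for n in ordered] + ["deny all;"]) + "\n"

def is_allowed(nets, peer):
    """True if the connecting address falls inside one of the listed ranges."""
    addr = ipaddress.ip_address(peer)
    return any(addr.version == n.version and addr in n for n in nets)

if __name__ == "__main__":
    networks = parse_ranges(SAMPLE_RANGES)
    print(render_nginx(networks), end="")
    # Constructed peers: the address the server sees decides 200 versus 403.
    for peer in ("192.0.2.10", "198.51.100.7", "2001:db8:1000::1"):
        print(peer, "->", "200" if is_allowed(networks, peer) else "403")
```

The rendered text can be saved to a file and pulled into the relevant server or location block with an include directive. A peer outside every listed range, such as the off-net cache-fill case raised in the thread, gets the 403.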