<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
NGINX does not support the use of .htaccess files. You would need to convert it to the appropriate NGINX directives.</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
You would need to use something similar to the below, modified for your environment.</div>
<blockquote style="margin-left: 0.8ex; padding-left: 1ex; border-left: 3px solid rgb(200, 200, 200);">
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
server {</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
listen 80;</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
server_name example.com;</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
location /admin {</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
allow 192.0.2.0/24;</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
allow 203.0.113.0/24;</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
deny all;</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
}</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
location / {</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
# Other configurations for the main site</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
}</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
}</div>
</blockquote>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
To my knowledge, cPanel only supports the use of NGINX to act as a reverse proxy only, as it still passes web content to an underlying Apache server (see
<a href="https://docs.cpanel.net/knowledge-base/nginx/nginx-with-reverse-proxy/">
https://docs.cpanel.net/knowledge-base/nginx/nginx-with-reverse-proxy/</a>).</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
Regards,</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
Christopher Hawker</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> AusNOG <ausnog-bounces@lists.ausnog.net> on behalf of Anurag Bhatia <me@anuragbhatia.com><br>
<b>Sent:</b> Wednesday, 12 November 2025 10:24 PM<br>
<b>To:</b> Michael Bullut <main@kipsang.com><br>
<b>Cc:</b> ausnog@lists.ausnog.net <ausnog@lists.ausnog.net><br>
<b>Subject:</b> Re: [AusNOG] Assistance Needed: Restricting Website Traffic to Cloudflare’s Network...</font>
<div> </div>
</div>
<div>
<div dir="ltr">Hi Michael
<div><br>
</div>
<div><br>
</div>
<div>Unsure how well this setup will work with off-net Cloudflare caches. Unsure of unicast IPs used by Cloudflare off-net caches but for other caches including Akamai, GGC, FNA etc - they often sit on eyeball networks address space and send out request from
those providers IPs. Cloudflare is little different since they do anycast and use their own IPs facing the end user side. If unicast of those PoPs (which does the cache fill by connecting to origin) is non-Cloudflare IP, this approach may not work. </div>
<div><br>
</div>
<div>Would be interesting to hear whenever you are able to resolve it. </div>
</div>
<br>
<div class="x_gmail_quote x_gmail_quote_container">
<div dir="ltr" class="x_gmail_attr">On Wed, Nov 5, 2025 at 5:28 PM Michael Bullut <<a href="mailto:main@kipsang.com">main@kipsang.com</a>> wrote:<br>
</div>
<blockquote class="x_gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div dir="ltr">
<div>
<div>Good Afternoon Good People,</div>
<div><br>
</div>
<div>I am reaching out for some assistance with configuring a client’s website to accept traffic only from Cloudflare’s network.<br>
<br>
I have attempted to achieve this by editing the .htaccess file to allow Cloudflare’s IP ranges and deny all other connections. However, after applying the configuration, I’m receiving a
<b>“Forbidden - Access is denied”</b> error.<br>
<br>
Here’s a summary of the situation:<br>
<ul>
<li><b><u>Hosting environment:</u></b> nginx on cPanel.</li><li><b><u>Goal:</u></b> Restrict direct access to the origin server, allowing only Cloudflare’s IP addresses.</li><li><u><b>Action taken:</b></u> Added allow/deny directives to .htaccess using Cloudflare’s published IP ranges.</li><li><u><b>Issue:</b></u> Website becomes inaccessible <i>(403 Forbidden).</i></li></ul>
I have double-checked the syntax and updated Cloudflare’s IP list, but the issue persists. If anyone has experience setting this up or can suggest the correct configuration or an alternative approach
<i>(e.g., using server-level configuration instead of .htaccess),</i> I would greatly appreciate your insight.</div>
</div>
<div><br>
</div>
<div>
<div dir="ltr" class="x_gmail_signature">
<div dir="ltr">Warm regards, <br>
<br>
Michael Bullut. <br>
<br>
--- <br>
<br>
<b><u>Cellphone:</u></b> <i>+254 723 393 114.</i>
<div><b><u>Twitter:</u></b> <a href="https://x.com/MichaelBullut" target="_blank"><i>@MichaelBullut</i></a></div>
<div><u><b>Blog:</b></u> <i><a href="http://www.kipsang.com/" target="_blank">http://www.kipsang.com/</a></i><br>
<b><u>E-mail Address:</u></b> <a href="mailto:main@kipsang.com" target="_blank"><i>main@kipsang.com</i></a><br>
<br>
---</div>
</div>
</div>
</div>
</div>
<div id="x_m_-3968893697956626161DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2"><br>
<table style="border-top:1px solid rgb(211,212,222)">
<tbody>
<tr>
<td style="width:55px; padding-top:13px"><a href="https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail" target="_blank"><img alt="" width="46" height="29" style="width:46px; height:29px" src="https://s-install.avcdn.net/ipm/preview/icons/icon-envelope-tick-round-orange-animated-no-repeat-v1.gif"></a></td>
<td style="width:470px; padding-top:12px; color:rgb(65,66,78); font-size:13px; font-family:Arial,Helvetica,sans-serif; line-height:18px">
Virus-free.<a href="https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail" target="_blank" style="color:rgb(68,83,234)">www.avast.com</a></td>
</tr>
</tbody>
</table>
<a href="#x_m_-3968893697956626161_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2" width="1" height="1"></a></div>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="https://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">https://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</blockquote>
</div>
<div><br clear="all">
</div>
<div><br>
</div>
<span class="x_gmail_signature_prefix">-- </span><br>
<div dir="ltr" class="x_gmail_signature">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div><span style="font-family:arial,helvetica,sans-serif">Anurag Bhatia</span><br>
</div>
<div></div>
<div><font face="arial, helvetica, sans-serif"><a href="https://anuragbhatia.com" target="_blank">anuragbhatia.com</a></font></div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>