Jun 13, 2025

Auto-Update UFW with Cloudflare IPs - Bash Script

Automatically update UFW firewall with Cloudflare IP ranges. Protect your origin server from DDoS attacks with this bash script and cron job.

Protect Your Origin Server with Cloudflare IP Whitelisting

When you’re serving a website behind Cloudflare, one of the smartest things you can do to harden your origin server is block all non-Cloudflare traffic. That means: only allow inbound HTTP/HTTPS traffic from Cloudflare’s IP ranges. But here’s the catch—Cloudflare can (and does) update its IP ranges regularly. Manually keeping your UFW firewall rules synced? No thanks.

This comprehensive guide will show you how to automatically pull the latest Cloudflare IPs and apply them to UFW on your Linux server using a bash script. We’ll automate the entire process with a daily cron job so your server stays protected without manual intervention. Copy-paste friendly. Set-and-forget style.

What you’ll learn:

  • Why whitelisting Cloudflare IPs is critical for origin server security
  • How to create an automated UFW update script
  • Setting up cron jobs for automatic IP range updates
  • Best practices for Cloudflare + UFW + Nginx configurations

You built your stack to scale. Time to secure it to survive.

Why Should You Only Allow Cloudflare IPs?

When you point your domain to Cloudflare, traffic is routed through their edge nodes. However, if someone discovers your origin IP, they can bypass Cloudflare entirely.

Blocking non-Cloudflare IPs at the firewall ensures:

  • DDoS attacks are mitigated upstream.
  • Bad actors can’t probe your server directly.
  • Your actual infrastructure stays hidden and protected.

This is especially crucial if you’re running:

  • WordPress (hello XML-RPC attacks)
  • Node.js APIs with rate-limited endpoints
  • Any dynamic site that shouldn’t be publicly reachable on ports 80 and 443

You really don’t want your origin IP to leak.


Step-by-Step: Auto Add Cloudflare IPs to UFW

Let’s get down to it.

1. The Shell Script

Create a file called /usr/local/bin/cloudflare-ufw.sh and paste in the following:

#!/bin/bash
# Pull Cloudflare's published IPv4/IPv6 ranges and allow them through UFW on
# ports 80 and 443. This only restricts traffic if UFW's default incoming
# policy is deny, so that anything not listed here is dropped.
set -euo pipefail

# Cloudflare IP sources
CF_IPV4_URL="https://www.cloudflare.com/ips-v4"
CF_IPV6_URL="https://www.cloudflare.com/ips-v6"

# Temporary files, removed on exit even if the script fails part-way
TMP_IPV4=$(mktemp)
TMP_IPV6=$(mktemp)
CURRENT_UFW=$(mktemp)
trap 'rm -f "$TMP_IPV4" "$TMP_IPV6" "$CURRENT_UFW"' EXIT

# Save the CIDRs already present in UFW rules to avoid duplicates
# (|| true: an empty rule set is not an error)
ufw status | grep -Eo '[0-9a-fA-F:.]+/[0-9]+' > "$CURRENT_UFW" || true

# Download current IPs; -f makes curl fail on an HTTP error instead of saving
# the error page as if it were an IP list
curl -fsS --retry 3 "$CF_IPV4_URL" -o "$TMP_IPV4"
curl -fsS --retry 3 "$CF_IPV6_URL" -o "$TMP_IPV6"

# Refuse to continue if either download came back empty
if [ ! -s "$TMP_IPV4" ] || [ ! -s "$TMP_IPV6" ]; then
  echo "Cloudflare IP download returned no data; leaving UFW unchanged" >&2
  exit 1
fi

# Add IPs to UFW if not present. -x -F: whole-line, literal match, so that
# 1.0.0.0/24 is not mistaken for 11.0.0.0/24 and dots are not regex wildcards.
add_ip() {
  local ip=$1
  if ! grep -qxF -- "$ip" "$CURRENT_UFW"; then
    echo "Allowing $ip on ports 80, 443"
    ufw allow from "$ip" to any port 443 proto tcp comment 'Cloudflare'
    ufw allow from "$ip" to any port 80 proto tcp comment 'Cloudflare'
  else
    echo "$ip already allowed"
  fi
}

# Loop over IPs, skipping blank lines and handling a missing final newline
while read -r ip || [ -n "$ip" ]; do [ -z "$ip" ] || add_ip "$ip"; done < "$TMP_IPV4"
while read -r ip || [ -n "$ip" ]; do [ -z "$ip" ] || add_ip "$ip"; done < "$TMP_IPV6"

# Reload firewall
ufw reload

Then make it executable:

sudo chmod +x /usr/local/bin/cloudflare-ufw.sh

2. Automate with Cron

Open your crontab:

sudo crontab -e

Add this line to run the script daily at 3:00 AM:

0 3 * * * /usr/local/bin/cloudflare-ufw.sh >> /var/log/cloudflare-ufw.log 2>&1

Now, your server will auto-update its UFW rules with the latest Cloudflare IPs every day.
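The script above only ever adds ranges: when Cloudflare retires a range, its allow rule stays in UFW. The following is an added example, not code from the original post, that reconciles the rules tagged with the 'Cloudflare' comment against the downloaded lists, deleting stale ranges as well as adding new ones. The sample `ufw status numbered` output and fetched list are constructed (198.51.100.0/24, 192.0.2.0/24 and 203.0.113.7 are documentation addresses), and `cf_allowed_cidrs`, `plan`, `apply` and `DRY_RUN` are names introduced here.

```shell
#!/bin/bash
# Added example, not part of the original post: reconcile UFW's Cloudflare rules
# against the fetched lists, so retired ranges are deleted as well as new ones
# added. Assumes the rules carry the 'Cloudflare' comment, as in the script above.
set -eu

# Constructed sample of `ufw status numbered` output; 173.245.48.0/20 is a real
# Cloudflare range, the other addresses are RFC 5737 documentation ranges.
SAMPLE_UFW_STATUS='Status: active
     To                         Action      From
[ 1] 22/tcp                     ALLOW IN    203.0.113.7
[ 2] 443/tcp                    ALLOW IN    173.245.48.0/20            # Cloudflare
[ 3] 80/tcp                     ALLOW IN    173.245.48.0/20            # Cloudflare
[ 4] 443/tcp                    ALLOW IN    198.51.100.0/24            # Cloudflare
[ 5] 80/tcp                     ALLOW IN    198.51.100.0/24            # Cloudflare'
# Constructed stand-in for the concatenated ips-v4 and ips-v6 downloads.
SAMPLE_CF_LIST='173.245.48.0/20
192.0.2.0/24'

# CIDRs currently allowed under the Cloudflare comment, one per line, sorted
cf_allowed_cidrs() {
  printf '%s\n' "$1" | grep -F '# Cloudflare' | grep -Eo '[0-9a-fA-F:.]+/[0-9]+' | sort -u
}

# plan STATUS LIST: emit "add <cidr>" for new ranges and "del <cidr>" for stale
# ones; only well-formed CIDR lines from the download are accepted.
plan() {
  local have want c
  have=$(cf_allowed_cidrs "$1")
  want=$(printf '%s\n' "$2" | grep -E '^[0-9a-fA-F:.]+/[0-9]+$' | sort -u)
  for c in $want; do printf '%s\n' "$have" | grep -qxF -- "$c" || echo "add $c"; done
  for c in $have; do printf '%s\n' "$want" | grep -qxF -- "$c" || echo "del $c"; done
}

# apply: read a plan on stdin and issue the ufw commands (printed, not run, when DRY_RUN=1)
apply() {
  local run=ufw op cidr port
  if [ "${DRY_RUN:-0}" = 1 ]; then run="echo ufw"; fi
  while read -r op cidr; do
    for port in 80 443; do
      case $op in
        add) $run allow from "$cidr" to any port "$port" proto tcp comment 'Cloudflare' ;;
        del) $run delete allow from "$cidr" to any port "$port" proto tcp ;;
      esac
    done
  done
}

# Real run, as root (the echo keeps the two lists on separate lines):
# plan "$(ufw status numbered)" "$(curl -fsS https://www.cloudflare.com/ips-v4; echo; curl -fsS https://www.cloudflare.com/ips-v6)" | apply
```

Whichever variant you run, the allow rules only restrict anything when UFW's default incoming policy is deny (`ufw default deny incoming`); without that, non-Cloudflare traffic still reaches the origin.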


Don’t Forget SSH

Locking down HTTP/HTTPS is great, but don’t accidentally lock yourself out of SSH. Always whitelist your SSH IP separately.

ufw allow from YOUR_STATIC_IP to any port 22 proto tcp

For Nginx + Cloudflare Fans

If you’re using Nginx, pair this UFW strategy with Nginx’s real IP module so your logs record the visitor’s address from Cloudflare’s CF-Connecting-IP header rather than the edge node’s, using:

real_ip_header CF-Connecting-IP;
set_real_ip_from 173.245.48.0/20;
# Add the rest of Cloudflare’s IPs here too

That way, you see real visitor IPs, not just Cloudflare’s edge IPs in your logs.


Final Thoughts

Setting up automatic Cloudflare IP updates for UFW is one of the simplest but most effective things you can do to harden your infrastructure. It costs nothing, takes 10 minutes, and saves you from:

  • Exposure to IP-based attacks
  • Forgotten firewall rules
  • Scrambling when IP ranges change
