Cloudflare Docs
Cloudflare Fundamentals
Cloudflare Fundamentals
Visit Cloudflare Fundamentals on GitHub
Set theme to dark (⇧+D)

Allow Cloudflare IP addresses

Because of how Cloudflare works, all traffic to proxied DNS records passes through Cloudflare before reaching your origin server. This means that your origin server will stop receiving traffic from individual visitor IP addresses and instead receive traffic from Cloudflare IP addresses, which are shared by all proxied hostnames.

This setup can cause issues if your origin server blocks or rate limits connections from Cloudflare IP addresses. Because all visitor traffic will appear to come from Cloudflare IP addresses, blocking these IPs — even accidentally — will prevent visitor traffic from reaching your application.

For Magic Transit customers, Cloudflare routes the traffic instead of proxying it. Once Cloudflare starts advertising your IP prefixes, it will accept IP packets destined for your network, process them, and then output these packets to your origin infrastructure.

​​ Review external tools

To avoid blocking Cloudflare IP addresses unintentionally, review your external tools to check that:

​​ Configure origin server

​​ Allowlist Cloudflare IP addresses

To avoid blocking Cloudflare IP addresses unintentionally, you also want to allow Cloudflare IP addresses at your origin web server.

You can explicitly allow these IP addresses with a .htaccess file or by using iptables.

The following example demonstrates how your could use an iptables rule to allow a Cloudflare IP address range. Replace $ip below with one of the Cloudflare IP address ranges.


# For IPv4 addresses
iptables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT
# For IPv6 addresses
ip6tables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT

For more specific guidance, contact your hosting provider or website administrator.

As a best practice, we also recommend that you explicitly block all traffic that does not come from Cloudflare IP addresses or the IP addresses of your trusted partners, vendors, or applications.

For example, you might update your iptables with the following commands:


# For IPv4 addresses
$ iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP
# For IPv6 addresses
$ ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP

For more specific guidance, contact your hosting provider or website administrator.

​​ Additional recommendations

​​ Further protection

For further recommendations on securing your origin server, refer to our guide on protecting your origin server.

​​ Visitor IP information

Because your origin server will receive Cloudflare IP addresses instead of visitor IP addresses, your server will return Cloudflare IP addresses when logging or responding to requests.

If you want sampled logs of visitor IP addresses and are on an Enterprise plan, we recommend that you use Cloudflare Logs.

Alternatively, if you want non-sampled logs directly from your server or your application’s response depends on the incoming IP address of an individual visitor, you can also restore visitor IP addresses.