Allowing only CloudFlare through your Firewall

Categories: Guides

CloudFlare … it’s free, has awesome features, and guards against DDoS attacks and a range of other threats.

Using it seems like a solid choice for any HTTP(S) based project you might have, and it’s tempting to assume that so long as you don’t publish your real server address, you’re safe. Right?

Well, no … between port scans, recycled IPs, DNS history, and ancillary services (like email) that leak the address, it’s entirely possible that your server will get some inconsiderate calls to its home address, in spite of your best efforts at proxying.

Thankfully CloudFlare publishes the IP ranges its proxies connect from (https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6; this guide calls them origins), which you can use to limit HTTP(S) access in your firewall settings. What they don’t provide is a way to know when these ranges change; for that you can set up a Latestver notification to alert you of any future updates. One caveat: an IP allow-list only stops direct connections. Any CloudFlare customer can point their own zone at your server and still reach it through CloudFlare’s proxies, so if that matters, pair the firewall rule with CloudFlare’s Authenticated Origin Pulls (a client certificate that your web server verifies).

Comma-separated list of origins

Use the following bash snippet to generate a comma-separated list of origins (the form the AWS/EC2 console accepts as a rule source):

#!/bin/bash
# Fetch CloudFlare's published IPv4 ranges (one CIDR per line); -f makes curl
# fail on an HTTP error instead of capturing an error page as "ranges".
IPS=($(curl -fs https://www.cloudflare.com/ips-v4))
# Join with commas; IFS is changed only inside the subshell.
echo $(IFS=, ; echo "${IPS[*]}")

Alternatively you can change IFS=, to whatever delimiter your firewall requires. If your instance also has a public IPv6 address, run the same snippet against https://www.cloudflare.com/ips-v6 and add those ranges too, otherwise IPv6 traffic is either blocked entirely or, worse, left open by a pre-existing rule.

AWS/EC2 firewall configuration

Here is the setup for EC2, but the technique will work with any firewall.

Create a new Security Group with inbound TCP 80 and TCP 443 rules whose sources are the CloudFlare origins only.

Apply the security group to your EC2 instances, and remove any existing HTTP(S) inbound rules (in particular anything sourced from 0.0.0.0/0 or ::/0 on ports 80 and 443, which would silently undo the restriction).
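The same procedure scripted, as an added example that is not code from the original post: it validates the downloaded IPv4 list (so an HTML error page or an empty response never becomes a firewall rule) and emits the IpPermissions JSON that `aws ec2 authorize-security-group-ingress --ip-permissions` accepts for TCP 80 and 443. The sample list and the security-group id in the usage comment are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): build EC2 security-group
# ingress rules for HTTP/HTTPS from CloudFlare's published IPv4 ranges.
set -eu

# Constructed sample in the format of https://www.cloudflare.com/ips-v4
# (one CIDR per line). Real use: CF_V4=$(curl -fs https://www.cloudflare.com/ips-v4)
SAMPLE_CF_V4='173.245.48.0/20
103.21.244.0/22
103.22.200.0/22'

# Print only well-formed IPv4 CIDR lines; fail on the first line that is not
# one, so a captured error page or a truncated download is never applied.
valid_cidr_list() {
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    if ! printf '%s\n' "$line" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'; then
      echo "rejected line: $line" >&2
      return 1
    fi
    printf '%s\n' "$line"
  done <<EOF
$1
EOF
}

# Build the IpPermissions JSON: one entry each for TCP 80 and TCP 443, both
# sourced only from the validated ranges. Refuses an empty list, because an
# empty download must not produce rules with no sources.
ec2_ip_permissions() {
  cidrs=$(valid_cidr_list "$1") || return 1
  [ -n "$cidrs" ] || { echo "empty IP list, refusing to build rules" >&2; return 1; }
  ranges=""
  for cidr in $cidrs; do
    ranges="${ranges:+$ranges,}{\"CidrIp\":\"$cidr\",\"Description\":\"CloudFlare\"}"
  done
  printf '[{"IpProtocol":"tcp","FromPort":80,"ToPort":80,"IpRanges":[%s]},' "$ranges"
  printf '{"IpProtocol":"tcp","FromPort":443,"ToPort":443,"IpRanges":[%s]}]\n' "$ranges"
}

# Real run (sg-0123456789abcdef0 is a placeholder for your new group's id):
#   aws ec2 authorize-security-group-ingress --group-id sg-0123456789abcdef0 \
#     --ip-permissions "$(ec2_ip_permissions "$(curl -fs https://www.cloudflare.com/ips-v4)")"
ec2_ip_permissions "$SAMPLE_CF_V4"
```

The IPv6 list (https://www.cloudflare.com/ips-v6) needs a separate pass with an IPv6 pattern and goes into `Ipv6Ranges` rather than `IpRanges`; the rest of the JSON is identical. Re-running the script after the list changes is safe in the sense that AWS rejects duplicate rules, but removed ranges have to be revoked explicitly with `aws ec2 revoke-security-group-ingress`.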

Notifications of changes to the origin list

CloudFlare doesn’t provide an official mechanism for receiving updates to the origin list. However, the Latestver project tracks the contents of the official text files, producing a checksum and allowing notifications through IFTTT.

Latestver

  • Follow the Latestver Notification Guide to set up a notification for the entry cloudflare:ips-v4 (and cloudflare:ips-v6 if you allow-listed the IPv6 ranges)
  • You can receive notifications to Slack, Email, or any IFTTT supported target.
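If you would rather not depend on a third-party tracker, the same idea (hash the published text file, compare with the hash seen last time) is a few lines of shell. This is an added example, not part of the original post or of Latestver; the sample lists are constructed, and the state file path and the notification hook are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or Latestver): self-hosted change
# detection for CloudFlare's IP list, suitable for a cron job.
set -eu

# Constructed samples standing in for: curl -fs https://www.cloudflare.com/ips-v4
SAMPLE_LIST_OLD='173.245.48.0/20
103.21.244.0/22'
SAMPLE_LIST_NEW='173.245.48.0/20
103.21.244.0/22
103.22.200.0/22'

# SHA-256 of stdin, portable across sha256sum (GNU) and shasum (BSD/macOS).
sha256_of_stdin() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -d' ' -f1
  else
    shasum -a 256 | cut -d' ' -f1
  fi
}

# Compare the list text ($1) with the hash stored in the state file ($2).
# Prints "changed", records the new hash and returns 0 when the hash differs
# or no state exists yet; prints "unchanged" and returns 1 otherwise. The exit
# status is the notification trigger, e.g. in cron (assumed paths/hook):
#   check_ip_list "$(curl -fs https://www.cloudflare.com/ips-v4)" /var/lib/cf-ips.sha256 && notify-slack
check_ip_list() {
  list_text=$1; state_file=$2
  new_sum=$(printf '%s\n' "$list_text" | sha256_of_stdin)
  old_sum=""
  if [ -f "$state_file" ]; then
    old_sum=$(cat "$state_file")
  fi
  if [ "$new_sum" = "$old_sum" ]; then
    echo unchanged
    return 1
  fi
  printf '%s\n' "$new_sum" > "$state_file"
  echo changed
  return 0
}

# Demonstration against a throw-away state file.
demo_state=$(mktemp)
rm -f "$demo_state"
check_ip_list "$SAMPLE_LIST_OLD" "$demo_state"            # changed (first run)
check_ip_list "$SAMPLE_LIST_OLD" "$demo_state" || true    # unchanged
check_ip_list "$SAMPLE_LIST_NEW" "$demo_state"            # changed
rm -f "$demo_state"
```

Run it with the real `curl -fs` output (the `-f` matters: a failed download would otherwise hash an error page and fire a false alarm), and treat "changed" as the cue to regenerate and re-apply the firewall rules rather than as an automatic apply, since the new list needs the same validation as the first one.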