How to allow only CloudFlare to access your web sites through your firewall

Should work, but keep an eye out for changing IP addresses.

One can poll these:
https://www.cloudflare.com/ips-v4
https://www.cloudflare.com/ips-v6
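An added example (not code from any poster in this thread) showing how a polled list would be turned into ufw rules while refusing to act on an empty or malformed list, the main failure mode when this is automated: a failed download must not leave the firewall without its allow-list. The list below is constructed for the example, and port 443 and the curl fetch are assumptions.

```shell
#!/bin/sh
# Turn a Cloudflare IP list into ufw rules, refusing to act on an empty
# or malformed list. The real lists come from the URLs in the post above,
# e.g. curl -fsS https://www.cloudflare.com/ips-v4 > /tmp/cf-v4.txt
# (assumed fetch command). Sample list constructed for this example:
SAMPLE_V4='173.245.48.0/20
103.21.244.0/22
not-an-address
198.41.128.0/17'

# Keep only lines that look like an IPv4 or IPv6 CIDR prefix, so a
# captive-portal page or error body fetched by mistake yields nothing.
valid_cidrs() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$|^[0-9a-fA-F]*:[0-9a-fA-F:]*/[0-9]{1,3}$' || true
}

# Print the ufw commands allowing TCP on $1 from each valid prefix.
# Prints nothing and returns 1 when no valid prefix survives, so a
# broken download never produces a rule set to apply. Stale prefixes
# from an earlier run still need deleting separately (ufw delete).
ufw_rules_for() {
    port="$1"
    list=$(valid_cidrs)
    [ -n "$list" ] || return 1
    printf '%s\n' "$list" | while IFS= read -r cidr; do
        printf 'ufw allow from %s to any port %s proto tcp\n' "$cidr" "$port"
    done
}

# Number of rules a list yields; check it against the expected size
# (the published lists have well over a dozen entries) before applying.
rule_count() {
    ufw_rules_for "$1" | wc -l | tr -d ' '
}

# Show the rules for the sample list; review, then pipe into sh to apply.
printf '%s\n' "$SAMPLE_V4" | ufw_rules_for 443
```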

Yes, the script repo I referenced suggested running the script weekly, but I am leery of letting things like that run automatically.

Florian Schulze kindly emailed me to suggest using Cloudflare's authenticated origin pulls, described at https://support.cloudflare.com/hc/en-us/articles/204494148-Setting-up-NGINX-to-use-TLS-Authenticated-Origin-Pulls. With this method, you don't have to worry that Cloudflare may have changed its IP addresses (the reason why you would need to update your ufw rules periodically).

Cloudflare SSL client-side certificate authentication as described at https://blog.cloudflare.com/introducing-tls-client-auth/ is only for paid enterprise plans.