If you're running a website behind Cloudflare, one of the first things you need to do is whitelist Cloudflare's IP ranges on your origin server. Without this, your server either blocks legitimate Cloudflare traffic or — worse — accepts direct connections that bypass Cloudflare entirely, exposing your real IP and defeating the purpose of using Cloudflare in the first place.
This guide covers everything: the current IP ranges, how to whitelist them in Nginx, Apache, nftables, and UFW, how to restore real visitor IPs, and how a modern server panel like Panelica handles all of this automatically.
Why You Need to Whitelist Cloudflare IPs
When Cloudflare proxies your website (the orange cloud icon), all traffic to your server comes from Cloudflare's edge network — not from your visitors directly. This means:
- Your server sees Cloudflare's IP addresses, not your visitors' real IPs
- Rate limiting and firewall rules may incorrectly block Cloudflare
- Access logs show Cloudflare IPs instead of actual visitor IPs
- Direct access to your origin IP should be blocked to prevent Cloudflare bypass
The solution is a two-part approach: whitelist Cloudflare IPs so their traffic is always allowed, and block everything else on ports 80/443 to force all traffic through Cloudflare.
Current Cloudflare IP Ranges (2026, Updated)
Cloudflare publishes their IP ranges at cloudflare.com/ips. Here are the current ranges:
IPv4 Ranges (15 CIDR Blocks)
```text
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
131.0.72.0/22
```
IPv6 Ranges (7 CIDR Blocks)
```text
2400:cb00::/32
2606:4700::/32
2803:f800::/32
2405:b500::/32
2405:8100::/32
2a06:98c0::/29
2c0f:f248::/32
```
Important: These ranges can change. Cloudflare recommends checking https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 periodically, or using their API endpoint https://api.cloudflare.com/client/v4/ips for automation.
Step 1: Whitelist Cloudflare IPs in Nginx
Nginx is the most common web server paired with Cloudflare. Here's how to configure it properly:
Create a Cloudflare IP config file
```nginx
# /etc/nginx/conf.d/cloudflare-ips.conf
# Cloudflare IPv4
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
# Cloudflare IPv6
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;
# Use the CF-Connecting-IP header to get the real visitor IP
real_ip_header CF-Connecting-IP;
# real_ip_header X-Forwarded-For; # Alternative header
```
The `real_ip_header CF-Connecting-IP` directive tells Nginx to use Cloudflare's header to determine the actual visitor IP, and the `set_real_ip_from` lines restrict which peers that header is trusted from, so a client that connects to your origin directly cannot forge it. This is critical for access logs, rate limiting, and geo-blocking to work correctly.
Restrict direct access (optional but recommended)
One gotcha: once the realip module above is active, `$remote_addr` already holds the visitor's address by the time Nginx evaluates `allow`/`deny`, so a plain `allow <Cloudflare ranges>; deny all;` block would lock out every visitor. Match the original TCP peer address, `$realip_remote_addr`, with a `geo` map instead:

```nginx
# /etc/nginx/conf.d/cloudflare-access.conf (http context)
# $realip_remote_addr is the address of the TCP peer (Cloudflare's edge),
# even after real_ip_header has rewritten $remote_addr to the visitor's IP.
geo $realip_remote_addr $from_cloudflare {
    default 0;
    # Cloudflare IPv4
    173.245.48.0/20 1;
    103.21.244.0/22 1;
    103.22.200.0/22 1;
    103.31.4.0/22 1;
    141.101.64.0/18 1;
    108.162.192.0/18 1;
    190.93.240.0/20 1;
    188.114.96.0/20 1;
    197.234.240.0/22 1;
    198.41.128.0/17 1;
    162.158.0.0/15 1;
    104.16.0.0/13 1;
    104.24.0.0/14 1;
    172.64.0.0/13 1;
    131.0.72.0/22 1;
    # Cloudflare IPv6
    2400:cb00::/32 1;
    2606:4700::/32 1;
    2803:f800::/32 1;
    2405:b500::/32 1;
    2405:8100::/32 1;
    2a06:98c0::/29 1;
    2c0f:f248::/32 1;
}
```

Then, in your server block:

```nginx
# Refuse anything that did not arrive via Cloudflare, to prevent origin IP exposure
if ($from_cloudflare = 0) {
    return 403;
}
```
After adding these files, test and reload Nginx:
```bash
nginx -t && systemctl reload nginx
```
Step 2: Whitelist Cloudflare IPs in Apache
For Apache, you'll use mod_remoteip to restore real visitor IPs and optionally restrict access:
Enable mod_remoteip
```bash
a2enmod remoteip
systemctl restart apache2
```
Configure RemoteIP
```apache
# /etc/apache2/conf-available/cloudflare.conf
# The header is only honoured when the connection comes from a trusted proxy,
# so list both the IPv4 and the IPv6 ranges, or IPv6 visitors keep Cloudflare's IP.
RemoteIPHeader CF-Connecting-IP
# Cloudflare IPv4
RemoteIPTrustedProxy 173.245.48.0/20
RemoteIPTrustedProxy 103.21.244.0/22
RemoteIPTrustedProxy 103.22.200.0/22
RemoteIPTrustedProxy 103.31.4.0/22
RemoteIPTrustedProxy 141.101.64.0/18
RemoteIPTrustedProxy 108.162.192.0/18
RemoteIPTrustedProxy 190.93.240.0/20
RemoteIPTrustedProxy 188.114.96.0/20
RemoteIPTrustedProxy 197.234.240.0/22
RemoteIPTrustedProxy 198.41.128.0/17
RemoteIPTrustedProxy 162.158.0.0/15
RemoteIPTrustedProxy 104.16.0.0/13
RemoteIPTrustedProxy 104.24.0.0/14
RemoteIPTrustedProxy 172.64.0.0/13
RemoteIPTrustedProxy 131.0.72.0/22
# Cloudflare IPv6
RemoteIPTrustedProxy 2400:cb00::/32
RemoteIPTrustedProxy 2606:4700::/32
RemoteIPTrustedProxy 2803:f800::/32
RemoteIPTrustedProxy 2405:b500::/32
RemoteIPTrustedProxy 2405:8100::/32
RemoteIPTrustedProxy 2a06:98c0::/29
RemoteIPTrustedProxy 2c0f:f248::/32
# If your LogFormat uses %h, switch it to %a so access logs show the restored visitor IP
```
```bash
a2enconf cloudflare && systemctl reload apache2
```
Step 3: Firewall-Level Whitelisting
Web server config alone isn't enough — you should also whitelist at the firewall level. This prevents any non-Cloudflare traffic from reaching your web server at all.
nftables (Modern Linux)
```nft
#!/usr/sbin/nft -f
# /etc/nftables.d/cloudflare.nft
define cloudflare_ipv4 = {
    173.245.48.0/20,
    103.21.244.0/22,
    103.22.200.0/22,
    103.31.4.0/22,
    141.101.64.0/18,
    108.162.192.0/18,
    190.93.240.0/20,
    188.114.96.0/20,
    197.234.240.0/22,
    198.41.128.0/17,
    162.158.0.0/15,
    104.16.0.0/13,
    104.24.0.0/14,
    172.64.0.0/13,
    131.0.72.0/22
}
define cloudflare_ipv6 = {
    2400:cb00::/32,
    2606:4700::/32,
    2803:f800::/32,
    2405:b500::/32,
    2405:8100::/32,
    2a06:98c0::/29,
    2c0f:f248::/32
}
table inet cloudflare_filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # Allow established connections
        ct state established,related accept
        # Allow loopback
        iif lo accept
        # ICMP/ICMPv6 must pass, or IPv6 neighbour discovery and path MTU discovery break
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # Allow SSH (adjust port as needed)
        tcp dport 22 accept
        # Allow Cloudflare IPs on HTTP/HTTPS, over both address families
        ip saddr $cloudflare_ipv4 tcp dport { 80, 443 } accept
        ip6 saddr $cloudflare_ipv6 tcp dport { 80, 443 } accept
        # Drop everything else on 80/443 (already implied by policy drop; kept to document intent)
        tcp dport { 80, 443 } drop
    }
}
```
UFW (Ubuntu's Uncomplicated Firewall)
```bash
# Make sure IPV6=yes is set in /etc/default/ufw, or the IPv6 rules below are silently ignored
# Allow Cloudflare IPv4 ranges
for ip in 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 \
    141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 \
    197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 \
    104.24.0.0/14 172.64.0.0/13 131.0.72.0/22; do
  ufw allow from "$ip" to any port 80,443 proto tcp
done
# Allow Cloudflare IPv6 ranges
for ip in 2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 \
    2405:8100::/32 2a06:98c0::/29 2c0f:f248::/32; do
  ufw allow from "$ip" to any port 80,443 proto tcp
done
# Deny direct access on 80/443 (appended after the allows, so they take precedence)
ufw deny 80/tcp
ufw deny 443/tcp
```
Note: UFW processes rules in order, so the allow rules must come before the deny rules.
Step 4: Automate IP Range Updates
Cloudflare occasionally adds new IP ranges. Here's a script to keep your whitelist current:
```bash
#!/bin/bash
# /opt/scripts/update-cloudflare-ips.sh
# Run weekly via cron: 0 3 * * 0 /opt/scripts/update-cloudflare-ips.sh
set -euo pipefail

CONF=/etc/nginx/conf.d/cloudflare-ips.conf
TMP=$(mktemp)
trap 'rm -f "$TMP"' EXIT

# -f makes curl fail on an HTTP error instead of writing an error page into the config
CF_IPV4=$(curl -fsS --max-time 30 https://www.cloudflare.com/ips-v4)
CF_IPV6=$(curl -fsS --max-time 30 https://www.cloudflare.com/ips-v6)

# Refuse to continue on an empty response (outage, captive portal, etc.)
[ -n "$CF_IPV4" ] && [ -n "$CF_IPV6" ] || { echo "Empty response from Cloudflare, keeping current config" >&2; exit 1; }

# Generate the Nginx config into a temp file first
{
  echo "# Auto-generated: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
  echo "# Source: cloudflare.com/ips"
  echo ""
  for ip in $CF_IPV4 $CF_IPV6; do
    echo "set_real_ip_from $ip;"
  done
  echo ""
  echo "real_ip_header CF-Connecting-IP;"
} > "$TMP"

# Keep the previous file so a config that fails nginx -t never stays on disk
cp "$CONF" "$CONF.bak" 2>/dev/null || true
install -m 0644 "$TMP" "$CONF"
if nginx -t; then
  systemctl reload nginx
  rm -f "$CONF.bak"
  echo "Cloudflare IP whitelist updated successfully"
else
  echo "New config failed nginx -t, restoring the previous file" >&2
  if [ -f "$CONF.bak" ]; then mv "$CONF.bak" "$CONF"; else rm -f "$CONF"; fi
  exit 1
fi
```
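Checking the downloaded lists before they touch any config, as an added example in Python that is not part of this guide or of Panelica: it rejects any line that is not a well-formed CIDR of the expected family, renders the Nginx and nftables fragments from the validated list, and classifies a peer address, which is useful when reviewing which connections reached the origin directly. The sample inputs are constructed; only the standard library is used.

```python
"""Validate cloudflare.com/ips-v4 and /ips-v6 text, render config fragments,
and test whether a TCP peer address belongs to Cloudflare (added example)."""
import ipaddress

# Constructed sample inputs: a few real Cloudflare blocks, then a poisoned
# download where an HTML error page came back instead of the list.
GOOD_V4 = "173.245.48.0/20\n103.21.244.0/22\n104.16.0.0/13\n"
GOOD_V6 = "2400:cb00::/32\n2606:4700::/32\n2a06:98c0::/29\n"
BAD_V4 = "173.245.48.0/20\n<html><body>503 Service Unavailable</body></html>\n"


def parse_ranges(text, version):
    """Return ip_network objects; raise on junk, host bits set, wrong family,
    or an empty list, so nothing malformed can become a whitelist entry."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        net = ipaddress.ip_network(line, strict=True)  # ValueError on anything odd
        if net.version != version:
            raise ValueError(f"{line}: expected IPv{version}")
        nets.append(net)
    if not nets:
        raise ValueError("empty range list; refusing to generate an empty whitelist")
    return nets


def render_nginx(v4, v6):
    """set_real_ip_from lines for both families plus the trusted header."""
    lines = [f"set_real_ip_from {n};" for n in v4 + v6]
    return "\n".join(lines + ["real_ip_header CF-Connecting-IP;"]) + "\n"


def render_nft_defines(v4, v6):
    """nftables 'define' blocks usable as $cloudflare_ipv4 / $cloudflare_ipv6."""
    out = []
    for name, nets in (("cloudflare_ipv4", v4), ("cloudflare_ipv6", v6)):
        body = ",\n".join(f"    {n}" for n in nets)
        out.append(f"define {name} = {{\n{body}\n}}")
    return "\n".join(out) + "\n"


def is_cloudflare(peer, v4, v6):
    """True when the TCP peer address falls inside one of Cloudflare's ranges."""
    ip = ipaddress.ip_address(peer)
    return any(ip in n for n in (v4 if ip.version == 4 else v6))
```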
Common Mistakes to Avoid
Even experienced administrators make these mistakes when configuring Cloudflare:
- Forgetting IPv6 — Cloudflare serves a significant portion of traffic over IPv6. If you only whitelist IPv4, you'll block legitimate visitors.
- Using X-Forwarded-For instead of CF-Connecting-IP — The `X-Forwarded-For` header can be spoofed by clients. `CF-Connecting-IP` is set by Cloudflare and is more reliable.
- Not blocking direct access — If someone discovers your origin IP (via DNS history, email headers, or certificate transparency logs), they can bypass Cloudflare entirely. Always block non-Cloudflare traffic on ports 80/443.
- Hardcoding IPs and never updating — Cloudflare adds new ranges periodically. Set up a cron job or use a panel that handles this automatically.
- Setting SSL mode to "Flexible" — This means Cloudflare connects to your origin over plain HTTP. Always use "Full (Strict)" with a valid SSL certificate on your origin.
The Easier Way: Using Panelica's Built-In Cloudflare Integration
All the manual configuration above works — but it's a lot of moving parts to maintain. If you're using Panelica as your server management panel, the entire Cloudflare workflow is built in with over 25 API endpoints and a dedicated management interface.
What Panelica Handles Automatically
- Real IP restoration — Nginx is pre-configured with Cloudflare's IP ranges and the `CF-Connecting-IP` header. No manual config files needed.
- Firewall integration — Panelica's built-in nftables firewall knows about Cloudflare IPs. Your firewall rules work with real visitor IPs, not Cloudflare proxy IPs.
- Automatic updates — When Cloudflare adds new IP ranges, Panelica updates its configuration automatically.
Multi-Account Cloudflare Management
Most server panels support a single Cloudflare account at best. Panelica supports unlimited Cloudflare accounts — perfect for agencies and resellers managing domains across different Cloudflare accounts.
Connect your accounts from the Cloudflare settings tab. Each account's API key is encrypted with AES-256 and never exposed in the UI.
One-Click DNS Management
Panelica's Cloudflare DNS tab gives you full control over all record types: A, AAAA, CNAME, MX, TXT, NS, SRV, and CAA. It also shows drift detection — if your Cloudflare DNS doesn't match your Panelica DNS, you'll see it highlighted immediately.
IP Sync Across All Zones
Moving to a new server? Instead of manually updating A records in every Cloudflare zone, use Panelica's Bulk IP Sync. One click updates the root A record for all your domains to point to your new server IP — with Cloudflare proxy (orange cloud) enabled automatically.
SSL/TLS Configuration
Set your Cloudflare SSL mode across all zones from one place. Panelica recommends and defaults to Full (Strict) mode, and combined with its built-in Let's Encrypt auto-renewal, your origin always has a valid certificate.
One-Click Email DNS Setup
Setting up email authentication records (SPF, DKIM, DMARC) in Cloudflare is one of the most error-prone tasks for beginners. Panelica's Mail DNS Sync creates all six required records in a single click:
- MX record — Points your domain to your mail server
- Mail A record — `mail.yourdomain.com` pointing to your server (proxy off)
- SPF record — `v=spf1 ip4:YOUR_SERVER_IP -all` (hard fail for anti-spoofing)
- Mail SPF record — SPF for the mail subdomain (fixes HELO identity checks)
- DKIM record — 2048-bit RSA key auto-generated and published
- DMARC record — `v=DMARC1; p=quarantine` with reporting configured
This alone saves 30+ minutes of manual DNS editing and eliminates the most common email deliverability issues — especially important since Gmail's 2025 enforcement of strict SPF/DKIM/DMARC alignment.
WAF Custom Rules
Panelica's Cloudflare Firewall tab lets you create custom WAF rules using Cloudflare's expression syntax. Block by IP, country, user agent, threat score, or any combination:
```text
# Block traffic from specific countries
ip.geoip.country in {"CN" "RU"} and not cf.client.bot
# Challenge high-threat visitors
cf.threat_score > 30
# Block specific user agents
http.user_agent contains "BadBot" or http.user_agent contains "SemrushBot"
# Allow only specific IPs to /wp-admin
http.request.uri.path contains "/wp-admin" and not ip.src in {203.0.113.0/24}
```
Cache Purge & Development Mode
Working on your site? Enable Development Mode with one click — it bypasses Cloudflare's cache for 3 hours so you see changes immediately. When you're done, purge the full cache or specific URLs to push your changes live.
Under Attack Mode
If your site is under DDoS attack, enable Under Attack Mode from Panelica's Quick Actions tab. This forces every visitor through a JavaScript challenge (the "Checking your browser" page) — stopping most automated attacks instantly.
Real-Time Analytics
Monitor your Cloudflare traffic directly from Panelica with 24-hour, 7-day, and 30-day views. See total requests, cached bandwidth savings, threat blocks, top countries, and HTTP status code breakdowns — all without leaving your server panel.
Complete Audit Trail
Every Cloudflare operation performed through Panelica is logged: DNS changes, cache purges, security mode toggles, WAF rule modifications. If something breaks, you know exactly what changed and when.
Quick Reference: Cloudflare + Server Checklist
Whether you configure manually or use a panel, here's what a properly secured Cloudflare setup looks like:
| Item | Status | Why It Matters |
|---|---|---|
| Cloudflare IPs whitelisted in web server | Required | Ensures Cloudflare traffic isn't blocked |
| Real IP restoration configured | Required | Logs show actual visitor IPs |
| Direct origin access blocked | Recommended | Prevents Cloudflare bypass attacks |
| Firewall-level IP whitelist | Recommended | Defense in depth |
| SSL mode set to Full (Strict) | Required | End-to-end encryption |
| Origin SSL certificate valid | Required | Full (Strict) won't work without it |
| SPF, DKIM, DMARC configured | Required for email | Gmail/Outlook reject without them |
| IP range auto-update configured | Recommended | Cloudflare adds new ranges periodically |
| WAF rules for sensitive paths | Recommended | Protect /wp-admin, /phpmyadmin, etc. |
Conclusion
Whitelisting Cloudflare IP ranges is a fundamental step in securing any Cloudflare-proxied website. The manual approach works but requires ongoing maintenance — keeping IP ranges updated, configuring multiple services, and remembering to handle both IPv4 and IPv6.
If you're managing multiple sites or want to eliminate the manual overhead, Panelica handles the entire Cloudflare workflow from a single dashboard: IP whitelisting, DNS management, SSL configuration, email authentication, WAF rules, cache control, and real-time analytics. All included in every plan, with multi-account support for agencies and resellers.
Try it free for 14 days — install in under 3 minutes:
```bash
curl -sSL https://latest.panelica.com/install.sh | bash
```