Cloudflare IP addresses
When you add a domain to Cloudflare and proxy its DNS records, visitors who look up your domain receive a Cloudflare IP address instead of your origin server's real IP address. This hides your origin server's IP address and allows Cloudflare to optimize, cache, and protect all requests before forwarding them to you.
Cloudflare has several IP address ranges which are shared by all proxied hostnames. Together, these IP addresses form the backbone of Cloudflare's anycast network — a routing method where the same IP address is announced from data centers worldwide, so each visitor's request is routed to a nearby data center.
All traffic to proxied DNS records passes through Cloudflare before reaching your origin server. This means that your origin server will stop receiving traffic from individual visitor IP addresses and instead receive traffic from Cloudflare IP addresses, which are shared by all proxied hostnames.
To your origin server's firewall, this can look like a limited number of sources sending a high volume of traffic — which may trigger automatic blocking or rate limiting. Because all visitor traffic appears to come from Cloudflare IP addresses, blocking these IPs — even accidentally — will prevent visitor traffic from reaching your application.
The guidance above applies to domains that use Cloudflare's HTTP proxy. Magic Transit works differently — instead of proxying web requests, it protects entire IP networks at the network layer. Cloudflare announces your IP address ranges (prefixes) via BGP so that all traffic destined for your network passes through Cloudflare for inspection and DDoS filtering before being forwarded to your infrastructure.
To avoid blocking Cloudflare IP addresses unintentionally, you also want to allow Cloudflare IP addresses at your origin web server.
You can explicitly allow these IP addresses with a .htaccess file or by using iptables.
The following example demonstrates how you could use an iptables rule to allow a Cloudflare IP address range. Replace $ip below with one of the Cloudflare IP address ranges. You will need to run this command once for each IP range listed on that page.
```sh
# For IPv4 addresses
iptables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT
# For IPv6 addresses
ip6tables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT
```
For more specific guidance, contact your hosting provider or website administrator.
If someone discovers your origin server's IP address — for example, through historical DNS records or mail server configuration — they could send traffic directly to your server, bypassing Cloudflare's security protections entirely. To prevent this, block all traffic that does not come from Cloudflare IP addresses or the IP addresses of your trusted partners, vendors, or applications.
For example, you might update your iptables with the following commands:
```sh
# For IPv4 addresses
iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP
# For IPv6 addresses
ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP
```
For more specific guidance, contact your hosting provider or website administrator.
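The allow and block steps above combined into one generator, as an added example that is not part of the original page. The function name `gen_rules` and the sample ranges (documentation placeholders, not Cloudflare's published ranges) are assumptions; the script prints the commands for review and refuses to emit a DROP rule when the list is empty or malformed.

```sh
#!/bin/sh
# Added example: build the allow-then-drop rule set from a list of CIDR ranges.
# Commands are printed, not executed, so they can be reviewed before use.

# Constructed sample input: RFC 5737 / RFC 3849 documentation ranges,
# standing in for the published Cloudflare ranges.
SAMPLE_RANGES='192.0.2.0/24
# comment lines and blank lines are ignored

198.51.100.0/24
2001:db8::/32'

# Shape checks only (anchored, digits/hex/colons/dots); iptables validates values.
V4_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
V6_RE='^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'
MATCH='-p tcp -m multiport --dports http,https'

# gen_rules: read one CIDR per line on stdin, print iptables/ip6tables commands.
# Returns 1 and prints no rules if a line is malformed or the list is empty,
# so a failed or truncated download can never produce a lone DROP rule.
gen_rules() {
    rules='' have4=0 have6=0
    while IFS= read -r cidr || [ -n "$cidr" ]; do
        case "$cidr" in ''|'#'*) continue ;; esac
        if printf '%s\n' "$cidr" | grep -Eq "$V4_RE"; then
            rules="${rules}iptables -I INPUT $MATCH -s $cidr -j ACCEPT
"; have4=1
        elif printf '%s\n' "$cidr" | grep -Eq "$V6_RE"; then
            rules="${rules}ip6tables -I INPUT $MATCH -s $cidr -j ACCEPT
"; have6=1
        else
            echo "rejecting list, malformed entry: $cidr" >&2
            return 1
        fi
    done
    if [ "$have4$have6" = 00 ]; then
        echo "rejecting list, no ranges found" >&2
        return 1
    fi
    printf '%s' "$rules"
    # DROP is appended only for a family that has at least one ACCEPT rule.
    if [ "$have4" = 1 ]; then echo "iptables -A INPUT $MATCH -j DROP"; fi
    if [ "$have6" = 1 ]; then echo "ip6tables -A INPUT $MATCH -j DROP"; fi
}

printf '%s\n' "$SAMPLE_RANGES" | gen_rules
```

Because the ACCEPT rules use `-I` (insert at the top of the chain) and the DROP rules use `-A` (append), the allow rules are evaluated first regardless of the order in which the commands run. Rules for trusted partners, vendors, or applications would need to be added in the same way.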
To avoid blocking Cloudflare IP addresses unintentionally, review your external tools to check that:
- Any security plugins — such as those for WordPress — allow Cloudflare IP addresses.
- The ModSecurity plugin is up to date.
For further recommendations on securing your origin server, refer to our guide on protecting your origin server.
Enterprise customers who do not want to use Cloudflare IP addresses — which are shared by all proxied hostnames — have two potential alternatives:
- Bring Your Own IP (BYOIP): Cloudflare announces your IPs (an IP address range you lease/own) in all of our locations.
- Static IP addresses: Cloudflare sets static IP addresses for your domain. For more details, contact your account team.
Business and Enterprise customers can also reduce the number of Cloudflare IPs that their domain shares with other Cloudflare customer domains by uploading a Custom SSL certificate.
Cloudflare's IP ranges do not change frequently. When they do change, they are added to our list of IP ranges before being put into production. You can also use the Cloudflare API to programmatically keep your configuration updated.