How to block direct access to Cloudflare protected sites with .htaccess
Require visitors to use Cloudflare to access your site. IPs correct as of 23rd Oct 2020.
Using Cloudflare allows you to protect your site with products such as Cloudflare Access, Cloudflare firewall rules and Cloudflare DDoS protection. When Cloudflare protection is enabled, DNS queries for your domain return Cloudflare IP addresses instead of your server’s real one. However, anybody who knows your server’s IP address can connect to it directly and bypass any of the protection you put in place. As mentioned earlier, we’d recommend a better method of forcing all users to come via Cloudflare, but this method may be the only option for shared hosting customers.
Update 2021.04.08: List updated. 184.108.40.206/12 removed, 220.127.116.11/13 and 18.104.22.168/14 added.
To require visitors to access your site via Cloudflare, add this to the .htaccess file at the root of your site (to allow yourself to bypass Cloudflare, add your own IP address to the list: insert a new line, Require ip <your IP>, before the closing </FilesMatch>):
    <FilesMatch .*>
        Require ip 22.214.171.124/20
        Require ip 126.96.36.199/22
        Require ip 188.8.131.52/22
        Require ip 184.108.40.206/22
        Require ip 220.127.116.11/18
        Require ip 18.104.22.168/18
        Require ip 22.214.171.124/20
        Require ip 126.96.36.199/20
        Require ip 188.8.131.52/22
        Require ip 184.108.40.206/17
        Require ip 220.127.116.11/15
        Require ip 18.104.22.168/13
        Require ip 22.214.171.124/14
        Require ip 126.96.36.199/13
        Require ip 188.8.131.52/22
        Require ip 2400:cb00::/32
        Require ip 2606:4700::/32
        Require ip 2803:f800::/32
        Require ip 2405:b500::/32
        Require ip 2405:8100::/32
        Require ip 2a06:98c0::/29
        Require ip 2c0f:f248::/32
    </FilesMatch>
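Because the list changes over time, it is safer to regenerate the block than to edit it by hand. The Python script below is an added example, not part of the original article: it validates a list of CIDR ranges (one per line, the format Cloudflare publishes at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6), renders the FilesMatch block, and checks whether a given client address would be admitted. The sample ranges are constructed documentation networks, not Cloudflare's, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample input: RFC 5737 / RFC 3849 documentation ranges, NOT Cloudflare's.
# The last two entries are deliberately bad to show what validation catches.
SAMPLE_RANGES = """\
192.0.2.0/24
198.51.100.0/24

2001:db8::/32
203.0.113.77/24
not-a-range
"""

def parse_ranges(text):
    """Return (networks, rejected). Strict parsing rejects CIDRs with host bits set."""
    networks, rejected = [], []
    for line in text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            rejected.append(entry)
    return networks, rejected

def render_htaccess(networks, extra_ips=()):
    """Build the FilesMatch block; extra_ips are admin addresses allowed to bypass."""
    lines = ["<FilesMatch .*>"]
    lines += [f"Require ip {net}" for net in networks]
    lines += [f"Require ip {ipaddress.ip_address(ip)}" for ip in extra_ips]
    lines.append("</FilesMatch>")
    return "\n".join(lines) + "\n"

def is_allowed(client_ip, networks):
    """Mirror the access decision: allowed if the address is in any listed range."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == net.version and addr in net for net in networks)

if __name__ == "__main__":
    nets, bad = parse_ranges(SAMPLE_RANGES)
    print(render_htaccess(nets, extra_ips=["203.0.113.10"]), end="")
    for entry in bad:
        print(f"# rejected, not a valid network: {entry}")
```

Rejected entries are worth reviewing before deploying: a mistyped range either locks out legitimate Cloudflare traffic or is refused by Apache when it parses the file.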