How to allow HTTP and HTTPS traffic coming ONLY from CloudFlare
Posted: Wed Apr 05, 2023 4:53 pm
This script is modifying the firewall rules on a server using myVesta Control Panel to allow HTTP and HTPS incoming traffic only from Cloudflare IPs.
This is useful when using Cloudflare to protect your website against DDoS attacks (so nobody can flood your site by avoiding CloudFlare, for example, by targeting your server's IP directly).
Here's a step-by-step explanation:
The script searches for a firewall rule (that allows http and https traffic from all IP addresses) in the /usr/local/vesta/data/firewall/rules.conf file and assigns the result to the $rules variable.
It evaluates the content of the $rules variable.
The script suspends the firewall rule by executing the v-suspend-firewall-rule command with found rule number.
Next, the script adds new firewall rules for a list of Cloudflare IP ranges:
It sets the IP range and comment for each Cloudflare IP block (e.g., IP='173.245.48.0/20' COMMENT='CloudFlare_1').
The script calls v-add-firewall-rule command to add a new firewall rule that allows incoming traffic from the specified IP range on ports 80 and 443 using the TCP protocol and adds the corresponding comment.
That way, incoming traffic would be allowed only from Cloudflare IPs for HTTP (port 80) and HTTPS (port 443) services.
Script code:
This is useful when using Cloudflare to protect your website against DDoS attacks (so nobody can flood your site by avoiding CloudFlare, for example, by targeting your server's IP directly).
Here's a step-by-step explanation:
The script searches for a firewall rule (that allows http and https traffic from all IP addresses) in the /usr/local/vesta/data/firewall/rules.conf file and assigns the result to the $rules variable.
It evaluates the content of the $rules variable.
The script suspends the firewall rule by executing the v-suspend-firewall-rule command with found rule number.
Next, the script adds new firewall rules for a list of Cloudflare IP ranges:
It sets the IP range and comment for each Cloudflare IP block (e.g., IP='173.245.48.0/20' COMMENT='CloudFlare_1').
The script calls v-add-firewall-rule command to add a new firewall rule that allows incoming traffic from the specified IP range on ports 80 and 443 using the TCP protocol and adds the corresponding comment.
That way, incoming traffic would be allowed only from Cloudflare IPs for HTTP (port 80) and HTTPS (port 443) services.
Script code:
Code: Select all
rules=$(grep "PORT='80,443' IP='0.0.0.0/0' COMMENT='WEB'" /usr/local/vesta/data/firewall/rules.conf)
eval $rules
/usr/local/vesta/bin/v-suspend-firewall-rule "$RULE"
IP='173.245.48.0/20' COMMENT='CloudFlare_1'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='103.21.244.0/22' COMMENT='CloudFlare_2'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='103.22.200.0/22' COMMENT='CloudFlare_3'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='103.31.4.0/22' COMMENT='CloudFlare_4'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='141.101.64.0/18' COMMENT='CloudFlare_5'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='108.162.192.0/18' COMMENT='CloudFlare_6'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='190.93.240.0/20' COMMENT='CloudFlare_7'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='188.114.96.0/20' COMMENT='CloudFlare_8'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='197.234.240.0/22' COMMENT='CloudFlare_9'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='198.41.128.0/17' COMMENT='CloudFlare_10'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='162.158.0.0/15' COMMENT='CloudFlare_11'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='104.16.0.0/13' COMMENT='CloudFlare_12'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='104.24.0.0/14' COMMENT='CloudFlare_13'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='172.64.0.0/13' COMMENT='CloudFlare_14'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='131.0.72.0/22' COMMENT='CloudFlare_15'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"