Since this issue has come up several times and is never adequately answered, I present the problem and solution to the Cloudflare whitelist issue. (Skip to the next message if you just want to cut-and-paste the whitelist; read on if you want to understand how it works.)
- The Issue
Cloudflare (and all network engineers) provide their IP address ranges in CIDR format. But iThemes Security uses the ancient MS-DOS wildcard * to represent a range of IP addresses in its whitelist. (Sidenote: the plugin code has to convert the * wildcard into CIDR format internally before it can be used in the .htaccess file.)
The current list of Cloudflare’s IP addresses is here. At the time of this post it looks like this.
126.96.36.199/21
188.8.131.52/20
184.108.40.206/22
220.127.116.11/22
18.104.22.168/22
22.214.171.124/18
126.96.36.199/18
188.8.131.52/20
184.108.40.206/20
220.127.116.11/22
18.104.22.168/17
22.214.171.124/15
But this won't work in iThemes Security's whitelist, so it needs to be converted to a format the plugin will understand. Each number (separated by dots) represents one byte (8 bits) of a 4-byte (32-bit) address. The number after the slash is a "mask" and tells you how many bits, starting from the left, are unchanged in the address range; the rest can be almost anything from 0 to 255 (there are a couple of exceptions).
The Problem: The "mask" can end partway through a byte of the address, but this plugin only lets you specify an exact value for a byte, or the entire byte as a wildcard (any value). So while some people might take the above list, get rid of the slash and the number after it, and just change the last zero to an asterisk (e.g. 199.27.128.0/21 => 199.27.128.*), this is not correct either.
There are various online CIDR calculator tools you can use to help you figure out what these ranges mean. Since iThemes Security only allows you to place a wildcard * to cover a full byte, some of these addresses will need to be expanded onto multiple lines in the whitelist. For example, 199.27.128.0/21 means all IP addresses from 199.27.128.0 to 199.27.135.255. In iThemes Security format, that address range looks like this...
199.27.128.*
199.27.129.*
199.27.130.*
199.27.131.*
199.27.132.*
199.27.133.*
199.27.134.*
199.27.135.*
As you can see, simply changing 199.27.128.0/21 to 199.27.128.* misses a lot of addresses, which could result in Cloudflare being locked out and your web site being inaccessible.
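The expansion described in the post, done by script rather than by hand, as an added example (this is not code from the original post or from the iThemes Security plugin). It rounds each CIDR prefix up to the next octet boundary (/21 becomes eight /24 blocks, /15 becomes two /16 blocks, /24 stays one line) and emits one full-octet wildcard entry per block, then checks that the entries cover exactly the original range, which is the check the shortcut "just replace the last zero with *" fails. The 199.27.128.0/21 range is the post's own example; the other ranges in the sample list are constructed placeholders from the RFC 5737 and RFC 2544 documentation and benchmark blocks, not Cloudflare's ranges. Always fetch Cloudflare's current list yourself.

```python
import ipaddress
from typing import List

# Constructed sample input: the post's example block plus placeholder ranges
# (RFC 5737 / RFC 2544), standing in for Cloudflare's published list.
SAMPLE_CIDRS = [
    "199.27.128.0/21",   # the post's worked example
    "203.0.113.0/24",    # already octet-aligned: one wildcard line
    "198.18.0.0/15",     # wider than a /16: two a.b.*.* lines
    "203.0.113.7/32",    # a single host: no wildcard at all
]


def cidr_to_wildcards(cidr: str) -> List[str]:
    """Expand an IPv4 CIDR into full-octet wildcard entries (a.b.c.*) covering
    exactly the same addresses. A prefix that ends mid-octet is split into
    2**(aligned - prefix) blocks at the next octet boundary."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("only IPv4 is supported")
    # Round the prefix up to a multiple of 8: /21 -> /24, /15 -> /16, /24 -> /24.
    aligned = -(-net.prefixlen // 8) * 8
    blocks = net.subnets(new_prefix=aligned) if aligned > net.prefixlen else [net]
    fixed_octets = aligned // 8
    entries = []
    for block in blocks:
        octets = str(block.network_address).split(".")
        entries.append(".".join(octets[:fixed_octets] + ["*"] * (4 - fixed_octets)))
    return entries


def wildcard_matches(pattern: str, address: str) -> bool:
    """True if a dotted address falls under a full-octet wildcard pattern."""
    return all(p == "*" or p == a
               for p, a in zip(pattern.split("."), address.split(".")))


def covers_exactly(cidr: str, patterns: List[str]) -> bool:
    """Verify that the wildcard entries tile the CIDR block with no gaps and
    no overlap: sort the per-pattern address intervals and walk them."""
    net = ipaddress.ip_network(cidr, strict=False)
    intervals = sorted(
        (int(ipaddress.IPv4Address(p.replace("*", "0"))),
         int(ipaddress.IPv4Address(p.replace("*", "255"))))
        for p in patterns
    )
    expected = int(net.network_address)
    for lo, hi in intervals:
        if lo != expected:          # gap or overlap before this entry
            return False
        expected = hi + 1
    return expected == int(net.broadcast_address) + 1


def convert_list(cidrs: List[str]) -> List[str]:
    """Convert a whole CIDR list into whitelist lines, verifying each block."""
    lines = []
    for cidr in cidrs:
        entries = cidr_to_wildcards(cidr)
        assert covers_exactly(cidr, entries), cidr
        lines.extend(entries)
    return lines


if __name__ == "__main__":
    for line in convert_list(SAMPLE_CIDRS):
        print(line)
    # The shortcut from the post: one line for a /21 leaves 7/8 of it uncovered.
    print("shortcut covers /21:", covers_exactly("199.27.128.0/21", ["199.27.128.*"]))
```

Run it with no arguments to print a whitelist for the sample ranges, or replace SAMPLE_CIDRS with the current Cloudflare list. Note that a prefix longer than /24 (for example /25) rounds up to /32 and produces one line per host; the output is still correct, just long.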