By psmod2
Hi,
I’m a little unsure on how to handle this:
I have a Dokku droplet which sits behind my Cloudflare. Now I want to whitelist only Cloudflare IPs to access that droplet, however I also need to be able to SSH into that droplet (from anywhere I may be, so a fixed IP isn’t possible), need to be able to push code to my dokku master and I would also like things like apt-get to work without causing an issue.
So, are these the ports I need to allow - and would Cloudflare only need 443 (as I’m using Full Strict SSL on their side)?
22 443 2375 2376
Or do I also need port 80? As surely my node app, when doing a build, may require things from npm?
A little confused. It just feels like there’s not much I can do. I don’t see the point of even adding those Cloudflare IPs, if say something like NPM would require port 80 from anywhere.
Regards.
If you use a stateful firewall you will have no trouble with outgoing connections despite blocked ports.
If you set up ufw with a default policy to deny incoming connections and selectively add the ports that you want to allow incoming connections on, you shouldn’t need to be too specific or restrictive.
Before enabling ufw, running:
sudo ufw default deny
Sets a policy to deny all incoming connections. We then extend the rule set by allowing connection to ports 80 (HTTP), 443 (HTTPS), and 22 (SSH).
sudo ufw allow 22/tcp \
&& sudo ufw allow 80/tcp \
&& sudo ufw allow 443/tcp
With those rules, only incoming connections on those ports will be permitted.
You really don’t want to disable incoming connections on Port 80. You should, instead, redirect those connections to Port 443 using a 301 or similar redirect. By blocking Port 80, you won’t be able to use redirects, so if someone visits:
They aren’t going to see anything, instead, they’ll receive a failure to connect. What should happen is that when someone visits
… they get redirected to https://yoursite.com.
That being said, the above rules will allow you to use apt-get, whether it’s to update, upgrade, install, remove or purge a package or multiple packages.
As far as Cloudflare goes, there’s no reason to specifically only allow connections from their IPs or IP ranges. As long as SSL is properly set up and working, and you have your redirects in place, all connections will connect over SSL.
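If you still want to do what the question originally asked, keep SSH reachable from anywhere but let only Cloudflare's edge reach ports 80 and 443 (so the origin cannot be hit directly, bypassing the proxy), here is an added example that is not from the thread above. It assumes Ubuntu with ufw, that Cloudflare's current ranges are fetched from https://www.cloudflare.com/ips-v4 (and ips-v6 if you also serve IPv6), and that Dokku needs nothing beyond 22, 80 and 443 inbound; the sample ranges are constructed documentation addresses.

```shell
#!/bin/sh
# Added example (not from the thread): generate a ufw rule set for a Dokku
# host behind Cloudflare. SSH (22) stays reachable from anywhere but is
# rate-limited; 80/443 accept traffic only from Cloudflare's edge ranges,
# so nobody can bypass the proxy and hit the origin directly. Outgoing
# traffic stays open, so apt-get and npm keep working (stateful firewall).
# Assumptions: Ubuntu with ufw; Cloudflare's ranges come from
# https://www.cloudflare.com/ips-v4 (and ips-v6); Dokku needs no other ports.
set -eu

# Turn a newline-separated list of CIDRs into ufw commands. Pure text output,
# so the rules can be reviewed before anything touches the firewall.
build_rules() {
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  echo "ufw limit 22/tcp"
  printf '%s\n' "$1" | while IFS= read -r cidr; do
    [ -n "$cidr" ] || continue
    echo "ufw allow proto tcp from $cidr to any port 80,443"
  done
}

# Count how many per-range rules a list produces (sanity check before
# applying: Cloudflare publishes a few dozen ranges, never zero).
count_range_rules() {
  build_rules "$1" | grep -c 'to any port 80,443' || true
}

# Apply the generated commands for real (run as root), then enable ufw.
apply_rules() {
  build_rules "$1" | while IFS= read -r cmd; do
    $cmd   # unquoted on purpose: split the generated line into arguments
  done
  ufw --force enable
}

# Constructed sample ranges (documentation addresses, not Cloudflare's real ones).
SAMPLE_RANGES="203.0.113.0/24
198.51.100.0/24"

if [ "${1:-}" = "--apply" ]; then
  # Fetch the live list and apply it.
  apply_rules "$(curl -fsS https://www.cloudflare.com/ips-v4)"
else
  build_rules "$SAMPLE_RANGES"   # preview only; nothing is changed
fi
```

Because Cloudflare terminates the client connection, the HTTP-to-HTTPS redirect still works from its edge even though port 80 on the origin is closed to everyone else; re-run the script whenever Cloudflare updates its published ranges.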