UFW Setup - Cloudflare IPs and apt-get and SSH

January 26, 2017 249 views
Security Ubuntu 16.04


I'm a little unsure on how to handle this:

I have a Dokku droplet which sits behind my Cloudflare. Now I want to whitelist only Cloudflare IPs to access that droplet, however I also need to be able to SSH into that droplet (from anywhere I may be, so a fixed IP isn't possible), need to be able to push code to my dokku master and I would also like things like apt-get to work without causing an issue.

So, are these the ports I need to allow - and would Cloudflare only need 443 (as I'm using Full Strict SSL on their side)


Or do i also need port 80? As surely my node app, when doing a build may require things from npm?

A little confused. It just feels like there's not much I can do. I don't see the point of even adding those Cloudflare IPs, if say something like NPM would require port 80 from anywhere.


2 Answers

If you use a stateful firewall you will have no trouble with outgoing connections despite blocked ports.


If you set up ufw with a default policy to deny incoming connections and selectively add the ports that you want to allow incoming connections on, you shouldn't need to be too specific or restrictive.

Before enabling ufw, running:

sudo ufw default deny

Sets a policy to deny all incoming connections. We then extend the rule set by allowing connections to ports 80 (HTTP), 443 (HTTPS), and 22 (SSH).

sudo ufw allow 22/tcp \
&& sudo ufw allow 80/tcp \
&& sudo ufw allow 443/tcp

With those rules, only incoming connections on those ports will be permitted.

You really don't want to disable incoming connections on Port 80. You should, instead, redirect those connections to Port 443 using a 301 or similar redirect. By blocking Port 80, you won't be able to use redirects, so if someone visits:

They aren't going to see anything, instead, they'll receive a failure to connect. What should happen is that when someone visits

... they get redirected to

That being said, the above rules will allow you to use apt-get, whether it's to update, upgrade, install, remove or purge a package or multiple packages.

As far as Cloudflare goes, there's no reason to specifically only allow connections from their IPs or IP ranges. As long as SSL is properly set up and working, and you have your redirects in place, all connections will connect over SSL.
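The script below is an added example and is not from the question or either answer. It generates the ufw rule set the question asks for: deny incoming by default, allow outgoing (ufw is stateful, so apt-get, npm and git push replies need no inbound rule), keep SSH reachable from anywhere but under ufw's built-in connection rate limit (Dokku's `git push dokku master` also rides SSH on 22), and open 80/443 only to a list of Cloudflare ranges. The ranges in `CF_RANGES` are a constructed placeholder (RFC 5737/3849 documentation prefixes), not Cloudflare's real ones; replace them with the output of https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6. The `is_cidr`, `cf_rules` and `plan` function names are my own.

```shell
#!/bin/sh
# cf-ufw.sh: print (not run) a ufw rule set that admits HTTP/HTTPS only from
# Cloudflare, SSH from anywhere, and nothing else inbound.
# usage: sh cf-ufw.sh            # review the plan
#        sh cf-ufw.sh | sudo sh  # apply it

# Constructed placeholder ranges (documentation prefixes), NOT Cloudflare's.
# Replace with: curl -s https://www.cloudflare.com/ips-v4; curl -s https://www.cloudflare.com/ips-v6
CF_RANGES='198.51.100.0/24
203.0.113.0/24
2001:db8::/32'

# is_cidr PREFIX: exit 0 if PREFIX has the shape of an IPv4 or IPv6 CIDR.
# A cheap shape check (not full address validation) so that an empty or
# garbled line can never turn into a rule like "from  to any port 80,443".
is_cidr() {
    ip=${1%/*}; len=${1##*/}
    [ "$ip" != "$1" ] || return 1                         # no "/" at all
    case "$ip" in */*) return 1 ;; esac                   # more than one "/"
    case "$len" in ''|*[!0-9]*) return 1 ;; esac          # length must be digits
    case "$ip" in
        *:*)                                              # IPv6: hex and colons
            case "$ip" in *[!0-9a-fA-F:]*) return 1 ;; esac
            [ "$len" -le 128 ] ;;
        *)                                                # IPv4: four dotted fields
            case "$ip" in
                *[!0-9.]*|*.*.*.*.*) return 1 ;;
                *.*.*.*) [ "$len" -le 32 ] ;;
                *) return 1 ;;
            esac ;;
    esac
}

# cf_rules: read CIDRs on stdin, one per line; print one ufw command per
# valid range, restricting 80 and 443 to that range. Invalid lines are
# reported on stderr and skipped rather than silently widening the rule.
cf_rules() {
    while IFS= read -r cidr; do
        [ -n "$cidr" ] || continue
        if is_cidr "$cidr"; then
            echo "ufw allow proto tcp from $cidr to any port 80,443"
        else
            echo "skipping invalid prefix: $cidr" >&2
        fi
    done
}

# plan: the complete ordered rule set.
plan() {
    echo "ufw default deny incoming"     # anything not listed below is dropped
    echo "ufw default allow outgoing"    # apt-get, npm, git: replies return via conntrack
    echo "ufw limit 22/tcp"              # SSH from anywhere, rate-limited per source IP
    printf '%s\n' "$CF_RANGES" | cf_rules
    echo "ufw --force enable"            # --force skips the interactive confirmation
}

plan
```

Because the Cloudflare list changes over time, regenerate and re-apply the plan when it does; anything that is not in the list (including you, if you hit the droplet's IP directly on 80 or 443) is dropped, which is exactly the origin-bypass protection the question is after.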
