UFW Setup - Cloudflare IPs and apt-get and SSH


I’m a little unsure on how to handle this:

I have a Dokku droplet which sits behind my Cloudflare. Now I want to whitelist only cloud flare IPs to access that droplet, however I also need to be able to SSH into that droplet (from anywhere I may be, so a fixed IP isn’t possible), need to be able to push code to my dokku master and I would also like things like apt-get to work without causing an issue.

So, are these the ports I need to allow - and would Cloudflare only need 443 (as I’m using Full Strict SSL on their side)?

22 443 2375 2376

Or do I also need port 80? As surely my node app, when doing a build, may require things from npm?

A little confused. It just feels like there’s not much I can do. I don’t see the point of even adding those Cloudflare IPs, if say something like NPM would require port 80 from anywhere.




If you setup ufw with a default policy to deny incoming connections and selectively add the ports that you want to allow incoming connections on, you shouldn’t need to be too specific or restrictive.

Before enabling ufw, running:

sudo ufw default deny

sets a policy to deny all incoming connections. We then extend the rule set by allowing connections to ports 80 (HTTP), 443 (HTTPS), and 22 (SSH).

sudo ufw allow 22/tcp \
&& sudo ufw allow 80/tcp \
&& sudo ufw allow 443/tcp

With those rules, only incoming connections on those ports will be permitted.

You really don’t want to disable incoming connections on Port 80. You should, instead, redirect those connections to Port 443 using a 301 or similar redirect. By blocking Port 80, you won’t be able to use redirects, so if someone visits:

They aren’t going to see anything, instead, they’ll receive a failure to connect. What should happen is that when someone visits

… they get redirected to

That being said, the above rules will allow you to use apt-get, whether it’s to update, upgrade, install, remove or purge a package or multiple packages.

As far as CloudFlare goes, there’s no reason to specifically only allow connections from their IPs or IP ranges. As long as SSL is properly set up and working, and you have your redirects in place, all connections will connect over SSL.

If you use a stateful firewall you will have no trouble with outgoing connections despite blocked ports.
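As an added example (my own, not code from either post above), here is a small POSIX shell script that generates the ufw rule set the thread discusses: default deny incoming, default allow outgoing so apt-get and npm still work through the stateful firewall, SSH open from anywhere, and HTTP/HTTPS either from anywhere (the answer's approach) or only from a list of proxy address ranges (what the question asks about). The CIDRs in SAMPLE_RANGES are constructed placeholders, not Cloudflare's published list, and the function names are mine; the script only prints the commands so they can be reviewed before being run with sudo.

```shell
#!/bin/sh
# Generate a ufw rule set for a host behind a reverse proxy (e.g. Cloudflare).
# The script prints commands instead of running them, so nothing touches the
# firewall until an admin reviews the output and runs it with sudo.

# Constructed sample ranges for the demo (documentation prefixes, NOT
# Cloudflare's real list; fetch the current one from their published pages).
SAMPLE_RANGES='203.0.113.0/24
198.51.100.0/24
2001:db8::/32
not-a-cidr'

# is_cidr ADDR: return 0 if ADDR looks like an IPv4 or IPv6 CIDR, else 1.
# A loose sanity check so a corrupted range list cannot produce bad rules.
is_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' && return 0
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F:]+/[0-9]{1,3}$' && return 0
  return 1
}

# gen_ufw_rules RANGES PROXY_ONLY
#   RANGES     newline-separated CIDR list
#   PROXY_ONLY "yes" to allow 80/443 only from RANGES, anything else for any IP
gen_ufw_rules() {
  ranges="$1"; proxy_only="$2"
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"   # stateful: outbound apt-get/npm and their replies pass
  echo "ufw allow 22/tcp"             # SSH from anywhere; git push to dokku also rides SSH
  if [ "$proxy_only" = "yes" ]; then
    printf '%s\n' "$ranges" | while IFS= read -r cidr; do
      [ -n "$cidr" ] || continue
      if is_cidr "$cidr"; then
        # ufw accepts a comma-separated port list when proto is given
        echo "ufw allow proto tcp from $cidr to any port 80,443"
      else
        echo "# skipped malformed entry: $cidr"
      fi
    done
  else
    echo "ufw allow 80/tcp"           # keep 80 open so HTTP->HTTPS redirects work
    echo "ufw allow 443/tcp"
  fi
}

# Usage: print the proxy-restricted variant for review.
gen_ufw_rules "$SAMPLE_RANGES" yes
```

Because outbound traffic is allowed and connection tracking admits the replies, neither apt-get nor npm needs an inbound rule for port 80, regardless of which variant is chosen.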