Allowing access only from Cloudflare edge server remote IP addresses

1. Caddy version (caddy version):


2. How I run Caddy:


a. System environment:


I am trying to make a Caddyfile for v2 that blocks any HTTP/HTTPS access that does not come from the Cloudflare edge servers. This is to prevent denial of service attacks from malicious parties that find out the true IP address of the server, not the Cloudflare one. I want to use Caddyfile, not iptables or similar, for the blocking as this makes the maintaining the service easier - everything relevant is in one self-contained Caddyfile.

I found ipfilter plugin that seems to be unmaintaned. What is the best practice to block remote addresses that are not on the whitelist with Caddy 2.4.5?

Cloudflare remote IPs are listed here.

Use the remote_ip matcher:

And you can use the abort directive to drop the connections as soon as possible and not respond to the request, if it matches the Cloudflare CIDRs.