This is a sub-article. To go back to the main article, click here.

If you use Terraform, I highly recommend this module which simplifies the firewall deployment process.

For DigitalOcean, follow these steps for firewalling Cloudflare:

Via Web interface:

  1. Go to Networking -> Firewalls -> New.
  2. For the name, enter something like "Cloudflare".
  3. Remove all of the default inbound and outbound rules.
  4. Create a new inbound rule for HTTPS.
  5. In the "Sources" box, delete the existing entries.
  6. Go to https://cloudflare.com/ips and copy-and-paste every IP range (v4 and v6) into the Sources box, one at a time. Do the same for any other ports you want to expose through Cloudflare.

I understand adding all of the Cloudflare IPs manually may be tedious, but this is a limitation of DigitalOcean.

After that, feel free to apply it to droplets and create the firewall.

Via command line:

doctl compute firewall create --name cloudflare --inbound-rules protocol:tcp,ports:443,address:173.245.48.0/20,address:103.21.244.0/22,address:103.22.200.0/22,address:103.31.4.0/22,address:141.101.64.0/18,address:108.162.192.0/18,address:190.93.240.0/20,address:188.114.96.0/20,address:197.234.240.0/22,address:198.41.128.0/17,address:162.158.0.0/15,address:104.16.0.0/12,address:172.64.0.0/13,address:131.0.72.0/22,address:2400:cb00::/32,address:2606:4700::/32,address:2803:f800::/32,address:2405:b500::/32,address:2405:8100::/32,address:2a06:98c0::/29,address:2c0f:f248::/32