This is a sub-article of the main post on firewalling Cloudflare.
If you use Terraform, I highly recommend this module which simplifies the firewall deployment process.
For DigitalOcean, follow these steps to restrict inbound traffic to Cloudflare's published IP ranges:
Via web interface:
- go to Networking -> Firewalls -> Create Firewall
- for the name, enter something like "Cloudflare"
- remove all of the default inbound and outbound rules. Two things to keep in mind here: the default inbound rule is SSH (TCP 22) from anywhere, so make sure you still have another way to reach the droplet (the DigitalOcean console, or a separate management firewall); and DigitalOcean firewalls block any traffic that no rule explicitly allows, in both directions, so with no outbound rules the droplet can no longer make its own outgoing connections (DNS, package updates) until you add outbound rules back
- create a new inbound rule for HTTPS (TCP 443)
- in the "Sources" box, delete the existing entries (by default the rule accepts all IPv4 and IPv6 addresses, which would defeat the purpose)
- go to https://cloudflare.com/ips and paste every IP range (v4 and v6) into the sources box, one at a time. The same list is published as plain text at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6. Repeat for any other port you want to expose through Cloudflare.
Adding all of the Cloudflare ranges by hand is tedious, but the web interface has no bulk import; this is a limitation of DigitalOcean, not of the approach.
After that, apply the firewall to the droplets you want to protect and create it. Cloudflare occasionally changes the published list, so the rule has to be updated whenever the list does, otherwise traffic from a new Cloudflare range is dropped at the origin. Note also what this does and does not achieve: it blocks connections that bypass Cloudflare and hit the origin IP directly, but any Cloudflare edge can still reach the origin, so on its own it is not proof that a request came through your zone.
Via command line:
doctl compute firewall create --name cloudflare --inbound-rules "protocol:tcp,ports:443,address:173.245.48.0/20,address:103.21.244.0/22,address:103.22.200.0/22,address:103.31.4.0/22,address:141.101.64.0/18,address:108.162.192.0/18,address:190.93.240.0/20,address:188.114.96.0/20,address:197.234.240.0/22,address:198.41.128.0/17,address:162.158.0.0/15,address:104.16.0.0/12,address:172.64.0.0/13,address:131.0.72.0/22,address:2400:cb00::/32,address:2606:4700::/32,address:2803:f800::/32,address:2405:b500::/32,address:2405:8100::/32,address:2a06:98c0::/29,address:2c0f:f248::/32"
The address list in that command is a snapshot of https://www.cloudflare.com/ips at the time of writing; regenerate it from that page (or the ips-v4 and ips-v6 text lists) before running it, and again whenever Cloudflare announces a change.
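Rather than hand-editing that address list each time it changes, the rule value can be generated from Cloudflare's plain-text lists. The script below is an added example and is not code from the original post; it assumes the "protocol:tcp,ports:PORT,address:CIDR,..." rule syntax doctl uses above and that https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 return one CIDR per line. Every line is checked for CIDR shape before it goes into the rule, so an HTML error page, a blank download or a mangled address fails the build instead of silently producing a firewall rule with the wrong sources. The function names and the sample list are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original article: build the doctl
# --inbound-rules value from a CIDR list instead of pasting addresses by hand.
# Assumes doctl's "protocol:tcp,ports:PORT,address:CIDR,..." syntax and that
# the Cloudflare ips-v4 / ips-v6 text lists contain one CIDR per line.

# is_cidr CIDR: succeed only for something shaped like an IPv4 or IPv6 prefix.
# It checks shape (characters, dotted groups, prefix length range), not that the
# host bits are zero; anything else is rejected so it never reaches a rule.
is_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac              # must carry a prefix length
  net=${1%/*}
  len=${1##*/}
  case "$len" in ''|*[!0-9]*) return 1 ;; esac           # prefix length is numeric
  case "$net" in
    *[!0-9.]*)                                           # not pure IPv4 characters...
      case "$net" in *[!0-9a-fA-F:]*) return 1 ;; esac   # ...so must be hex digits and colons
      case "$net" in *:*) ;; *) return 1 ;; esac         # ...and contain at least one colon
      [ "$len" -le 128 ] ;;
    *.*.*.*) [ "$len" -le 32 ] ;;                        # four dotted groups
    *) return 1 ;;
  esac
}

# build_inbound_rules PORT: read CIDRs on stdin and print one doctl rule value.
# Fails (printing nothing on stdout) if any non-blank line is not a CIDR or the
# list is empty, so a bad download cannot produce a rule with the wrong sources.
build_inbound_rules() {
  port=$1
  rule="protocol:tcp,ports:$port"
  count=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | tr -d '\r ')            # tolerate CRLF and stray spaces
    [ -n "$line" ] || continue
    if ! is_cidr "$line"; then
      echo "build_inbound_rules: rejected line: $line" >&2
      return 1
    fi
    rule="$rule,address:$line"
    count=$((count + 1))
  done
  [ "$count" -gt 0 ] || { echo "build_inbound_rules: empty address list" >&2; return 1; }
  printf '%s\n' "$rule"
}

# firewall_command NAME PORT: print the full doctl command for review before
# running it (CIDRs are read from stdin).
firewall_command() {
  rules=$(build_inbound_rules "$2") || return 1
  printf 'doctl compute firewall create --name %s --inbound-rules "%s"\n' "$1" "$rules"
}

# Constructed sample in the format of the Cloudflare lists, so this runs offline.
# For the live list, replace the printf below with:
#   { curl -fsS https://www.cloudflare.com/ips-v4; echo; curl -fsS https://www.cloudflare.com/ips-v6; }
# (the echo guards against a list that ends without a trailing newline, which
# would otherwise fuse the last v4 entry with the first v6 entry).
SAMPLE_RANGES='173.245.48.0/20
103.21.244.0/22
2400:cb00::/32
2606:4700::/32'

printf '%s\n' "$SAMPLE_RANGES" | firewall_command cloudflare 443
```

To cover a second port, doctl takes several rules in one quoted, space-separated string, so build a second value with a different port and join the two with a space inside the same --inbound-rules argument. Because the shape check rejects anything that is not a CIDR, a failed or captive-portal download aborts the build rather than yielding a rule whose sources are wrong.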