If your HTTP server is running behind Cloudflare, it is recommended to only allow traffic from Cloudflare IP addresses. We can config this systematically using iptables, as demonstrated in Allowing Cloudflare IP addresses. However, if you have some other service not in front of Cloudflare, it’s also flexible to white list Cloudflare IPs just inside the Nginx service.

To do this, create a /etc/nginx/allow-cloudflare-only.conf configuration file that allows all of Cloudflare IPs:

# https://www.cloudflare.com/ips
# IPv4
allow 173.245.48.0/20;
allow 103.21.244.0/22;
allow 103.22.200.0/22;
allow 103.31.4.0/22;
allow 141.101.64.0/18;
allow 108.162.192.0/18;
allow 190.93.240.0/20;
allow 188.114.96.0/20;
allow 197.234.240.0/22;
allow 198.41.128.0/17;
allow 162.158.0.0/15;
allow 104.16.0.0/12;
allow 172.64.0.0/13;
allow 131.0.72.0/22;

# IPv6
allow 2400:cb00::/32;
allow 2606:4700::/32;
allow 2803:f800::/32;
allow 2405:b500::/32;
allow 2405:8100::/32;
allow 2a06:98c0::/29;
allow 2c0f:f248::/32;

deny all; # deny all remaining ips

This configuration file can be generated by this script:

Note that Cloudflare will update its IP addresses, you’d better run this script regularly.

Then, you can include this configuration file in each server block or globally in Nginx. For example, in sites-available/example.com.conf:

server {
  listen 80;
  listen [::]:80;

  include /etc/nginx/allow-cloudflare-only.conf;

  server_name example.com;

  #...the rest of your config here...
}

In this fashion, access the origin from IP addresses other than Cloudflare IPs will give a 403 Forbidden.

More info on ngx_http_access_module which provides the allow/deny to certain client addresses: http://nginx.org/en/docs/http/ngx_http_access_module.html.