Easy way to whitelist Cloudflare IPs in Plesk Firewall

Today we had a client who wanted us to whitelist Cloudflare IPs on thirteen of his Plesk-Onyx servers. If you have installed and enabled the Plesk Firewall extension, you can whitelist those IP ranges from Plesk >> Tools & Settings >> Firewall (under Security) >> Modify Plesk Firewall Rules >> Add Custom Rule: name the rule “Cloudflare IPs”, add ports 80 and 443, add the entire list of Cloudflare IPs, then save and apply it. But this method is very time-consuming and inefficient if you have to do it on thirteen Plesk servers. As a system administrator you will have to find a faster and more efficient way to get these things done. Fortunately, Plesk also provides a command-line tool to manage the firewall:

/usr/local/psa/bin/modules/firewall/settings --help

We can use this tool to whitelist the IPs quickly. First, SSH to the server as root and add the Cloudflare IP ranges (published at https://www.cloudflare.com/ips/):

[root@srv ~]# /usr/local/psa/bin/modules/firewall/settings -s -name 'Cloudflare IPs' -direction input -action allow -ports '80/tcp,443/tcp' -remote-addresses "173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32"

Firewall rule was successfully created; rule id: '583'.

After that, apply the rules:

[root@srv ~]# /usr/local/psa/bin/modules/firewall/settings -a
Firewall rules were successfully activated, use --confirm command within 60 second(s) to confirm activation, otherwise all changes will be rolled back.

Now you have to run the confirm command within 60 seconds, otherwise the changes will be rolled back. The confirm command has to be run in a new shell; running it in the same shell gives an error. So make a new SSH connection to the server and run the confirm command there.

[root@srv ~]# /usr/local/psa/bin/modules/firewall/settings -c
Firewall rules were successfully confirmed.

Voila! You are done.
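
When the rule-creation step has to be repeated on many servers, the -remote-addresses value can be generated from a range list (one CIDR per line) instead of being pasted by hand. The script below is an added example, not part of the original post: it rejects any line that is not a CIDR, so a truncated or corrupted list never reaches the firewall, and it only prints the command. The function names and sample input are assumptions for illustration; the flags are the ones used above.

```shell
# Added example, not from the original post. Function names are illustrative.
SETTINGS=/usr/local/psa/bin/modules/firewall/settings   # path used on the page

# is_cidr ENTRY: status 0 only for a plausible IPv4 or IPv6 CIDR.
is_cidr() (
    case $1 in */*) ;; *) exit 1 ;; esac
    addr=${1%/*}; prefix=${1##*/}
    case $prefix in ''|*[!0-9]*|????*) exit 1 ;; esac
    case $addr in
        ''|*[!0-9A-Fa-f:.]*) exit 1 ;;
        *:*)                      # IPv6: character check only (hex and colons)
            case $addr in *.*) exit 1 ;; esac
            [ "$prefix" -le 128 ] || exit 1 ;;
        *.*.*.*)                  # IPv4: exactly four octets, each 0-255
            case $addr in *[!0-9.]*) exit 1 ;; esac
            [ "$prefix" -le 32 ] || exit 1
            IFS=.; set -- $addr
            [ $# -eq 4 ] || exit 1
            for octet; do
                case $octet in ''|????*) exit 1 ;; esac
                [ "$octet" -le 255 ] || exit 1
            done ;;
        *) exit 1 ;;
    esac
    exit 0
)

# Read ranges on stdin (one per line, '#' comments allowed); print them
# comma-joined, or fail on the first line that is not a CIDR.
build_remote_addresses() (
    out=
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        is_cidr "$line" || { echo "rejected entry: $line" >&2; exit 1; }
        out=${out:+$out,}$line
    done
    [ -n "$out" ] || { echo "no ranges found" >&2; exit 1; }
    printf '%s\n' "$out"
)

# Print (do not run) the rule-creation command for the ranges on stdin.
plesk_rule_command() (
    addrs=$(build_remote_addresses) || exit 1
    printf "%s -s -name 'Cloudflare IPs' -direction input -action allow -ports '80/tcp,443/tcp' -remote-addresses \"%s\"\n" "$SETTINGS" "$addrs"
)

# Constructed sample input: three of the ranges listed above.
printf '173.245.48.0/20\n103.21.244.0/22\n2400:cb00::/32\n' | plesk_rule_command
```

Review the printed command before running it on each server; the apply and confirm steps stay manual, as described above.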