When your website is protected by Deflect, any DNS queries directed at your domain name will be resolved with Deflect’s Edge IP, rather than your original IP. This process enables traffic to pass through the Deflect edge before reaching your origin server, a setup known as a reverse proxy.
While your origin IP remains hidden, it is strongly advised (but not required) to enhance the security of your origin server by permitting only traffic from Deflect Edge IPs and blocking all other HTTP(S) traffic. This measure guarantees that only traffic passing through Deflect’s protection system can reach your origin, preventing unwarranted visitors or DDoS attacks directly against your origin server.
Obtain Deflect Edge IP via Deflect API
The Deflect Edge IP list is updated from time to time. You can always obtain the latest IP list by using the API below.
curl --header 'Authorization: Bearer <key>' https://dashboard.deflect.network/api/integration/edge_ip_list
*Please contact Deflect support to obtain the API key.
Allowlist Deflect Edge IP
To guarantee correct firewall configuration and sufficient protection, the allowlist must be configured at the server level, not at the application level (for example, in WordPress).
Shared Hosting
If your site is hosted with a shared hosting provider, contact your provider or log in to your provider's control panel (for example: cPanel) and locate the firewall settings.
- Add all Deflect Edge IPs to the allowlist
- Add any other trusted IP (such as a fixed IP of the web admin, or a fixed VPN IP you often use) to the allowlist
- Block all HTTP (port 80) and HTTPS (port 443) traffic except from the allowlisted IPs
VPS or self-managed server
If you are operating a VPS server or managing your own server, please access your server and adjust the firewall settings. For instance, in a Unix-like system, you need to modify the iptables or ufw configurations.
Caution! Always review your configuration prior to enabling it. Particularly when you aim to block all traffic, it’s crucial to at least allow SSH to avoid risking being locked out of your server.
Example ufw commands (do not copy-and-paste)
# Allow HTTP and HTTPS from allowlisted IP
sudo ufw allow from <Deflect Edge IP> to any port 80 proto tcp
sudo ufw allow from <Deflect Edge IP> to any port 443 proto tcp
# Deny all other HTTP and HTTPS traffic
sudo ufw deny 80/tcp
sudo ufw deny 443/tcp
# Check status before enable
sudo ufw status numbered
# Enable ufw
#sudo ufw enable
Updating Deflect Edge IP Monthly
We recommend setting up an automated process to pull from the Deflect API and update your firewall accordingly.
However, we know that not every hosting provider offers such automation, so we recommend carrying out a monthly review to update your firewall with any missing Deflect Edge IP addresses.
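One way to automate the review described above, as an added example that is not Deflect's own code: a dry-run planner that compares a freshly downloaded edge list with the edge IPs applied earlier and prints the ufw commands to run. It assumes the addresses have been extracted to a file with one IPv4 address per line (the API response format is not shown on this page); the function names and the state file are hypothetical. New allow rules use `ufw insert 1` because ufw matches rules in order, so an allow appended after the existing `deny 80/tcp` and `deny 443/tcp` rules would never take effect.

```shell
# Added example (dry run): plan ufw changes from a fresh Deflect edge IP list.
# Assumptions: one IPv4 address per line (the API response format is not shown
# on this page) and a state file listing only the edge IPs applied earlier.

# True only for dotted-quad IPv4 with an optional /0-32 prefix, so text from a
# malformed response never ends up inside a firewall command.
is_ipv4() {
    addr=${1%%/*}
    case $1 in */*)
        pfx=${1#*/}
        case $pfx in ''|*[!0-9]*) return 1 ;; esac
        [ "${#pfx}" -le 2 ] && [ "$pfx" -le 32 ] || return 1 ;;
    esac
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# plan_edge_sync STATE_FILE NEW_LIST_FILE: print the ufw commands to run.
# Returns 1 with no output when the new list holds no valid address, so an
# empty or broken download cannot remove every edge and take the site offline.
plan_edge_sync() {
    state=$1 fresh=$2 valid=''
    while IFS= read -r ip || [ -n "$ip" ]; do
        if is_ipv4 "$ip"; then valid="$valid$ip
"; fi
    done < "$fresh"
    [ -n "$valid" ] || return 1
    for ip in $valid; do        # new edges: insert above the deny 80/443 rules
        grep -qxF -- "$ip" "$state" || for port in 80 443; do
            echo "ufw insert 1 allow from $ip to any port $port proto tcp"
        done
    done
    while IFS= read -r ip || [ -n "$ip" ]; do   # retired edges: drop the allow
        is_ipv4 "$ip" || continue
        printf '%s' "$valid" | grep -qxF -- "$ip" || for port in 80 443; do
            echo "ufw delete allow from $ip to any port $port proto tcp"
        done
    done < "$state"
}

# Constructed sample data (documentation address ranges, not real edge IPs).
demo_dir=$(mktemp -d)
printf '192.0.2.10\n192.0.2.99\n' > "$demo_dir/state"
printf '192.0.2.10\n198.51.100.7\n203.0.113.999\n<html>error</html>\n' > "$demo_dir/fresh"
plan_edge_sync "$demo_dir/state" "$demo_dir/fresh"
rm -rf "$demo_dir"
```

Because the state file holds only edge IPs added by this process, allowlist entries for an admin or VPN address are never proposed for deletion. Review the printed plan before running it with sudo, then write the validated list back to the state file.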
