Dakota ClumLocking down access by IP address is a common and effective security practice. On Windows servers running IIS, the IP Address and Domain Restrictions feature has long been the go-to tool for allowing or denying traffic at the server or site level.
But if your site sits behind Cloudflare, that familiar approach can suddenlyโand confusinglyโstop working.
Hereโs why it happens, whatโs really going on under the hood, and how to do it the right way.
The Problem: โI Allowed My IPโฆ Why Am I Getting 403 Forbidden?โ
A customer recently ran into this exact issue:
- They configured IIS to allow only specific IPv4 addresses
- The rule was applied at the server level
- Their own IP address was explicitly allowed
Yet every request resulted in a 403 Forbidden errorโeven when browsing directly from the allowed IP.
If youโve ever stared at IIS convinced you didnโt misconfigure anything, youโre probably right.
ColdFusion + IIS + Cloudflare: Why This Matters Even More
If youโre running Adobe ColdFusion on IIS, this issue isnโt just academicโitโs operational.
ColdFusion applications frequently expose:
- Internal APIs
- Scheduled tasks
- Legacy endpoints that were never designed for public access
Many ColdFusion teams rely on IIS IP Address and Domain Restrictions as a first line of defense to protect these surfaces. When Cloudflare is added in front, that protection silently stops workingโoften without anyone realizing it.
The result is a dangerous false assumption:
โOur ColdFusion application and internal routes are IP-restricted.โ
Behind Cloudflare, they arenโtโunless the restriction is enforced at the Cloudflare layer.
Thatโs why ColdFusion environments benefit disproportionately from:
- Cloudflare Security Rules for IP allow/deny
- Explicit edge-level access control for admin paths
- Hosting providers who understand how ColdFusion, IIS, and Cloudflare interact in real deployments
๐ If youโre running ColdFusion in production and want these controls configured correctly from day one, this is exactly what we handle with our managed ColdFusion hosting.
The Root Cause: Cloudflare Masks the Real Client IP
When Cloudflare is enabled in proxied mode (the orange cloud), it acts as a reverse proxy:
- The visitor connects to Cloudflare
- Cloudflare connects to your origin server
- IIS only sees Cloudflareโs IP, not the visitorโs
The visitorโs real IP address is passed in a custom HTTP header:
CF-Connecting-IP
Hereโs the key issue:
IIS IP Address and Domain Restrictions does not read HTTP headers by default.
It only evaluates the source IP of the TCP connection, whichโbehind Cloudflareโis always a Cloudflare IP.
So when you โallowโ your own IP in IIS:
- IIS never sees it
- The request never matches
- Access is denied
This is expected behavior, not a bug.
The Fix: Use Cloudflare Security Rules
If your site is behind Cloudflare, IP-based access control must live at the Cloudflare layer, not in IIS.
Cloudflare evaluates the visitorโs true IP address before traffic ever reaches your server.
How to Do It
- Log in to Cloudflare
- Go to Security โ WAF โ Custom Rules
- Create a rule that:
- Allows requests
- When IP Source Address is in your approved IP list
- (Optional but recommended) Add a block-all rule below it
This ensures:
- Only approved IPs reach your server
- IIS never sees unwanted traffic
- Your origin remains fully shielded
Cloudflareโs official documentation walks through this in detail:
๐ https://developers.cloudflare.com/waf/tools/ip-access-rules/create/
