Cloudflare WAF Integration

Block requests from ipinsights.io blocklisted IPs at Cloudflare's edge using a managed IP list and a single Custom WAF rule.

Overview

Cloudflare's IP Lists let you store up to 10,000 entries per list (Pro plan) and reference them from a Custom WAF rule. We'll create the list, upload the ipinsights.io blocklist via the API, and build a Custom Rule that blocks any request where ip.src matches.

Prerequisites

  • A Cloudflare account with at least a Pro plan (Custom Rules + IP Lists)
  • A Cloudflare API token with the Account → Account Filter Lists → Edit permission
  • Your Cloudflare account ID (Dashboard → right sidebar)
  • curl and jq on the host that will run the sync

Step 1 — Create the IP List

In the Cloudflare dashboard go to Manage Account → Configurations → Lists and click Create new list. Use:

  • Name: ipinsights_block
  • Description: IP Insights global blocklist
  • Type: IP address

Step 2 — Sync Script

Create /usr/local/bin/ipinsights-cf-sync.sh:

    #!/usr/bin/env bash
    # ipinsights-cf-sync.sh — refresh a Cloudflare IP List from the IP Insights blocklist
    set -euo pipefail

    CF_API_TOKEN="${CF_API_TOKEN:?missing}"
    CF_ACCOUNT_ID="${CF_ACCOUNT_ID:?missing}"
    CF_LIST_ID="${CF_LIST_ID:?missing}"   # the UUID from the URL after creating the list
    FEED_URL="https://ipinsights.io/downloads/blocklist.txt"
    MAX_ITEMS=10000                        # Pro plan ceiling; raise on Business/Enterprise
    API="https://api.cloudflare.com/client/v4/accounts/${CF_ACCOUNT_ID}/rules/lists/${CF_LIST_ID}"

    # Build the JSON payload: [{"ip":"1.2.3.4"},…]
    BODY=$(curl -fsSL --max-time 30 "$FEED_URL" \
      | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' \
      | head -n "$MAX_ITEMS" \
      | jq -R 'select(length > 0) | {ip:.}' \
      | jq -s '.')

    # PUT replaces the list contents atomically.
    # The body is sent on stdin: a 10,000-item payload is too large to pass
    # to curl as a single command-line argument on Linux.
    printf '%s' "$BODY" | curl -fsS -X PUT "$API/items" \
      -H "Authorization: Bearer $CF_API_TOKEN" \
      -H "Content-Type: application/json" \
      --data-binary @- | jq '.success, .result.operation_id'

Install the script and the environment file that holds the credentials:

    sudo install -m 0750 /tmp/ipinsights-cf-sync.sh /usr/local/bin/ipinsights-cf-sync.sh
    sudo install -m 0640 /tmp/cloudflare.env /etc/ipinsights-cf.env   # CF_API_TOKEN, CF_ACCOUNT_ID, CF_LIST_ID

Run it once manually to populate the list, then schedule it hourly via cron or systemd.
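
A stricter payload builder for the sync script above, as an added example that is not ipinsights.io's or Cloudflare's code: it validates every feed line as an IPv4 address or CIDR and refuses to emit a payload when the cleaned feed is empty or larger than the plan cap, so a failed or oversized download cannot overwrite the live list. MIN_ITEMS and the function names are assumptions, and awk is used in place of the page's jq pipeline.

```shell
#!/usr/bin/env bash
# Added example, not ipinsights.io or Cloudflare code. MIN_ITEMS and the
# function names clean_feed / build_payload are assumptions for illustration.
MAX_ITEMS="${MAX_ITEMS:-10000}"  # Pro plan ceiling from the page
MIN_ITEMS="${MIN_ITEMS:-1}"      # assumed floor: never replace the list with nothing

# stdin: raw feed. stdout: one validated IPv4 address or CIDR per line.
# Drops comments, blanks, bad octets, bad prefix lengths, duplicates and
# anything that is not IPv4 (the page's grep is IPv4-only as well).
clean_feed() {
  awk '{
    sub(/\r$/, ""); sub(/[ \t]*#.*$/, ""); gsub(/^[ \t]+|[ \t]+$/, "")
    if ($0 == "") next
    n = split($0, part, "/")
    if (n > 2 || part[1] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
    split(part[1], o, ".")
    for (i = 1; i <= 4; i++) if (length(o[i]) > 3 || o[i] + 0 > 255) next
    if (n == 2 && (part[2] !~ /^[0-9]+$/ || length(part[2]) > 2 || part[2] + 0 > 32)) next
    if (!seen[$0]++) print
  }'
}

# stdin: raw feed. stdout: JSON array for PUT .../items.
# Fails with no output if the cleaned feed is too small or exceeds the cap,
# so a broken download cannot empty or silently truncate the live list.
build_payload() {
  local items count
  items=$(clean_feed)
  count=$(printf '%s\n' "$items" | grep -c . || true)
  if [ "$count" -lt "$MIN_ITEMS" ]; then
    echo "refusing to sync: only $count valid entries" >&2
    return 1
  fi
  if [ "$count" -gt "$MAX_ITEMS" ]; then
    echo "refusing to sync: $count entries exceed cap $MAX_ITEMS" >&2
    return 1
  fi
  printf '%s\n' "$items" | awk '
    BEGIN { printf "[" }
    { printf "%s{\"ip\":\"%s\"}", (NR > 1 ? "," : ""), $0 }
    END { print "]" }'
}

# In the sync script this would replace the grep | head | jq pipeline:
#   BODY=$(curl -fsSL --max-time 30 "$FEED_URL" | build_payload)
```

With set -euo pipefail in effect, a non-zero return from build_payload stops the script before the PUT is sent.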

Step 3 — Create the Custom Rule

Open Your Zone → Security → WAF → Custom rules and add:

  • Rule name: Block IP Insights blocklist
  • Expression: (ip.src in $ipinsights_block)
  • Action: Block

Move the rule to the top of the list so it short-circuits before any allow rules. For lower false-positive risk on a public site, use Managed Challenge instead of Block.

Step 4 — Verify

  • Open the list in the dashboard and confirm the item count.
  • Open Security → Events and filter by your rule name to see live blocks.
  • From a known-bad IP (use a Tor exit you just looked up on our lookup tool) confirm a 403 is returned.

Notes & Limits

  • Plan limits: Pro → 10,000 items per list. Use the CIDR-aggregated feed at https://ipinsights.io/downloads/blocklist-cidr.txt if you hit the cap.
  • Cloudflare's API rate limit (1,200 / 5 min per token) is more than enough for hourly syncs.
  • If you also use Cloudflare Workers, see the Workers integration for live, per-request enrichment.

API Key: No ipinsights.io API key is needed for the public blocklist. You only need an ipinsights.io key for the live lookup API used by the Workers integration.

Request Higher API Limit

Running a high-volume Cloudflare WAF deployment? If the default rate limit isn't enough for your environment, submit a request below and we'll review it.
