Anti-DDOS Blocking CloudFlare IP/Subnet Connections

If you have CloudFlare enabled and are receiving 522 connection errors, then it is possible that LiteSpeed Web Server's (LSWS) anti-ddos settings are causing these connections to be blocked. To get around this, you can whitelist these IPs/subnets by adding them to LSWS's “Allowed List”.

For your reference, CloudFlare IP Ranges are listed here.

From the WebAdmin Console, navigate to Configuration > Server and click on the “Security” tab.

Scroll to the bottom of the page. You will see the “Access Control” section, which contains the “Allowed List” and “Denied List”. Click “Edit” at the top right of this section.

By default, the “Allowed List” will contain “ALL”. In most cases, this allows all IPs/subnets to connect to the server. Since the CloudFlare-enabled IPs/subnets are being blocked by LSWS's anti-ddos settings, adding them to this (comma-separated) list as trusted IPs/subnets will bypass this blocking.

To do this, simply append a trailing “T” to the IP, subnet, or subnet/netmask and click “Save” at the top right of the “Access Control” section. For example:

ALL,103.21.244.0/22T,103.22.200.0/22T,103.31.4.0/22T,104.16.0.0/12T,108.162.192.0/18T,131.0.72.0/22T,141.101.64.0/18T,162.158.0.0/15T,172.64.0.0/13T,173.245.48.0/20T,188.114.96.0/20T,190.93.240.0/20T,197.234.240.0/22T,198.41.128.0/17T,199.27.128.0/21T

Lastly, you must now perform a graceful restart to update your server. Do this by clicking “Graceful Restart” under the “Actions” menu at the top in the LSWS Web Admin Console.
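An added example, not part of the original page or LiteSpeed's own code: a Python helper that parses an Allowed List value in the format shown above, checks whether a client IP falls inside a trusted (“T”) entry, and compares the trusted entries against a range list to find missing or stale ones. It assumes entries are CIDR ranges or single IPs; `PUBLISHED` is a constructed stand-in for a freshly downloaded CloudFlare list, and all function names are hypothetical.

```python
import ipaddress

# The Allowed List value from the example above.
PAGE_LIST = ("ALL,103.21.244.0/22T,103.22.200.0/22T,103.31.4.0/22T,"
             "104.16.0.0/12T,108.162.192.0/18T,131.0.72.0/22T,"
             "141.101.64.0/18T,162.158.0.0/15T,172.64.0.0/13T,"
             "173.245.48.0/20T,188.114.96.0/20T,190.93.240.0/20T,"
             "197.234.240.0/22T,198.41.128.0/17T,199.27.128.0/21T")

# Constructed stand-in for a freshly downloaded range list: the page's ranges
# with the last one dropped and a documentation range (203.0.113.0/24) added.
PUBLISHED = [e[:-1] for e in PAGE_LIST.split(",")[1:-1]] + ["203.0.113.0/24"]

def parse_allowed_list(value):
    """Return (plain, trusted) sets of networks; 'ALL' is skipped."""
    plain, trusted = set(), set()
    for item in (i.strip() for i in value.split(",")):
        if not item or item.upper() == "ALL":
            continue
        is_t = item.endswith("T")  # trailing "T" marks a trusted entry
        net = ipaddress.ip_network(item[:-1] if is_t else item, strict=False)
        (trusted if is_t else plain).add(net)
    return plain, trusted

def is_trusted(value, client_ip):
    """True if client_ip falls inside any trusted ("T") entry."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == n.version and addr in n
               for n in parse_allowed_list(value)[1])

def audit(value, published):
    """Return (missing, stale): ranges to add and trusted ranges to review."""
    trusted = parse_allowed_list(value)[1]
    current = {ipaddress.ip_network(c, strict=False) for c in published}
    return (sorted(map(str, current - trusted)),
            sorted(map(str, trusted - current)))

def build_allowed_list(published, base="ALL"):
    """Render ranges as a comma-separated Allowed List value with "T" suffixes."""
    nets = [ipaddress.ip_network(c, strict=False) for c in published]
    return ",".join([base] + [f"{n}T" for n in nets])

if __name__ == "__main__":
    print(audit(PAGE_LIST, PUBLISHED))
    print(is_trusted(PAGE_LIST, "104.20.5.9"), is_trusted(PAGE_LIST, "192.0.2.10"))
```

Entries reported as stale still bypass the anti-ddos settings, so review them before keeping them in the list.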

  • Last modified: 2016/06/29 13:41
  • by Rob Holda