We couldn’t get this to work. Kept getting a 403. We tried moving “deny all;” around and we even tried breaking up the two files, and it still wouldn’t work.
We are on AWS and realized we can manage using the security group to allow and deny. This is working for us right now.
Appreciate the help though. I think a nice-to-have for those on Cloudflare is an option to turn on to whitelist only Cloudflare IPs through the method above. Perhaps an admin checkbox. It makes a lot of sense and is a great addition for security. And honestly a nice selling point!
Next thing we need to solve though… our IP is still showing up in emails. We are using SparkPost as our email vendor so we are scratching our heads why it’s still showing.