hryha/do-cf-sync

Sync Cloudflare IP ranges into a DigitalOcean Firewall (ingress rules)

Type: project

pkg:composer/hryha/do-cf-sync

1.0.0 2025-12-17 12:30 UTC

This package is auto-updated.

Last update: 2025-12-17 12:33:34 UTC


README

This small PHP utility syncs the current list of Cloudflare IP ranges into a specified DigitalOcean Firewall as inbound rules. It runs as a CLI script and is intended to be scheduled daily via cron.

What it does

  • Fetches Cloudflare IP ranges (both IPv4 and IPv6) from the official Cloudflare API.
  • Updates the target DigitalOcean Firewall to allow inbound TCP traffic on configured ports (default: 80 and 443) from those Cloudflare ranges.
  • Preserves your other firewall rules. It only replaces previously-added Cloudflare rules for the same ports.

Requirements

  • PHP 8.2+
  • Composer
  • A DigitalOcean Personal Access Token with write access to Firewalls
  • An existing DigitalOcean Firewall ID you want to update

Installation

  1. Clone or copy this repository to your server.
  2. Install dependencies:
    composer install --no-dev --optimize-autoloader
  3. Configure environment variables. Copy .env.example to .env and fill values:
    DO_TOKEN="your_digitalocean_api_token_here"
    DO_FIREWALL_ID="your_firewall_id_here"
    # Optional: comma-separated list of TCP ports to allow from Cloudflare
    PORTS="80,443"
    # Optional: add extra CIDRs (IPv4/IPv6) to allow in addition to Cloudflare ranges
    EXTRA_CIDRS="8.8.8.8/32,2001:db8::/32"
  4. Add a daily cron job (every day at 02:15):
    15 2 * * * /usr/bin/php /path/to/project/bin/sync.php >> /var/log/do-cf-sync.log 2>&1
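Because an unattended daily sync writes whatever it fetched straight into the firewall, it helps to validate the source list before the update call. The following is an added example, not code from hryha/do-cf-sync: it checks the Cloudflare ranges plus the PORTS and EXTRA_CIDRS values and builds DigitalOcean-style inbound rules, refusing an empty list, malformed entries and catch-all prefixes. The function names and the prefix floors (/8 for IPv4, /16 for IPv6) are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not taken from hryha/do-cf-sync.
// The prefix floors (/8 and /16) are assumed thresholds that block 0.0.0.0/0 and ::/0.
function isSafeCidr(string $cidr): bool
{
    $parts = explode('/', trim($cidr));
    if (count($parts) !== 2 || !ctype_digit($parts[1])) {
        return false;
    }
    [$ip, $prefix] = [$parts[0], (int) $parts[1]];
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return $prefix >= 8 && $prefix <= 32;
    }
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        return $prefix >= 16 && $prefix <= 128;
    }
    return false;
}

// Builds one inbound TCP rule per port; throws instead of returning a bad rule set.
function buildInboundRules(array $cfResult, string $ports, string $extraCidrs): array
{
    $cloudflare = array_merge($cfResult['ipv4_cidrs'] ?? [], $cfResult['ipv6_cidrs'] ?? []);
    if ($cloudflare === []) {
        throw new RuntimeException('Cloudflare list is empty; refusing to sync');
    }
    $extra = array_filter(array_map('trim', explode(',', $extraCidrs)), 'strlen');
    $sources = array_merge($cloudflare, $extra);
    foreach ($sources as $cidr) {
        if (!is_string($cidr) || !isSafeCidr($cidr)) {
            throw new InvalidArgumentException('Rejected source: ' . var_export($cidr, true));
        }
    }
    $sources = array_values(array_unique($sources));
    $rules = [];
    foreach (array_filter(array_map('trim', explode(',', $ports)), 'strlen') as $port) {
        if (!ctype_digit($port) || (int) $port < 1 || (int) $port > 65535) {
            throw new InvalidArgumentException("Invalid port: $port");
        }
        $rules[] = ['protocol' => 'tcp', 'ports' => $port, 'sources' => ['addresses' => $sources]];
    }
    return $rules;
}

// Constructed sample shaped like the "result" object of Cloudflare's /client/v4/ips response.
$sample = ['ipv4_cidrs' => ['173.245.48.0/20', '103.21.244.0/22'], 'ipv6_cidrs' => ['2400:cb00::/32']];
echo json_encode(buildInboundRules($sample, '80,443', '8.8.8.8/32,2001:db8::/32'), JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), PHP_EOL;
```

An exception here leaves the firewall unchanged, and under the cron line above the error message lands in /var/log/do-cf-sync.log.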