
Right now their server can simply block all IPs and all certs not from Cloudflare.

Firewalls resist DDoS better than web servers and DBs




If they allowlist Cloudflare IP addresses, they should be careful that list only includes the IPs of the caching servers, and not of the exit nodes for the free WARP VPN service.

These both share the same AS number, I think. I’m not sure if Cloudflare segregates WARP traffic or publishes a list of WARP exit IP addresses.

Aside: It’s not that simple of a problem, is it? Because there’s also CF workers, which execute on caching servers and can therefore send outbound requests with the IP of the caching server. (That said, I don’t know the details of this routing config, although I’m now curious to test it.)

Anyway, I think an IP allowlist is probably the most crude starting point - I’m pretty sure CF has some products that are better suited for it (mTLS maybe, and that server side WARP VPN product they had at some point - I’m not up to date on this).
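As an added illustration of the two layers this comment mentions (a source-IP allowlist as the crude first step, and mTLS to the origin as the stronger check), here is example code that is not from the thread or from Cloudflare. The CIDR ranges are constructed placeholders, not Cloudflare's published ranges, and `client_cert_verified` stands in for whatever the TLS terminator reports after validating the client certificate.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed allowlist for demonstration only: these are NOT Cloudflare's
# real ranges. In practice, load the published caching-edge ranges and
# refresh them on a schedule, and keep VPN exit ranges out of the list even
# when they share an AS number with the edge (an ASN is too coarse a key).
EDGE_RANGES = [
    "198.51.100.0/24",   # constructed stand-in for a caching-edge IPv4 range
    "2001:db8:1::/48",   # constructed stand-in for a caching-edge IPv6 range
]


def build_allowlist(cidrs: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Parse CIDR strings once at startup; strict=False tolerates host bits."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def ip_allowed(peer_ip: str, allowlist: List[ipaddress._BaseNetwork]) -> bool:
    """True if the TCP peer address falls inside an allowlisted range."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # malformed address: fail closed rather than open
    return any(addr in net for net in allowlist)


def origin_request_allowed(peer_ip: str, client_cert_verified: bool,
                           allowlist: List[ipaddress._BaseNetwork]) -> Tuple[bool, str]:
    """Defence in depth for an origin behind a CDN.

    The IP check alone is what the comment calls a crude starting point:
    anything that can emit traffic from an allowlisted address (VPN exits,
    edge-executed code) would pass it. Requiring a verified client
    certificate from the CDN (mTLS) closes that gap, so both must hold.
    """
    if not ip_allowed(peer_ip, allowlist):
        return False, "source address not in edge allowlist"
    if not client_cert_verified:
        return False, "no verified client certificate (mTLS) from the CDN"
    return True, "ok"
```

The decision function is meant to run at the edge of the origin (firewall hook or reverse-proxy access rule); the returned reason string is what you would log for detection of direct-to-origin probing.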


Yes, my comment was oversimplified, it would be a bad idea not to coordinate with CF on a measure like this.


Yeah, mostly your comment just got me curious about the details.

It’s interesting how it’s basically the same problem as securing an onion service (how to ensure no route to the machine on the clearnet).



