Restricting direct access to your website (Incapsula's IP addresses)


To ensure that all traffic to your website passes through Incapsula, you can block access from non-Incapsula IP addresses.

To do this, apply a set of rules to your firewall (or to your .htaccess files) that blocks all traffic coming from non-Incapsula IP addresses.

Here is a list of IP address ranges that are used by Incapsula:

199.83.128.0/21
198.143.32.0/19
149.126.72.0/21
103.28.248.0/22
45.64.64.0/22
185.11.124.0/22
192.230.64.0/18
107.154.0.0/16
45.60.0.0/16
45.223.0.0/16

2a02:e980::/29

We have converted the above values to simple IP ranges for your convenience:

199.83.128.1 - 199.83.135.254
198.143.32.1 - 198.143.63.254
149.126.72.1 - 149.126.79.254
103.28.248.1 - 103.28.251.254
185.11.124.1 - 185.11.127.254
45.64.64.0 - 45.64.67.255
192.230.64.1 - 192.230.127.254
107.154.0.0 - 107.154.255.254
45.60.0.1 - 45.60.255.254
45.223.0.1 - 45.223.255.254

2a02:e980:0:0:0:0:0:0 - 2a02:e987:ffff:ffff:ffff:ffff:ffff:ffff


This list may change from time to time. We recommend that you subscribe to this item to receive notifications on any future updates.

Important Notes:

- If you create such IP restrictions, make sure to back them up if you disable Incapsula on your site or revert your DNS to its original settings.

- Please pay attention to the /21 and /22 networks: For example, the proper range for 149.126.72.0/21 will be 149.126.72.0 - 149.126.79.254
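As an added example (not from the Incapsula article), the following Python script expands each CIDR in the list above into its first and last address and its dotted netmask, and checks whether a given address falls inside any listed network. That is the same check a firewall performs, and it also settles the kind of question that comes up in the comments below, namely whether an address such as 198.143.38.10 (a constructed sample) belongs to 198.143.32.0/19. Only the standard library is used.

```python
# Added example (not from the Incapsula article): expand the article's CIDR
# list into first/last addresses and a dotted netmask, and check whether a
# given address falls inside any listed network. Standard library only.
import ipaddress

# CIDR ranges as listed in the article at the time of writing.
INCAPSULA_CIDRS = [
    "199.83.128.0/21", "198.143.32.0/19", "149.126.72.0/21", "103.28.248.0/22",
    "45.64.64.0/22", "185.11.124.0/22", "192.230.64.0/18", "107.154.0.0/16",
    "45.60.0.0/16", "45.223.0.0/16", "2a02:e980::/29",
]


def cidr_to_range(cidr):
    """Return (first address, last address, netmask) for a CIDR string.

    A firewall rule must cover every address in the block, including the
    network and broadcast endpoints: a proxy may legitimately use any of them.
    strict=True rejects a prefix whose host bits are set, which catches a
    mistyped mask before it reaches a rule set.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return (str(net.network_address), str(net.broadcast_address), str(net.netmask))


def find_network(ip, cidrs=INCAPSULA_CIDRS):
    """Return the listed CIDR that contains ip, or None if no range matches."""
    addr = ipaddress.ip_address(ip)
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        if addr.version == net.version and addr in net:
            return cidr
    return None


if __name__ == "__main__":
    for cidr in INCAPSULA_CIDRS:
        first, last, mask = cidr_to_range(cidr)
        print(f"{cidr:20} {first} - {last}  (netmask {mask})")
    # Constructed sample addresses: inside a /19, just past a /21, inside the v6 /29.
    for sample in ("198.143.38.10", "149.126.80.1", "2a02:e983::1"):
        print(sample, "->", find_network(sample))
```

Running the script prints the expanded table; the netmask column is what you need for firewalls that take a mask rather than a prefix length (198.143.32.0/19 becomes 255.255.224.0).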


These ranges can also be retrieved via the API at the following URL:

https://my.incapsula.com/api/integration/v1/ips

The resp_format parameter selects the output format, one of: json | apache | nginx | iptables | text

For example: curl -k -s --data "resp_format=apache" https://my.incapsula.com/api/integration/v1/ips

(Note that -k disables TLS certificate verification for the request; drop it unless you have a specific reason to skip verification, since the list you download becomes your firewall's allow list.)


If you do not have access to a network firewall, see the solutions below for:

Apache (.htaccess):

order deny,allow
deny from all
allow from 199.83.128.0/21
allow from 198.143.32.0/19
allow from 149.126.72.0/21
allow from 103.28.248.0/22
allow from 185.11.124.0/22
allow from 45.64.64.0/22
allow from 192.230.64.0/18
allow from 107.154.0.0/16
allow from 45.60.0.0/16
allow from 45.223.0.0/16
allow from 2a02:e980::/29

http://support.incapsula.com/entries/20716913-setting-up-htaccess-restrictions


Nginx:

Nginx comes with a simple module, ngx_http_access_module, that allows or denies access based on the client IP address.

location / {
# allow Incapsula
allow 199.83.128.0/21;
allow 198.143.32.0/19;
allow 149.126.72.0/21;
allow 103.28.248.0/22;
allow 185.11.124.0/22;
allow 45.64.64.0/22;
allow 192.230.64.0/18;
allow 107.154.0.0/16;
allow 45.60.0.0/16;
allow 45.223.0.0/16;
allow 2a02:e980::/29;

# drop rest of the world
deny all;
}


IPtables:

#Incapsula proxies access restriction
#Allow HTTP (port 80) from Incapsula
iptables -A INPUT -s 199.83.128.0/21 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 198.143.32.0/19 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 149.126.72.0/21 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 103.28.248.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 185.11.124.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 45.64.64.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 192.230.64.0/18 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 107.154.0.0/16 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 45.60.0.0/16 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 45.223.0.0/16 -p tcp --dport http -j ACCEPT
#IPv6 rules must go through ip6tables; iptables only accepts IPv4 addresses
ip6tables -A INPUT -s 2a02:e980::/29 -p tcp --dport http -j ACCEPT

#Block HTTP from other sources (both address families)
iptables -A INPUT -p tcp --dport http -j DROP
ip6tables -A INPUT -p tcp --dport http -j DROP

#Allow HTTPS (port 443) from Incapsula
iptables -A INPUT -s 199.83.128.0/21 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 198.143.32.0/19 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 149.126.72.0/21 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 103.28.248.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 185.11.124.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 45.64.64.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 192.230.64.0/18 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 107.154.0.0/16 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 45.60.0.0/16 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 45.223.0.0/16 -p tcp --dport https -j ACCEPT
#IPv6 rules must go through ip6tables; iptables only accepts IPv4 addresses
ip6tables -A INPUT -s 2a02:e980::/29 -p tcp --dport https -j ACCEPT

#Block HTTPS from other sources (both address families)
iptables -A INPUT -p tcp --dport https -j DROP
ip6tables -A INPUT -p tcp --dport https -j DROP
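As an added example that is not part of the Incapsula article, the following Python script renders a single CIDR list into the three formats shown above (.htaccess, nginx and iptables). It validates every prefix first, sends IPv6 prefixes to ip6tables because iptables accepts IPv4 addresses only, and emits each DROP rule after the ACCEPT rules for its port so the ordering matches the article. The CIDR list is the one from the article; nothing else is assumed.

```python
# Added example (not from the Incapsula article): render one CIDR list into
# the .htaccess, nginx and iptables forms shown above. IPv6 prefixes go to
# ip6tables, since iptables accepts IPv4 addresses only, and every DROP is
# emitted after the ACCEPT rules for its port so rule order matches the article.
import ipaddress

# CIDR ranges as listed in the article at the time of writing.
INCAPSULA_CIDRS = [
    "199.83.128.0/21", "198.143.32.0/19", "149.126.72.0/21", "103.28.248.0/22",
    "45.64.64.0/22", "185.11.124.0/22", "192.230.64.0/18", "107.154.0.0/16",
    "45.60.0.0/16", "45.223.0.0/16", "2a02:e980::/29",
]


def normalize(cidrs):
    """Validate each entry and return canonical CIDR strings.

    strict=True raises ValueError for a prefix whose host bits are set
    (e.g. a typo such as 199.83.128.1/21), so a wrong mask is caught before
    any rule is written.
    """
    return [str(ipaddress.ip_network(c, strict=True)) for c in cidrs]


def split_by_version(cidrs):
    """Separate IPv4 and IPv6 prefixes; the netfilter tool differs per family."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return ([str(n) for n in nets if n.version == 4],
            [str(n) for n in nets if n.version == 6])


def render_htaccess(cidrs):
    """Apache 2.2-style .htaccess block, as in the article."""
    lines = ["order deny,allow", "deny from all"]
    lines += [f"allow from {c}" for c in normalize(cidrs)]
    return "\n".join(lines) + "\n"


def render_nginx(cidrs):
    """ngx_http_access_module location block, as in the article."""
    lines = ["location / {", "    # allow Incapsula"]
    lines += [f"    allow {c};" for c in normalize(cidrs)]
    lines += ["", "    # drop rest of the world", "    deny all;", "}"]
    return "\n".join(lines) + "\n"


def render_iptables(cidrs, ports=("http", "https")):
    """iptables/ip6tables INPUT rules: ACCEPT each prefix, then DROP the rest."""
    v4, v6 = split_by_version(cidrs)
    lines = []
    for port in ports:
        for tool, nets in (("iptables", v4), ("ip6tables", v6)):
            lines += [f"{tool} -A INPUT -s {c} -p tcp --dport {port} -j ACCEPT" for c in nets]
            lines.append(f"{tool} -A INPUT -p tcp --dport {port} -j DROP")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import sys
    fmt = sys.argv[1] if len(sys.argv) > 1 else "iptables"
    renderers = {"apache": render_htaccess, "nginx": render_nginx, "iptables": render_iptables}
    sys.stdout.write(renderers[fmt](INCAPSULA_CIDRS))
```

Run it as `python3 render_rules.py apache` (or nginx, iptables) and redirect the output into the relevant file; replacing INCAPSULA_CIDRS with the text-format output of the API call above turns it into a refresh step you can schedule.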


Updated to 2016.


Comments

  • uri

    The range 149.126.72.0/21 was added to the Incapsula IP ranges.

  • uri

    Added a new IP for our new Tokyo PoP.

  • uri

    We have added an APNIC range: 103.28.248.0/22

  • gregraven

    Why not set up a page that is always up to date, where clients can cut-and-paste the exact information needed for the .htaccess file?

  • gregraven

    For that matter, Incapsula already has a WordPress plug-in to sort out the IP confusion that happens with services such as this. Why not add a feature to this plug-in to write to .htaccess with the current whitelist?

  • gregraven

    order deny,allow
    deny from all
    allow from 199.83.128.0/21
    allow from 149.126.72.0/21
    allow from 103.28.248.0/22
    allow from 194.90.228.56/29
    allow from 46.51.174.78
    allow from 184.73.240.163
    allow from 122.248.247.129
    allow from 173.203.97.38
    allow from 79.125.118.62
    allow from 176.32.89.123

  • show

    if you use nginx, make sure you have the realip module, and add this to nginx.conf:

    set_real_ip_from 199.83.128.0/21;
    set_real_ip_from 149.126.72.0/21;
    set_real_ip_from 103.28.248.0/22;
    set_real_ip_from 194.90.228.56/29;
    set_real_ip_from 46.51.174.78;
    set_real_ip_from 184.73.240.163;
    set_real_ip_from 122.248.247.129;
    set_real_ip_from 173.203.97.38;
    set_real_ip_from 79.125.118.62;
    set_real_ip_from 176.32.89.123;
    real_ip_header X-Forwarded-For;

  • uri

    A major update:

    • removed the 194.90.228.56/29 range
    • removed many of the single IPs (184.73.240.163, 173.203.97.38, 176.32.89.123)
    • added additional IPs: 50.16.241.95, 50.16.241.176, 184.169.135.107, 184.169.135.111, 46.137.108.0, 46.51.168.190, 79.125.110.134

  • Jody Gilbert

    Hi,

    Thanks for the update. Is it possible to be notified prior to these changes being implemented, so we can schedule the change at our end without affecting access to our sites?

    Cheers!

  • alex b

    Hi, I second the last comment. Can we get an early notification? We must notify our customers of the change, as they restrict the destination IPs.

  • andrea di michele

    iptables allow host

    tcp:in:d=80:s:199.83.128.0/21
    tcp:in:d=80:s:149.126.72.0/21
    tcp:in:d=80:s:103.28.248.0/22
    tcp:in:d=80:s:46.51.174.78
    tcp:in:d=80:s:122.248.247.129
    tcp:in:d=80:s:50.16.241.95
    tcp:in:d=80:s:50.16.241.176
    tcp:in:d=80:s:184.169.135.107
    tcp:in:d=80:s:184.169.135.111
    tcp:in:d=80:s:46.137.108.0
    tcp:in:d=80:s:46.51.168.190
    tcp:in:d=80:s:79.125.110.134
    tcp:in:d=80:s:79.125.118.62

    ;)

  • uri

    Hi,

    Few updates:

    1. An additional range was added: 198.143.32.0/19. This range will become active on June 1st. (for those who requested early notification :))

    2. As several people have provided specific configurations for htaccess, nginx and iptables, I've incorporated them into the article and will keep them updated going forward. Thank you to all the contributors!!

    Have Fun.

  • Warren Meyer

    I am sorry if this is a staggeringly noob question, but if I lock down ht access to allow only traffic from incapsula, I presume this will block my ftp access to the site (unless I ftp from the same IP and whitelist that as well).  Correct?  Or is there a way to block http calls but not ftp?

  • Jitendra Dhamani

    Websites: Port 80 Blocked after htaccess allow only traffic from incapsula,

    FTP: Port 20, 21 Accessible by everyone

  • uri

    Hi to all followers :)

    Please note that we have added another range: 185.11.124.0/22

    Please make sure to update your firewall rules.

  • zzzzzzz

    We are using Dome9 with Incapsula and they have something called Magic-IP for Incapsula, and it dynamically configures our servers to accept traffic only from Incapsula. They keep updating their Incapsula list when Incapsula changes, so we don't have to worry about it. And we use them to block phpMyAdmin and ssh to our servers as well.

  • uri

    Hello all,

    We have decided to remove all the single IPs which were used by some of our old POPs.

    I have updated the list and the sample configurations accordingly. You can find it in the article at the top of the discussion thread.

    For your convenience, here is the complete list of IPs used by Incapsula's POPs:

    199.83.128.0/21
    198.143.32.0/19
    149.126.72.0/21
    103.28.248.0/22
    185.11.124.0/22

  • eitanc

    Hi,

    I wish to suggest that this list of IP addresses be stored at a fixed HTTPS (for validation) URL at the Incapsula site, as a structured file format, like CSV, XML, JSON or whatever, so clients will have the option to customize their back-end systems' usage of this input, based on this list, constantly and automatically, even if the list changes - not needing to rely on notifications from this thread and then manually adjust changes.

    Eitan

  • TheWYSIWYGGroup

    Too hard to keep up with IP ranges - it's like another job.

  • Yoav1987

    Tips: don't forget to add the IPs to all your .htaccess files (root, forum, other folders).

    #Incapsula
    order deny,allow
    deny from all
    allow from 199.83.128.0/21
    allow from 198.143.32.0/19
    allow from 149.126.72.0/21
    allow from 103.28.248.0/22
    allow from 185.11.124.0/22

  • chris Angel o

    PLEASE ALLOW ME ACCESS TO GET INTO MY  ACCOUNT I CAN NOT GET INTO MY ACCOUNT .IT HAS BEEN BLOCKED.

  • ming

    There are no suitable Chinese nodes?

  • asieira

    If you are behind a proxy or load-balancer and use Apache, the aforementioned code won't work since you need to look for the X-FORWARDED-FOR HTTP header instead of the actual IP address originating the connection. In that case, you could use mod_rewrite like so:

    # Turn on rewrite engine, only needed once
    RewriteEngine On

    # Limit IP addresses to those from Incapsula
    # --> http://support.incapsula.com/entries/20199668-Restricting-direct-access-to-your-website-Incapsula-s-IP-addresses-
    # Each pattern is anchored to one whole address (the last one in the header)
    # and its dots are escaped, so a value can only satisfy a condition by
    # actually being in that range. All conditions must hold for the rule to
    # fire, i.e. the request is refused only when the address matches no range.
    # 199.83.128.1 - 199.83.135.254
    RewriteCond %{HTTP:X-Forwarded-For} !(^|,\s*)199\.83\.1(2[89]|3[0-5])\.[0-9]{1,3}$
    # 198.143.32.1 - 198.143.63.254
    RewriteCond %{HTTP:X-Forwarded-For} !(^|,\s*)198\.143\.(3[2-9]|[45][0-9]|6[0-3])\.[0-9]{1,3}$
    # 149.126.72.1 - 149.126.79.254
    RewriteCond %{HTTP:X-Forwarded-For} !(^|,\s*)149\.126\.7[2-9]\.[0-9]{1,3}$
    # 103.28.248.1 - 103.28.251.254
    RewriteCond %{HTTP:X-Forwarded-For} !(^|,\s*)103\.28\.2(4[89]|5[01])\.[0-9]{1,3}$
    # 185.11.124.1 - 185.11.127.254
    RewriteCond %{HTTP:X-Forwarded-For} !(^|,\s*)185\.11\.12[4-7]\.[0-9]{1,3}$
    # Fail
    RewriteRule .* - [L,F]

     

    Ideally you should still add client IP restrictions to ensure the connections are all originating from the expected proxy/load balancer as well, since X-FORWARDED-FOR headers can be spoofed by a malicious client that is able to connect directly to the web server.
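The check described in this comment, as an added example that is neither the commenter's nor Incapsula's code: trust X-Forwarded-For only when the TCP peer is a known proxy, walk the header from the right through the trusted hops, and require that an Incapsula node appears on that trusted path. A value a client wrote into the header itself is never reached by the walk, which is why the spoofing concern above does not apply. The load-balancer network 10.0.0.0/24 and all request samples are constructed placeholders; the Incapsula ranges are those from the article. The nginx realip module with set_real_ip_from and real_ip_recursive on, mentioned in an earlier comment, performs the same right-to-left walk.

```python
# Added example, not code from the comment or from Incapsula: decide whether a
# request really came through Incapsula when the web server sits behind a
# load balancer, trusting X-Forwarded-For only for hops that a trusted proxy
# appended. Standard library only.
import ipaddress

# Incapsula networks from the article.
INCAPSULA = [ipaddress.ip_network(c) for c in (
    "199.83.128.0/21", "198.143.32.0/19", "149.126.72.0/21", "103.28.248.0/22",
    "45.64.64.0/22", "185.11.124.0/22", "192.230.64.0/18", "107.154.0.0/16",
    "45.60.0.0/16", "45.223.0.0/16", "2a02:e980::/29",
)]
# Constructed placeholder for your own load-balancer network (assumption).
LOAD_BALANCERS = [ipaddress.ip_network("10.0.0.0/24")]


def in_nets(ip, nets):
    """True if ip parses and lies inside one of nets; malformed input is False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr.version == n.version and addr in n for n in nets)


def resolve_chain(remote_addr, xff_header, trusted):
    """Walk from the TCP peer leftwards through X-Forwarded-For.

    Returns (client, path): path is the list of trusted proxies actually
    traversed, client the first hop that is not a trusted proxy. client is
    None when the header is empty, ends in a proxy, or contains a malformed
    entry (fail closed). A peer that is not itself a trusted proxy gets an
    empty path: whatever it put in the header is its own claim and is ignored.
    """
    if not in_nets(remote_addr, trusted):
        return remote_addr, []
    path = [remote_addr]
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None, path
        if in_nets(hop, trusted):
            path.append(hop)
            continue
        return hop, path
    return None, path


def came_via_incapsula(remote_addr, xff_header):
    """Allow only when a trusted path exists and an Incapsula node is on it."""
    client, path = resolve_chain(remote_addr, xff_header, LOAD_BALANCERS + INCAPSULA)
    return client is not None and any(in_nets(p, INCAPSULA) for p in path)


def client_ip(remote_addr, xff_header):
    """Originating client address, or None if the request must be rejected."""
    if not came_via_incapsula(remote_addr, xff_header):
        return None
    return resolve_chain(remote_addr, xff_header, LOAD_BALANCERS + INCAPSULA)[0]


if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For header value).
    samples = [
        ("10.0.0.5", "203.0.113.7, 199.83.130.4"),   # via Incapsula, then our LB
        ("10.0.0.5", "199.83.130.4, 203.0.113.7"),   # forged header, direct to LB
        ("203.0.113.7", "199.83.130.4"),             # forged header, direct to server
        ("199.83.130.4", "203.0.113.7"),             # Incapsula connecting directly
        ("10.0.0.5", ""),                            # LB with no header at all
    ]
    for peer, xff in samples:
        print(f"{peer:14} {xff!r:32} allowed={came_via_incapsula(peer, xff)} client={client_ip(peer, xff)}")
```

The decision is made on the connection's peer address first; the header is consulted only once that peer is known to be one of your own proxies, and only the rightmost entries that such proxies appended are believed.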

  • cadovn

    How do I do this with IIS 7.5 on a Windows 2008 R2 Standard 64-bit server?

    Thanks,

  • Mat Timpug

    Hopefully you guys do something like the cloudflare did at https://www.cloudflare.com/ips-v4 so we can set up a cron job or something that will fetch the ip lists automatically for whitelist.

  • Samuel Aguilera

    Maybe this list is getting obsolete?

    I'm receiving visits to my site from 198.143.38.* and 198.143.39.* ranges not listed in the above list.

    It would be a very handy resource to have something like proposed by min0taur.

  • zzzzzzz

    wphost - I agree with you. How are you restricting the access to your server today?

  • Rod

    wphost,

    I was going to wait for support to respond to you, but the last comment has prompted me to go ahead and chime in.  

    I am a customer and I am subscribed to this page to monitor changes.  While this is not automated to update my firewall rules, the changes seem to be infrequent, and I get an email about any changes or posts to this page.  There is a subscribe link at the top right of the page. 

    The ranges stated above include 198.143.32.0/19 which is a superset of the ranges that you mention (198.143.38.* and 198.143.39.* )

    198.143.32.0/19  includes all IPs between 198.143.32.1 - 198.143.63.254 (32 Class C networks)

    Another way to state it is 198.143.32.0 with a netmask of 255.255.224.0 .

    You should make sure that you have the netmask correct in your rules.

    I hope this helps.

    Rod


  • froyke

    Just note that there is no need for you to manually track this page and update all your servers if you use dome9.com. There is a Magic IP for Incapsula (as well as for CloudFlare) that will push the relevant configuration to your iptables or Windows firewall. 

  • tfs615

    follow
