Cloudflare is a very popular CDN & WAF solution, enabling millions of websites to quickly and easily protect their origin server from nasties such as DDoS attacks.
By default, Cloudflare has IPv6 enabled on all sites. This is usually a great feature (we’re running out of IPv4 address space, and IPv6 is a solution to this resource depletion); however, it can sometimes cause issues with legacy systems. This article shows you how to disable IPv6 on a Cloudflare site.
Cloudflare don’t want you to disable IPv6. Their help article on the topic is pretty direct:
Why can’t I turn off IPv6?
At Cloudflare we believe in being good to the Internet and good to our customers. By moving on from the legacy world of IPv4-only to the modern-day world where IPv4 and IPv6 are treated equally, we believe we are doing exactly that. In the Cloudflare dashboard, IPv6 is no longer something you can toggle on and off, it’s always just on.
What happens if your origin site breaks because of IPv6? Maybe you have third-party systems that only support IPv4 (e.g. an anti-fraud system stuck in the dark ages).
I got caught out by this when migrating a client’s site to Cloudflare. Everything worked well, except one particular piece of critical functionality failed for some users. It turned out we were passing the user’s IPv6 address to a third party that only accepted IPv4. This unexpected data then broke their system, hence breaking ours.
Instead of backing out from the Cloudflare migration project, or engaging in a time-consuming process to remove this third-party dependency, or arguing with support over something they were never going to change… I discovered you can disable IPv6 via the Cloudflare API.
The dashboard may not be helpful, but the API comes to the rescue here. It’s a nice little backdoor, just in case you really really need to get rid of IPv6 on your site.
Step 1: Create an API Token
Before you can use the Cloudflare API, you need to create an API Token. This can be done on the API Tokens page of your User Profile.
Press the ‘Create Token’ button, and select ‘Create Custom Token’.
Create a new token with ‘Edit’ access to ‘Zone Settings’. You can also restrict this token to a specific zone.
After saving these settings, you’ll now have access to an alphanumeric API Token. Keep this special code handy for the next step.
Step 2: Run an API Command
This step is easy. You will need curl installed, and a terminal/command line prompt ready to use.
curl -X PATCH "https://api.cloudflare.com/client/v4/zones/<zone_id>/settings/ipv6" -H "Authorization: Bearer <token>" -H "Content-Type: application/json" --data '{"value":"off"}'
In this command, replace <zone_id> with the Zone ID found in your Dashboard (look in the right column of the Overview screen for your site). Replace <token> with the API Token you created in the previous step.
Running this command should now have disabled IPv6 on your site. You can verify this in the Cloudflare dashboard, on the ‘Network’ screen.
You’re done! You are no longer taking advantage of the benefits of IPv6, but you’ve probably saved yourself a lot of work fixing legacy systems.
You should still make a note to fix those systems anyway, so you can eventually turn IPv6 back on.
But for now, you’re all good.
Other Solutions
There may be other solutions which allow you to keep IPv6 enabled, while also circumventing some of the issues you are experiencing.
For example, if you need IPv4 for Geolocation, Cloudflare will send you a country code in the HTTP Header ‘CF-IPCountry’.
Or maybe you need an IPv4 address simply to identify unique clients. Cloudflare has a solution which allows your origin server to receive IPv4 addresses in the Class E space, while still being available via IPv6 to the end-user. These are the two options you can pick from:
- Add header: Add additional Cf-Pseudo-IPv4 header only
- Overwrite headers: Overwrite the existing Cf-Connecting-IP and X-Forwarded-For headers with a pseudo IPv4 address.
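As an added example (not code from Cloudflare or from this article), here is one way an origin could pick the address to hand to an IPv4-only third party under either Pseudo IPv4 option, refusing to forward anything that is not a well-formed IPv4 value. The function name `ipv4_for_legacy` and the sample requests are hypothetical, and it assumes the origin only accepts traffic that has passed through Cloudflare, since otherwise a client could set these headers itself.

```python
import ipaddress

# Reserved "Class E" block; the article says pseudo IPv4 addresses come from it.
CLASS_E = ipaddress.ip_network("240.0.0.0/4")


def _parse(value):
    """Parse a header value into an ip_address object, or None if malformed."""
    try:
        return ipaddress.ip_address((value or "").strip())
    except ValueError:
        return None


def ipv4_for_legacy(headers):
    """Return (address, kind) for an IPv4-only downstream system.

    kind is "real", "pseudo", or "none" (address is None: do not forward).
    Assumption: the request really came through Cloudflare.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    connecting = _parse(h.get("cf-connecting-ip"))
    pseudo = _parse(h.get("cf-pseudo-ipv4"))

    if connecting is not None and connecting.version == 4:
        # "Overwrite headers" mode puts the Class E address here directly.
        kind = "pseudo" if connecting in CLASS_E else "real"
        return str(connecting), kind

    # IPv6 visitor (or header missing): accept only a well-formed Class E value.
    if pseudo is not None and pseudo.version == 4 and pseudo in CLASS_E:
        return str(pseudo), "pseudo"

    return None, "none"


# Constructed sample requests (documentation-range addresses, not real traffic).
SAMPLES = [
    {"CF-Connecting-IP": "203.0.113.7"},                                      # IPv4 visitor
    {"CF-Connecting-IP": "2001:db8::1", "Cf-Pseudo-IPv4": "245.12.34.56"},    # "Add header"
    {"CF-Connecting-IP": "245.12.34.56", "X-Forwarded-For": "245.12.34.56"},  # "Overwrite headers"
    {"CF-Connecting-IP": "2001:db8::1"},                                      # Pseudo IPv4 off
    {"CF-Connecting-IP": "2001:db8::1", "Cf-Pseudo-IPv4": "10.0.0.1"},        # not Class E
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.get("CF-Connecting-IP"), "->", ipv4_for_legacy(sample))
```

Recording the returned kind alongside the address lets later log analysis tell a Class E placeholder apart from a visitor's real IPv4 address.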