Protection - WEDOS IP Addresses - WEDOS Documentation & Knowledge Base

In this article, you will learn:

How WGP affects traffic to your origin server
How to allow WGP IP addresses on your origin server
Examples of how to configure your firewall
Why you should block all other traffic
How to verify your configuration
How to keep the IP list updated
Frequently asked questions

Traffic to your origin server

When your domain is protected by WEDOS Protection (WGP), all web traffic is routed through our proxy network before reaching your origin server. Because of this, your origin server perceives incoming traffic differently:

Real visitor IP addresses cannot be seen directly. Instead, all traffic appears to come from WEDOS Global IP addresses.
Large volumes of requests are coming from a small number of IPs. Security tools (firewalls, hosting protections, plugins) may:
- Block these IPs
- Apply rate limits
- Flag them as suspicious

If your origin server blocks WEDOS Global IP addresses for any reason, your website will become inaccessible to all visitors.

Allow WEDOS Global IP addresses

To ensure your website works correctly, make sure to always allow traffic from WEDOS Global IP ranges on your origin server.

You can find the full list here:

This can typically be configured in:

Your website’s .htaccess file
Server firewall (iptables, ufw, firewalld)
Web server configuration (Apache, Nginx)
Cloud firewall (AWS Security Groups, etc.)

Example Firewall Configurations

The following examples show how to allow incoming traffic on ports 80 and 443 only from WEDOS.global IP ranges. These are starting points and should be adapted to the specific environment, distribution, and existing firewall rules. In all examples, replace the placeholder IP ranges with the current entries from https://ips.wedos.global/ips.json or https://ips.wedos.global/ips.txt.

iptables

# Allow traffic on ports 80 and 443 from WEDOS.global IP ranges
iptables -A INPUT -p tcp -m multiport --dports 80,443 -s 1.2.3.0/24 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -s 5.6.7.0/24 -j ACCEPT

# Drop all other traffic on ports 80 and 443
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP

For IPv6, use ip6tables with the corresponding IPv6 ranges from the IP list.

nftables

table inet filter {
    set wedos_ips_v4 {
        type ipv4_addr
        flags interval
        elements = { 1.2.3.0/24, 5.6.7.0/24 }
    }

    set wedos_ips_v6 {
        type ipv6_addr
        flags interval
        elements = { 2a02:2b88::/32 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        tcp dport { 80, 443 } ip saddr @wedos_ips_v4 accept
        tcp dport { 80, 443 } ip6 saddr @wedos_ips_v6 accept
    }
}

Block direct access to your origin

For maximum security, you should also block all other incoming traffic to your web server. The reason for this is if your origin IP address becomes known through historical DNS records, email headers, direct scanning or other techiques, an attacker can send traffic directly to your server, bypassing WGP and its WAF, rate limiting, and DDoS protection.

Therefore, it is best practice to:

Allow only WEDOS Global IP ranges and your own trusted IPs (e.g. admin access, monitoring tools)
Block all other traffic on ports 80 (HTTP) and 443 (HTTPS)

Verify the configuration

After applying the IP restrictions, confirm that the origin server is properly protected:

Access the website through its public domain. The site should load normally, as traffic is forwarded by the WGP proxy.
Attempt to connect directly to the origin server’s IP address from an external network. The connection should be refused or time out.
Check the origin server logs to confirm that incoming requests originate exclusively from WEDOS.global IP ranges.

If direct connections to the origin server still succeed, review the firewall and web server configuration to ensure that the WEDOS.global IP list is correctly applied and that no conflicting rules remain.

Keep IP allow list up to date

The WEDOS.global IP list can be expanded as new proxy nodes are added to the Anycast network. To avoid service disruptions, the origin server configuration should be kept synchronized with the official list.

The recommended approach is to set up an automated update process that:

Periodically downloads the latest ips.json orips.txt file once or twice a day.
Updates the firewall or web server allow list accordingly.
Reloads the relevant service to apply the changes without downtime.

Manual updates are possible but introduce the risk of outdated configurations, which can lead to legitimate proxy traffic being blocked.

FAQ

I am using shared hosting, so I cannot configure firewall rules myself. What should I do?

Even with shared hosting, you can often make your own adjustments to security plugins, such as WordPress firewall plugins.

If WEDOS Global IPs are blocked by your hosting provider’s protection, contact their support and ask them to whitelist WEDOS Global IPs.

Was this helpful?

Thanks for your feedback!

Protection – WEDOS IP Addresses