This Cloudflare Worker, icloud-private-relay-ip-list-manager, periodically fetches the lists of iCloud Private Relay egress IP addresses and updates an IP list called icloud_private_relay_egress_ips on your Cloudflare account.
Individual IP addresses and CIDR ranges must be from /8 to /32 for IPv4 and from /12 to /64 for IPv6.
The main purpose of this project is to allow Cloudflare customers to create WAF Custom Rules with this IP List to decide what to do with iCloud Private Relay requests.
Example:
- Fetches IPv4 and IPv6 addresses from a remote source.
- Creates or updates a Cloudflare IP List using Cloudflare's API.
- Handles cron jobs to fetch and update the list every 14 days (bi-weekly).
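A pre-update check for the fetch-then-update flow above, as an added example that is not code from this repository: it drops fetched entries outside the prefix bounds this README states, de-duplicates them, and refuses an update that would pass the 10,000-item soft limit. The function names, the one-entry-per-line input and the existingItemCount parameter are assumptions.

```javascript
// Prefix-length bounds and item limit as stated on this page.
const PREFIX_BOUNDS = { 4: [8, 32], 6: [12, 64] };
const SOFT_LIMIT = 10000;

function isIPv4(addr) {
  const parts = addr.split(".");
  return parts.length === 4 &&
    parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

// Plain hex notation only; the embedded dotted-quad form is rejected.
function isIPv6(addr) {
  const halves = addr.split("::");
  if (halves.length > 2) return false;
  const groups = halves.flatMap((h) => (h === "" ? [] : h.split(":")));
  if (!groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) return false;
  return halves.length === 2 ? groups.length <= 7 : groups.length === 8;
}

// Returns { ip } for an acceptable entry or { error } for one to drop.
function checkEntry(entry) {
  const [addr, prefix, extra] = entry.split("/");
  const version = isIPv4(addr) ? 4 : isIPv6(addr) ? 6 : 0;
  if (!version || extra !== undefined) return { error: "not an IP or CIDR" };
  if (prefix !== undefined) {
    const [min, max] = PREFIX_BOUNDS[version];
    const len = /^\d{1,3}$/.test(prefix) ? Number(prefix) : NaN;
    if (!(len >= min && len <= max)) return { error: `prefix outside /${min}-/${max}` };
  }
  return { ip: entry.toLowerCase() };
}

// Validate, de-duplicate and size-check fetched lines before any API call.
function buildListItems(lines, existingItemCount = 0) {
  const accepted = new Map();
  const rejected = [];
  for (const entry of lines.map((l) => l.trim()).filter(Boolean)) {
    const result = checkEntry(entry);
    if (result.error) rejected.push({ entry, reason: result.error });
    else accepted.set(result.ip, result);
  }
  if (existingItemCount + accepted.size > SOFT_LIMIT)
    throw new Error(`refusing update: would exceed ${SOFT_LIMIT} list items`);
  return { accepted: [...accepted.values()], rejected };
}

// Constructed sample input (documentation ranges, not real relay data).
const sample = ["192.0.2.0/24", "192.0.2.0/24", "198.51.100.7", "2001:DB8::/32",
  "2001:db8::/96", "10.0.0.0/7", "<html>error page</html>", ""];
console.log(buildListItems(sample));
```

Logging the rejected entries on each scheduled run makes a changed or broken source feed visible before it alters what a WAF rule matches.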
This worker is scheduled to run every 14 days at midnight UTC. The cron expression used is:
0 0 */14 * *
This means the worker will trigger at midnight UTC every 14th day starting from the 1st day of the month.
For more information on how Cloudflare Workers' cron triggers work, see the Cloudflare Workers Cron Trigger documentation.
The Worker requires an API token with the following permission:
Account Filter Lists Edit
For more information on managing API Tokens in Cloudflare, refer to the Cloudflare API Tokens documentation. Review the API documentation.
- Clone the repository:
  git clone https://github.com/DavidJKTofan/icloud-private-relay-ip-list-manager.git
  cd icloud-private-relay-ip-list-manager
- Install dependencies:
  npm install
- Configure environment variables, preferably using Wrangler Secrets:
  ACCOUNT_ID: Your Cloudflare account ID.
  API_TOKEN: The API token with appropriate permissions.
  LIST_NAME: The name of the Cloudflare IP list.
  IPV4_LIST_SOURCE_URL: The URL from which to fetch the IPv4s.
  IPV6_LIST_SOURCE_URL: The URL from which to fetch the IPv6s.
  For security purposes, it's best to store sensitive variables (such as your API token) using Wrangler Secrets.
  Note that you have a soft-limit of 10,000 list items across all custom lists in your account.
- Deploy the Worker:
  wrangler publish
To test the cron trigger locally:
- Run the worker in development mode:
  npx wrangler dev --test-scheduled
- Trigger the scheduled task manually by running:
  curl "http://localhost:8787/__scheduled?cron=0+0+*/14+*+*"
This repository is designed to help Cloudflare customers easily create their own "Managed" IP List, enabling them to take control over how they handle iCloud Private Relay requests/users on their websites proxied through Cloudflare.
The project is intended for educational purposes only and is not endorsed or officially supported by Apple or Cloudflare.
Special thanks to hroost for providing the IP ranges in a convenient format. The data is sourced from the original Apple IP feed.