I think if you're using Cloudflare for (D)DoS protection, handling anything non-Cloudflare in your web application will still enable an adversary to DoS your application by talking to it directly. Rejecting IP (or DNS) packets should be done at the lowest level possible, that is, preferrably upstream or in the kernel or in your web server. Not in the application.

The easiest way within the application is to check for specific headers that Cloudflare will set and other accesses will not set. Maybe you can also look at the Host: header - this should show http://www.quillmeantten.com and not a raw IP. Both of these checks are easily circumvented by configuring your browser/ access tool to send the headers.

You could add a special secret header or cookie to Cloudflare maybe and check for the presence of that.

Personally, I would consider that a task to be performed by the webserver and not by the application though. Whitelisting Cloudflare and your local network seems a prudent approach and allows you to change hosting/network boundary providers without any change to your code should Cloudflare not meet your criteria anymore.

Update: Cloudflare publishes its outbound IP addresses, so you could even dynamically generate your HTTP server configuration or make these checks in your web application.

Thanks corion, I had a hunch that this would be the right way but wanted to confirm it!

I set up a web server using catalyst and put it behind cloudflare fore security reasons, is there any way in catalyst to prevent a direct access using the server's ip address (thus bypassing cloudflare)?

Its a cloudflare question; answer is probably no, check with cloudflare

I think one could deny by default and whitelist cloudflare's ip ranges but I would like to know if there is a way to do it using catalyst itself? Maybe a way to formulate a controller for this case.

Yes, you can do pretty much anything you want, easiest option is is use Plack/plackup to load your catalyst app with a simple sub that checks IPs