Cloudflare firewall rule set tutorial

Cloudflare is a multinational company that provides website security, performance optimization and related services. It can mitigate most network attacks, including DDoS (Distributed Denial of Service), keep a site online over the long term and block cyber attacks, spam and the like, while also improving website performance and access speed for visitors.

Cloudflare offers users, free of charge, one of the best DDoS defense solutions available. Its network capacity is roughly equal to the combined scrubbing capacity of the other six leading DDoS mitigation providers. Most surprisingly, DDoS protection is included in every service plan, the free plan included, with no capacity limit and no setup required.

The free Cloudflare firewall allows up to 5 rules; the rule editor is simple and intuitive and gives fine-grained control over the website.

Many people use the free Cloudflare plan but never touch the features in the dashboard, especially the powerful firewall, which is a waste. Below are some common Cloudflare firewall rules.

1. Challenge requests by IP reputation

Firewall expression

(not cf.client.bot and cf.threat_score gt 2)

Action

Captcha

Explanation:

cf.threat_score (threat score) is Cloudflare's threat score for the request, from 0 to 100, where 0 means low risk. A value above 10 may indicate a spammer or bot, and a value above 40 indicates malicious actors on the Internet. A common recommendation is to challenge requests with a score above 10 and block requests with a score above 50.

cf.client.bot (known good bot) is true when the request is identified as coming from a known good bot or crawler.

2. Selective hotlink protection

Firewall expression

(not http.referer contains "williamlong.info")

Action

Block

Explanation:

The referer field (http.referer) holds the HTTP Referer request header, which contains the URL of the page that linked to the currently requested resource. The expression above exempts the specified website and blocks requests from every other site. If you use this rule, you need to disable Hotlink Protection in the Scrape Shield app.

3. Login protection

Firewall expression

(not ip.src in {202.96.134.0/24} and lower(http.request.uri.path) contains "/wp-admin")

Action

Block

Explanation: when the client IP address is not in the specified range and the requested URI path contains the admin path, access is blocked.

4. Rules based on ASN

Firewall expression

(ip.geoip.asnum in {37963 45090 55990} and not cf.client.bot)

Action

Captcha

Explanation:

ASN (ip.geoip.asnum) is the autonomous system number associated with the client IP address.

The rule above covers the IP address space of three cloud providers: Alibaba Cloud, Tencent Cloud and Huawei Cloud. As the saying goes, people in the same trade know each other's tricks: a visitor using Alibaba Cloud, Tencent Cloud or Huawei Cloud to fetch your website usually has no good intentions, and in general this is malicious scraping, malicious crawling, CC attacks, DDoS attacks and so on. Filtering by ASN covers millions of IP addresses with a single rule, which is very efficient.

Note also that firewall rules are executed in the order of the sequence number shown on the right; dragging a rule by its sequence number changes the execution order.

The Challenge Solve Rate (CSR) lets you judge how well each firewall rule is working. It is the percentage of issued challenges that were solved: CSR = challenges solved / challenges issued, and the lower the value, the better. Hovering the mouse over the CSR shows the number of Captcha challenges issued and solved.

A low CSR means the rule rarely sends Captcha challenges to real humans, which is the goal of the firewall rules; adjust the rules continually to bring the CSR down. When the CSR is 0%, none of the challenged requests were solved, and you can consider changing the rule's action to Block.
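To make the rule semantics above concrete, here is an added example written for this page (it is not Cloudflare's rule engine and not code from the original post). It models the four rules as Python predicates over a request record whose fields mirror the Cloudflare expression fields, applies them in list order with the first match deciding, and computes the CSR from issued and solved counts. All IP addresses, ASNs and requests in it are constructed sample data. It also surfaces one check worth making before enabling rule 2: a request with no Referer header (a direct visit, or a verified crawler) is blocked by that expression as written, because an empty referer does not contain the site name.

```python
"""Model of an ordered Cloudflare firewall rule list (added example, not Cloudflare code)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Request:
    """Fields mirror the Cloudflare expression fields used by the tutorial's rules."""
    ip: str                    # ip.src
    path: str                  # http.request.uri.path
    referer: str = ""          # http.referer ("" when the header is absent)
    threat_score: int = 0      # cf.threat_score (0..100)
    client_bot: bool = False   # cf.client.bot (known good bot)
    asnum: int = 0             # ip.geoip.asnum


@dataclass
class Rule:
    name: str
    matches: Callable[[Request], bool]
    action: str  # "captcha" or "block"


def in_cidrs(ip: str, cidrs: List[str]) -> bool:
    """ip.src in {...}: membership test against a set of CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


# The four rules from the tutorial, in the order they appear on the page.
RULES: List[Rule] = [
    # (not cf.client.bot and cf.threat_score gt 2)
    Rule("1 ip reputation", lambda r: not r.client_bot and r.threat_score > 2, "captcha"),
    # (not http.referer contains "williamlong.info")
    Rule("2 hotlink", lambda r: "williamlong.info" not in r.referer, "block"),
    # (not ip.src in {202.96.134.0/24} and lower(http.request.uri.path) contains "/wp-admin")
    Rule("3 login protection",
         lambda r: not in_cidrs(r.ip, ["202.96.134.0/24"]) and "/wp-admin" in r.path.lower(),
         "block"),
    # (ip.geoip.asnum in {37963 45090 55990} and not cf.client.bot)
    Rule("4 asn", lambda r: r.asnum in {37963, 45090, 55990} and not r.client_bot, "captcha"),
]


def evaluate(req: Request, rules: List[Rule] = RULES) -> Tuple[Optional[str], str]:
    """Return (rule name, action) of the first matching rule, or (None, "allow") if none match."""
    for rule in rules:
        if rule.matches(req):
            return rule.name, rule.action
    return None, "allow"


def challenge_solve_rate(issued: int, solved: int) -> float:
    """CSR as a percentage: solved challenges / issued challenges. Lower is better."""
    if issued == 0:
        return 0.0
    return 100.0 * solved / issued


# Constructed sample requests (not real traffic).
SITE = "https://www.williamlong.info/archives/1.html"
SAMPLES = {
    # A human typing the URL directly sends no Referer, so rule 2 as written blocks them.
    "direct_visit": Request(ip="1.2.3.4", path="/", referer=""),
    # A verified crawler also sends no Referer; rule 1 skips it but rule 2 still blocks it.
    "good_bot": Request(ip="1.2.3.5", path="/", referer="", threat_score=50, client_bot=True),
    "internal_link": Request(ip="1.2.3.4", path="/archives/2.html", referer=SITE),
    # Admin login from inside the allowed range passes rule 3.
    "admin_from_office": Request(ip="202.96.134.7", path="/wp-admin/", referer=SITE),
    # Same path from another IP; lower() makes the match case-insensitive.
    "admin_from_elsewhere": Request(ip="8.8.8.8", path="/WP-Admin/post.php", referer=SITE),
    # Scraper on a listed cloud ASN with a low threat score reaches rule 4.
    "cloud_scraper": Request(ip="47.0.0.1", path="/archives/2.html", referer=SITE,
                             threat_score=1, asnum=37963),
    # High threat score AND listed ASN: rule order decides which rule gets the credit.
    "bad_cloud": Request(ip="47.0.0.2", path="/archives/2.html", referer=SITE,
                         threat_score=30, asnum=37963),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:22s} -> {evaluate(req)}")
    print("reversed order, bad_cloud ->", evaluate(SAMPLES["bad_cloud"], RULES[::-1]))
    print("CSR for 200 issued / 4 solved:", challenge_solve_rate(200, 4), "%")
```

Running the script prints the decision for each sample. The `bad_cloud` request shows why ordering matters for the per-rule CSR display: in the page's order it is credited to rule 1, and with the list reversed it is credited to rule 4, even though the action is Captcha either way.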

That covers the common Cloudflare firewall use cases. For more detailed technical documentation, see Cloudflare's official documentation (English).
