As mentioned in that earlier article, the 坏男孩博客 (Bad Boy blog) has been using Cloudflare for both SSL and firewall services. There is not much to say about SSL, so today I will briefly explain how I write firewall rules in Cloudflare.
"Firewall" here means the firewall rules feature. Let's first look at the effect.

As shown in the figure, on February 13 alone the firewall blocked over a hundred million malicious requests for us. The free plan includes a quota of 5 rules, which I think is enough for ordinary users; if your site structure is very complex, please upgrade your plan to get a larger rule quota.
The official documentation is at https://developers.cloudflare.com/firewall/cf-firewall-rules/ ; please read it before reading this post. Once you have read it, you will find that blocking malicious requests is actually quite simple (it does require some understanding of HTTP requests). If you cannot follow it, that is fine too: this post gives a rough explanation of the commonly used fields. The firewall supports more fields than a typical programming language offers, covering both the application layer and the network layer.
Take this full URL as an example:

https://www.baidu.com/s?ie=utf-8&wd=%E5%9D%8F%E7%94%B7%E5%AD%A9

Stripping the scheme and hostname leaves the URI `/s?ie=utf-8&wd=%E5%9D%8F%E7%94%B7%E5%AD%A9`. Its path is `/s`, and its query string is `ie=utf-8&wd=%E5%9D%8F%E7%94%B7%E5%AD%A9`. Cloudflare exposes these four pieces as separate fields (the full URI, the URI, the path and the query string), so a rule can match on whichever part carries the signal you care about.
For the expression syntax see https://developers.cloudflare.com/firewall/cf-firewall-rules/fields-and-expressions/ ; it is essentially the same as ordinary programming-language syntax.
| Action | Description | My note |
|---|---|---|
| Bypass | Allows user to dynamically disable Cloudflare security features for a request. Available to all plans. Matching requests are exempt from evaluation by a user-defined list containing one or more of the following Cloudflare Firewall products/features: User-agent Blocking, Browser Integrity Check, Hotlinking Protection, Security Level (IP Reputation), Rate Limiting, Zone Lockdown (PRO, BIZ, ENT), WAF Managed Rules (PRO, BIZ, ENT). Requests which match the Bypass action are still subject to evaluation (and thus a challenge or block) within Firewall Rules, based on the order of execution. To stop a bypassed request from further evaluation within Firewall Rules, you must create a new rule using the same expression and the Allow action immediately below the Bypass rule. | Exempt the request from a particular feature |
| Allow | Matching requests are exempt from challenge and block actions triggered by other Firewall Rules content. The scope of the Allow action is limited to Firewall Rules; matching requests are not exempt from action by other Cloudflare Firewall products, such as IP Access Rules, WAF, etc. Matched requests will be mitigated if they are part of a DDoS attack. | Allow the request |
| Challenge (Captcha) | Useful for ensuring that the visitor accessing the site is human, not automated. The client that made the request must pass a Captcha Challenge. If successful, Cloudflare accepts the matched request; otherwise, it is blocked. | Visitor must solve a CAPTCHA |
| JS Challenge | Useful for ensuring that bots and spam cannot access the requested resource; browsers, however, are free to satisfy the challenge automatically. The client that made the request must pass a Cloudflare Javascript Challenge before proceeding. If successful, Cloudflare accepts the matched request; otherwise, it is blocked. | The "5-second shield" |
| Block | Matching requests are denied access to the site. | Block access outright |
The full list is at <https://developers.cloudflare.com/firewall/cf-firewall-rules/actions/>.
Below is how I wrote mine. Since the blog is purely static, I am not worried about the server being compromised, so most of my rules are aimed at blocking malicious (non-real) users.

Rule 1, action: Block. Matches user agents of common scripting tools and HTTP libraries, plus any user agent with no "/" in it (real browsers always include one, e.g. `Mozilla/5.0`):

```
(http.user_agent contains "curl") or (http.user_agent contains "requests") or (http.user_agent contains "python") or (http.user_agent contains "php") or (http.user_agent contains "java") or (http.user_agent contains "urllib") or (http.user_agent contains "Java") or (http.user_agent contains "Ruby") or (http.user_agent contains "Go-http-client") or (not http.user_agent contains "/")
```

Rule 2, action: Challenge (Captcha). (My blog does not need to receive query parameters, nor any request type other than GET. If your site is not purely static, add a whitelist!!!)

```
(http.request.full_uri contains "?") or (http.request.method ne "GET") or (cf.threat_score gt 10)
```

Rule 3, action: Allow. Lets verified bots (search-engine crawlers and the like) through:

```
(cf.client.bot)
```
Overall, writing rules requires some understanding of HTTP requests and of your own site's structure; only then can you pin down the characteristics of malicious requests. I hope this post helps you understand how to write your own rules. If you really cannot be bothered, you can also buy me a bubble tea and have me write them for you; contact