
Preface

As the best-known and most generous free CDN provider in the world, Cloudflare is used by plenty of beginner site owners and people on a tight budget (like me). Friends in mainland China like to call the free CDN a "website decelerator", but I don't think it is really that slow: below is a test of my homepage at 8 pm, and it basically loads within two seconds (the server is in Texas, USA).

[Figure: homepage speed test on ITDOG at 8 pm, with the site behind Cloudflare]

Even if Cloudflare sometimes slows a site down, it puts a security shield in front of it that absorbs outrageous DDoS attacks and malicious bots, so it is still well worth it. This post shares my Cloudflare WAF and other security settings for fellow personal-site owners to use as a reference; corrections and suggestions are welcome.

Rule 1: allow known bots and User-Agents

Expression:

(cf.client.bot) or (http.user_agent contains "SafariViewService") or (http.user_agent contains "WeChatShareExtensionNew")

Action: Skip

Placement: first

Two caveats. When you pick Skip, Cloudflare asks which products to skip; choosing only "All remaining custom rules" keeps managed rules and rate limiting active for these clients, whereas skipping everything turns the rule into a full allow-list. And the two User-Agent clauses, which let the iOS SafariViewService in-app browser and the WeChat share extension through without a challenge, are matched on a plain substring, so any client that puts "SafariViewService" in its User-Agent skips every later rule too. cf.client.bot is different: it only matches bots Cloudflare has verified by IP and reverse DNS, and cannot be spoofed with a header.

Rule 2: fixed Captcha challenge

Expression:

(ip.geoip.country in {"RU" "T1"}) or (cf.threat_score ge 5 and not cf.client.bot) or (not http.request.version in {"HTTP/1.1" "HTTP/2" "HTTP/3" "SPDY/3.1"}) or (http.user_agent eq "") or (http.user_agent contains "fuck") or (http.user_agent contains "lient" and http.user_agent contains "ttp") or (http.user_agent contains "java") or (http.user_agent contains "Joomla") or (http.user_agent contains "libweb") or (http.user_agent contains "libwww") or (http.user_agent contains "PHPCrawl") or (http.user_agent contains "PyCurl") or (http.user_agent contains "python") or (http.user_agent contains "wrk") or (http.user_agent contains "hey") or (http.user_agent contains "Acunetix") or (http.user_agent contains "apache") or (http.user_agent contains "BackDoorBot") or (http.user_agent contains "cobion") or (http.user_agent contains "masscan") or (http.user_agent contains "FHscan") or (http.user_agent contains "scanbot") or (http.user_agent contains "Gscan") or (http.user_agent contains "Researchscan") or (http.user_agent contains "WPScan") or (http.user_agent contains "ScanAlert") or (http.user_agent contains "Wprecon") or (http.user_agent contains "virusdie") or (http.user_agent contains "VoidEYE") or (http.user_agent contains "WebShag") or (http.user_agent contains "Zeus") or (http.user_agent contains "zgrab") or (http.user_agent contains "zmap") or (http.user_agent contains "nmap") or (http.user_agent contains "fimap") or (http.user_agent contains "ZmEu") or (http.user_agent contains "ZumBot") or (http.user_agent contains "Zyborg") or (http.user_agent contains "attachment") or (http.user_agent eq "undefined")

Action: Interactive Challenge

Placement: last

A few notes on this expression. T1 is Cloudflare's pseudo country code for Tor exit nodes, so the first clause challenges all traffic from Russia and Tor. cf.threat_score is Cloudflare's IP reputation score (0 to 100, higher is worse); 5 is a low bar that will catch some shared and mobile IPs, which is why the action is a challenge rather than a block. The version clause must list HTTP/1.1, not HTTP/1.2, which does not exist: the values Cloudflare can report are HTTP/1.0, HTTP/1.1, HTTP/2, HTTP/3 and SPDY/3.1, and if HTTP/1.1 is missing from the set every HTTP/1.1 client (curl, feed readers, uptime monitors) gets challenged along with HTTP/1.0. Finally, contains is case-sensitive, so "python" catches python-requests but not Python-urllib; write the clause as lower(http.user_agent) contains "python" if you want it case-insensitive.

Other settings for WordPress

Challenge on search, admin login and comment posting

Add a rule under Rules > Configuration Rules.

Expression:

(http.request.uri contains "/?s=") or (http.request.uri.path contains "wp-login.php") or (http.request.uri.path contains "wp-comments-post.php")

Browser Integrity Check: on

Security Level: I'm Under Attack

Placement: first

This raises the bar only on the three endpoints that get hammered on a WordPress site (the search query, wp-login.php and wp-comments-post.php) while leaving the rest of the site at the zone's normal security level. xmlrpc.php, another common brute-force target, can be added to the same expression if you don't use it.

Don't cache the admin area and search pages

Add a rule under Rules > Cache Rules.

When incoming requests match: Custom filter expression

Expression:
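As an added check for both Rule 2 and the Under Attack rule on wp-login.php (an example harness written for this post, not a Cloudflare tool), the script below sends a handful of requests that exercise individual clauses and reports which ones the edge challenged. It needs only curl; the site URL is an assumption you pass on the command line, and the expected verdicts assume you run it from an IP that is not in Russia or Tor and has a low threat score. Cloudflare marks every challenge response, whatever the challenge type, with HTTP 403 plus a cf-mitigated: challenge header, which is what the classifier keys on.

```shell
#!/bin/sh
# Probe a Cloudflare-fronted site to confirm the custom WAF rule and the
# wp-login configuration rule behave as intended. Example harness written for
# this article, not a Cloudflare tool. The base URL is an assumption passed on
# the command line; only curl is required.

# Classify one edge response from its status code ($1) and the value of the
# cf-mitigated header ($2, empty when absent). Cloudflare answers a challenged
# request with HTTP 403 plus "cf-mitigated: challenge"; a 403 without that
# header is an outright block; anything else was forwarded to the origin.
classify_response() {
  if [ "$2" = "challenge" ]; then
    echo challenged
  elif [ "$1" = "403" ]; then
    echo blocked
  else
    echo passed
  fi
}

# Send one request and print "<label> <status> HTTP/<version> <verdict>".
# $1 = label, $2 = URL; remaining arguments are passed straight to curl.
probe() {
  label="$1"; url="$2"; shift 2
  hdrs=$(mktemp)
  out=$(curl -s -o /dev/null -D "$hdrs" -w '%{http_code} %{http_version}' "$@" "$url")
  code=${out%% *}; version=${out#* }
  mitigated=$(sed -n 's/^[Cc][Ff]-[Mm]itigated:[[:space:]]*//p' "$hdrs" | tr -d '\r')
  rm -f "$hdrs"
  printf '%-16s %s HTTP/%s %s\n' "$label" "$code" "$version" \
    "$(classify_response "$code" "$mitigated")"
}

main() {
  base="${1%/}"
  [ -n "$base" ] || { echo "usage: $0 https://your-domain.example" >&2; return 0; }
  ua='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0'
  # A browser UA over HTTP/2 matches neither rule: expect "passed".
  probe browser "$base/" -A "$ua"
  # The "python" clause: expect "challenged".
  probe python "$base/" -A 'python-requests/2.32.0'
  # "contains" is case-sensitive, so a capitalised UA slips past: expect "passed".
  probe Python-urllib "$base/" -A 'Python-urllib/3.12'
  # Empty User-Agent (curl drops the header entirely): expect "challenged".
  probe no-ua "$base/" -A ''
  # HTTP/1.0 is outside the allowed version set: expect "challenged".
  probe http1.0 "$base/" -0 -A "$ua"
  # HTTP/1.1 is allowed by the version clause: expect "passed".
  probe http1.1 "$base/" --http1.1 -A "$ua"
  # Configuration rule: Under Attack mode on the login page challenges even a
  # browser UA: expect "challenged".
  probe wp-login "$base/wp-login.php" -A "$ua"
}

main "$@"
```

Run it as sh probe-waf.sh https://your-domain.example. The Python-urllib line is the one to watch: it passes because the rule's substring match is case-sensitive, and the fix is to wrap the field as lower(http.user_agent) in the User-Agent clauses.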

(http.host eq "your-domain.example" and not starts_with(http.request.uri.path, "/wp-admin") and not starts_with(http.request.uri.path, "/wp-login") and not starts_with(http.request.uri.path, "/wp-json/") and not starts_with(http.request.uri.path, "/wc-api/") and not starts_with(http.request.uri.path, "/edd-api/") and not starts_with(http.request.uri.path, "/mepr/") and not http.request.uri.path contains "/register/" and not http.request.uri.path contains "/dashboard/" and not http.request.uri.path contains "/members-area/" and not http.request.uri.path contains "/wishlist-member/" and not http.request.uri.path contains "phs_downloads-mbr" and not http.request.uri.path contains "/checkout/" and not http.request.uri.path contains ".xsl" and not http.request.uri.path contains ".xml" and not http.request.uri.path contains ".php" and not starts_with(http.request.uri.query, "s=") and not starts_with(http.request.uri.query, "p=") and not http.request.uri.query contains "nocache" and not http.request.uri.query contains "nowprocket" and not http.cookie contains "wordpress_logged_in_" and not http.cookie contains "comment_" and not http.cookie contains "woocommerce_" and not http.cookie contains "wordpressuser_" and not http.cookie contains "wordpresspass_" and not http.cookie contains "wordpress_sec_" and not http.cookie contains "yith_wcwl_products" and not http.cookie contains "edd_items_in_cart" and not http.cookie contains "it_exchange_session_" and not http.cookie contains "comment_author" and not http.cookie contains "dshack_level" and not http.cookie contains "auth_" and not http.cookie contains "noaffiliate_" and not http.cookie contains "mp_session" and not http.cookie contains "xf_" and not http.cookie contains "mp_globalcart_" and not http.cookie contains "wp-resetpass-" and not http.cookie contains "upsell_customer" and not http.cookie contains "wlmapi" and not http.cookie contains "wishlist_reg")

Cache eligibility: Eligible for cache

Edge TTL: Ignore cache-control header and use this TTL: 1 day

Browser TTL: Override origin and use this TTL: 4 hours

Placement: first

Replace "your-domain.example" with your own host. The expression is written as a positive match: everything on the host is cached except the admin, login, REST and commerce paths, search and preview queries, and any request carrying a WordPress session or comment cookie. The cookie clauses are the security-relevant part: without them, a page rendered for a logged-in administrator (admin bar, nonces, private drafts) would be stored at the edge for a day and served to every anonymous visitor. Because the edge TTL overrides the origin's Cache-Control, remember to purge the cache after publishing or editing a post, by hand or with a plugin that purges on save.
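To confirm the cache rule does what the expression says, the following script (an added example for this post, not part of any plugin) fetches a few URLs and reads the cf-cache-status header Cloudflare attaches to every response. The base URL is an assumption passed on the command line, and the wordpress_logged_in_example cookie is a constructed stand-in for a real session cookie; the rule only looks at the name prefix, so any value works.

```shell
#!/bin/sh
# Check that the cache rule caches public pages but never admin, search or
# logged-in responses. Example harness written for this article; the base URL
# is an assumption supplied on the command line and the cookie is constructed.

# Map a cf-cache-status value to a verdict. HIT/MISS/EXPIRED/REVALIDATED/
# UPDATING/STALE all mean the response was cache-eligible; DYNAMIC means no
# rule made it eligible; BYPASS means a rule or cookie told the edge not to.
cache_verdict() {
  case "$1" in
    HIT|MISS|EXPIRED|REVALIDATED|UPDATING|STALE) echo cacheable ;;
    DYNAMIC|BYPASS) echo not-cached ;;
    *) echo unknown ;;
  esac
}

# Fetch a URL and print "<label> <http-status> <cf-cache-status> <verdict>".
# $1 = label, $2 = URL; remaining arguments go to curl (e.g. a Cookie header).
probe() {
  label="$1"; url="$2"; shift 2
  hdrs=$(mktemp)
  code=$(curl -s -o /dev/null -D "$hdrs" -w '%{http_code}' "$@" "$url")
  cstatus=$(sed -n 's/^[Cc][Ff]-[Cc]ache-[Ss]tatus:[[:space:]]*//p' "$hdrs" | tr -d '\r')
  rm -f "$hdrs"
  printf '%-16s %s %-11s %s\n' "$label" "$code" "${cstatus:--}" "$(cache_verdict "$cstatus")"
}

main() {
  base="${1%/}"
  [ -n "$base" ] || { echo "usage: $0 https://your-domain.example" >&2; return 0; }
  # Public HTML: the first fetch may be MISS, the second should be HIT.
  probe home-1 "$base/"
  probe home-2 "$base/"
  # The same page with a WordPress login cookie must not come from (or go into)
  # the shared cache: expect DYNAMIC or BYPASS.
  probe home-logged-in "$base/" -H 'Cookie: wordpress_logged_in_example=1'
  # Login, admin and search are excluded by path or query: expect DYNAMIC/BYPASS.
  probe wp-login "$base/wp-login.php"
  probe wp-admin "$base/wp-admin/"
  probe search "$base/?s=test"
  # The REST API is excluded too, so the block editor and plugins see live data.
  probe rest-api "$base/wp-json/"
}

main "$@"
```

If home-2 stays MISS or DYNAMIC, the request is matching one of the exclusions (a stray cookie is the usual cause); if home-logged-in comes back HIT, the cookie clauses are not in effect and logged-in HTML is being shared.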

Summary

Sources of these ideas:
[Tuning WordPress] How to avoid caching the admin bar behind Cloudflare – Wordpress – 公牛擠奶 (rapbull.net)
The Cloudflare rule settings section of the WordPress plugin Super Page Cache for Cloudflare – 技术宅银魂 – 科技改变生活 – 万事屋 (rei3.com)
How to protect your WordPress site with Cloudflare firewall rules (websiterating.com)

This post is only a starting point; you can adapt it to other platforms. I haven't dug very deeply into Cloudflare's features myself, so any suggestions are welcome in the comments.

Feel free to have a look at the other content on my homepage.

Last modified: 2025-01-26
