Preface
As the best-known and most generous free CDN provider around, Cloudflare is used by plenty of beginners and people on a budget (myself included). Friends in China like to call free CDN services "website decelerators", but I do not find it that slow: when I tested the home page at 8 pm (the server is in Texas), it generally loaded within two seconds.

Even though Cloudflare can sometimes slow a site down, it puts a security shield in front of it that mitigates outrageous DDoS attacks and malicious bots, so it is still well worth using. This post shares my Cloudflare WAF rules and other security settings as a reference for anyone who also runs a personal site; corrections and improvements are welcome.
Rule 1: allow known bots and user agents
Expression:
(cf.client.bot) or (http.user_agent contains "SafariViewService") or (http.user_agent contains "WeChatShareExtensionNew")
Action: Skip
Placement: First
Rule 2: always challenge suspicious clients with a CAPTCHA
Expression:
(ip.geoip.country in {"RU" "T1"}) or (cf.threat_score ge 5 and not cf.client.bot) or (not http.request.version in {"HTTP/1.1" "HTTP/2" "HTTP/3" "SPDY/3.1"}) or (http.user_agent eq "") or (http.user_agent contains "fuck") or (http.user_agent contains "lient" and http.user_agent contains "ttp") or (http.user_agent contains "java") or (http.user_agent contains "Joomla") or (http.user_agent contains "libweb") or (http.user_agent contains "libwww") or (http.user_agent contains "PHPCrawl") or (http.user_agent contains "PyCurl") or (http.user_agent contains "python") or (http.user_agent contains "wrk") or (http.user_agent contains "hey") or (http.user_agent contains "Acunetix") or (http.user_agent contains "apache") or (http.user_agent contains "BackDoorBot") or (http.user_agent contains "cobion") or (http.user_agent contains "masscan") or (http.user_agent contains "FHscan") or (http.user_agent contains "scanbot") or (http.user_agent contains "Gscan") or (http.user_agent contains "Researchscan") or (http.user_agent contains "WPScan") or (http.user_agent contains "ScanAlert") or (http.user_agent contains "Wprecon") or (http.user_agent contains "virusdie") or (http.user_agent contains "VoidEYE") or (http.user_agent contains "WebShag") or (http.user_agent contains "Zeus") or (http.user_agent contains "zgrab") or (http.user_agent contains "zmap") or (http.user_agent contains "nmap") or (http.user_agent contains "fimap") or (http.user_agent contains "ZmEu") or (http.user_agent contains "ZumBot") or (http.user_agent contains "Zyborg") or (http.user_agent contains "attachment") or (http.user_agent eq "undefined")
Action: Interactive Challenge
Placement: Last
Two caveats before copying this rule. The expression as originally published listed "HTTP/1.2" among the allowed protocol versions; Cloudflare never reports such a version, so the rule challenged every HTTP/1.1 client. The set above has been corrected to HTTP/1.1, HTTP/2, HTTP/3 and SPDY/3.1. Also, "contains" in Cloudflare expressions is case-sensitive: "python" does not match a user agent of "Python-urllib". To match regardless of case, compare lower(http.user_agent) against lowercase literals (for example lower(http.user_agent) contains "wpscan"). Very short fragments such as "hey" or "wrk" will match any user agent that happens to contain them, so watch the Security Events log after enabling the rule and trim the list if it produces false positives.
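The two rules are evaluated in the order they are placed, and the dashboard offers no way to dry-run an expression against a specific request before saving it. The script below is an added example written for this post (it is neither Cloudflare's code nor the author's): a small evaluator for the subset of the rules language that rules 1 and 2 use, with a handful of constructed requests run through both rules in order. It uses rule 1 verbatim and a shortened copy of rule 2 with "HTTP/1.1" in place of "HTTP/1.2"; the field names are Cloudflare's, while the sample user agents, the request dicts and the action labels ("skip", "interactive_challenge", "allow" for no match) are assumptions made for the test. It does not model lower() or the rest of the language.

```python
"""Offline evaluator for the part of Cloudflare's rules language that rules 1 and 2 use
(and / or / not, parentheses, eq / ne / ge / contains / in, bare boolean fields). Added
example for this post, not Cloudflare's engine; every request dict below is constructed."""
import re
_TOKEN = re.compile(r'\s*(?:"([^"]*)"|(\d+)|([A-Za-z_][\w.]*)|(\{[^}]*\})|([(),]))')

def tokenize(src):                         # (kind, value): str, num, id, set or sym
    pos, out, src = 0, [], src.strip()
    while pos < len(src):
        m = _TOKEN.match(src, pos)
        if not m:
            raise SyntaxError(f"bad token near {src[pos:pos + 20]!r}")
        pos, (s, n, ident, st, sym) = m.end(), m.groups()
        out.append(("str", s) if s is not None else ("num", int(n)) if n else ("id", ident)
                   if ident else ("set", re.findall(r'"([^"]*)"', st)) if st else ("sym", sym))
    return out

def _take(toks, kinds, val=None):
    k, v = toks.pop(0) if toks else (None, None)
    if k not in kinds or val not in (None, v):
        raise SyntaxError(f"expected {kinds} {val or ''}, got {(k, v)!r}")
    return v

def _unary(toks):
    if toks and toks[0] == ("id", "not"):
        toks.pop(0)
        return ("not", _unary(toks))
    if toks and toks[0] == ("sym", "("):
        toks.pop(0)
        node = _expr(toks)
        _take(toks, ("sym",), ")")
        return node
    field = _take(toks, ("id",))
    if toks and toks[0][0] == "id" and toks[0][1] in ("eq", "ne", "ge", "contains", "in"):
        op = toks.pop(0)[1]
        return (op, field, _take(toks, ("str", "num", "set")))
    return ("bool", field)                          # bare boolean such as cf.client.bot

def _expr(toks, level=0):                           # precedence: or < and < not / comparison
    if level == 2:
        return _unary(toks)
    node = _expr(toks, level + 1)
    word = ("or", "and")[level]
    while toks and toks[0] == ("id", word):
        toks.pop(0)
        node = (word, node, _expr(toks, level + 1))
    return node

def _eval(node, req):
    op, *args = node
    if op == "not":
        return not _eval(args[0], req)
    if op in ("or", "and"):
        left = _eval(args[0], req)
        return (left or _eval(args[1], req)) if op == "or" else (left and _eval(args[1], req))
    val = req.get(args[0], 0 if op == "ge" else "")   # unset fields read as empty
    if op == "bool":
        return bool(val)
    if op == "contains":                               # case-sensitive, exactly as on Cloudflare
        return args[1] in val
    if op == "ge":
        return val >= args[1]
    return val in args[1] if op == "in" else val == args[1] if op == "eq" else val != args[1]

def matches(expression, req):
    toks = tokenize(expression)
    node = _expr(toks)
    if toks:
        raise SyntaxError(f"unexpected {toks[0]!r}")
    return _eval(node, req)

def first_action(rules, req):
    """Rules run in order and the first match decides: Skip first, challenge last."""
    return next((act for expr, act in rules if matches(expr, req)), "allow")

# Rule 1 as written above; rule 2 shortened, with "HTTP/1.2" corrected to "HTTP/1.1"
# (paste the full expression from the post in its place to test the real one).
ALLOW_BOTS = ('(cf.client.bot) or (http.user_agent contains "SafariViewService")'
              ' or (http.user_agent contains "WeChatShareExtensionNew")')
CHALLENGE = ('(ip.geoip.country in {"RU" "T1"}) or (cf.threat_score ge 5 and not cf.client.bot)'
             ' or (not http.request.version in {"HTTP/1.1" "HTTP/2" "HTTP/3" "SPDY/3.1"})'
             ' or (http.user_agent eq "") or (http.user_agent contains "python")'
             ' or (http.user_agent contains "lient" and http.user_agent contains "ttp")'
             ' or (http.user_agent contains "masscan") or (http.user_agent eq "undefined")')
RULES = [(ALLOW_BOTS, "skip"), (CHALLENGE, "interactive_challenge")]

def decide_samples(rules=RULES):
    base = {"http.request.version": "HTTP/2", "ip.geoip.country": "US", "cf.threat_score": 0,
            "cf.client.bot": False, "http.user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"}
    samples = {                                     # constructed requests, not real traffic
        "googlebot": {**base, "cf.client.bot": True, "cf.threat_score": 10},
        "firefox_http11": {**base, "http.request.version": "HTTP/1.1"},
        "requests": {**base, "http.user_agent": "python-requests/2.31.0"},
        "urllib": {**base, "http.user_agent": "Python-urllib/3.11"},   # capital P evades "python"
        "httpclient": {**base, "http.user_agent": "Apache-HttpClient/4.5.13 (Java/11.0.2)"},
        "empty_ua": {**base, "http.user_agent": ""},
    }
    return {name: first_action(rules, req) for name, req in samples.items()}
```

Running decide_samples() shows the verified bot skipped by rule 1 even with a threat score of 10, the HTTP/1.1 browser allowed once the version set is corrected, the empty user agent and Apache-HttpClient (caught by the "lient" plus "ttp" pair) challenged, and "Python-urllib" slipping past the case-sensitive "python" check, which is the case that lower() fixes.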
Other settings for WordPress
Challenge searches, the login page and comment submission
Add a rule under Rules > Configuration Rules.
Expression:
(http.request.uri contains "/?s=") or (http.request.uri.path contains "wp-login.php") or (http.request.uri.path contains "wp-comments-post.php")
Browser Integrity Check: On
Security Level: I'm Under Attack
Placement: First
Under Attack mode shows Cloudflare's interstitial JavaScript challenge page on these paths rather than a CAPTCHA, which is enough to stop login brute-force and comment-spam scripts that do not execute JavaScript. Note that the search condition checks http.request.uri (path plus query string) while the other two check http.request.uri.path.
Do not cache the admin area and search pages
Add a rule under Rules > Cache Rules.
If incoming requests match: Custom filter expression
Expression:
(http.host eq "your domain here" and not starts_with(http.request.uri.path, "/wp-admin") and not starts_with(http.request.uri.path, "/wp-login") and not starts_with(http.request.uri.path, "/wp-json/") and not starts_with(http.request.uri.path, "/wc-api/") and not starts_with(http.request.uri.path, "/edd-api/") and not starts_with(http.request.uri.path, "/mepr/") and not http.request.uri.path contains "/register/" and not http.request.uri.path contains "/dashboard/" and not http.request.uri.path contains "/members-area/" and not http.request.uri.path contains "/wishlist-member/" and not http.request.uri.path contains "phs_downloads-mbr" and not http.request.uri.path contains "/checkout/" and not http.request.uri.path contains ".xsl" and not http.request.uri.path contains ".xml" and not http.request.uri.path contains ".php" and not starts_with(http.request.uri.query, "s=") and not starts_with(http.request.uri.query, "p=") and not http.request.uri.query contains "nocache" and not http.request.uri.query contains "nowprocket" and not http.cookie contains "wordpress_logged_in_" and not http.cookie contains "comment_" and not http.cookie contains "woocommerce_" and not http.cookie contains "wordpressuser_" and not http.cookie contains "wordpresspass_" and not http.cookie contains "wordpress_sec_" and not http.cookie contains "yith_wcwl_products" and not http.cookie contains "edd_items_in_cart" and not http.cookie contains "it_exchange_session_" and not http.cookie contains "comment_author" and not http.cookie contains "dshack_level" and not http.cookie contains "auth_" and not http.cookie contains "noaffiliate_" and not http.cookie contains "mp_session" and not http.cookie contains "xf_" and not http.cookie contains "mp_globalcart_" and not http.cookie contains "wp-resetpass-" and not http.cookie contains "upsell_customer" and not http.cookie contains "wlmapi" and not http.cookie contains "wishlist_reg")
The original expression had http.cookie ne "comment_", which compares the whole Cookie header against that exact string and therefore never excludes anything; it is written above as not http.cookie contains "comment_" to match the neighbouring cookie conditions.
Cache eligibility: Eligible for cache
Edge TTL: Ignore cache-control header and use this TTL: 1 day
Browser TTL: Override origin and use this TTL: 4 hours
Placement: First
Because the edge TTL ignores the origin's cache-control header, a new post or an edit can stay invisible to anonymous visitors for up to a day unless the cache is purged (for example by a WordPress plugin that purges on publish), and the four-hour browser TTL adds to that on the reader's side.
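Once the rule is saved, verify it from the outside rather than trusting the expression: Cloudflare reports its cache decision for every response in the cf-cache-status header (HIT, MISS, DYNAMIC when nothing instructed it to cache, BYPASS when the origin forbade caching, and so on). The script below is an added example for this post, not the author's: it probes a set of paths and cookies that the rule is meant to cache or to leave uncached and compares the header against that intent. HOST defaults to the placeholder example.com and the cookie values are placeholders; point it at your own zone and start it with "run" as the first argument.

```sh
#!/bin/sh
# Added example for this post, not part of the original. Verifies the Cache Rule
# above from outside by reading the cf-cache-status header Cloudflare adds to
# every response. HOST is an assumption: point it at your own zone.
HOST="${HOST:-example.com}"

# cache_status: print the cf-cache-status value (HIT, MISS, DYNAMIC, BYPASS, ...)
# from response headers read on stdin, or NONE if the header is missing.
cache_status() {
    status=$(tr -d '\r' | awk 'tolower($1) == "cf-cache-status:" { print toupper($2); exit }')
    printf '%s\n' "${status:-NONE}"
}

# classify WANT GOT: ok when the observed status satisfies the intent. A request the
# rule caches must reach HIT; one it excludes must come back DYNAMIC (no rule
# matched, HTML is not cached by default) or BYPASS (origin forbids caching).
classify() {
    case "$1:$2" in
        cached:HIT | uncached:DYNAMIC | uncached:BYPASS) echo ok ;;
        *) echo FAIL ;;
    esac
}

# probe PATH [COOKIE]: request https://$HOST$PATH twice (the first fetch may be a
# MISS that fills the cache) and print the status of the second response.
probe() {
    path=$1; cookie=${2:-}; status=NONE
    set -- "https://$HOST$path"
    if [ -n "$cookie" ]; then
        set -- -H "Cookie: $cookie" "$@"
    fi
    for attempt in 1 2; do
        status=$(curl -sS -o /dev/null -D - "$@" | cache_status)
    done
    printf '%s\n' "$status"
}

# expect WANT PATH [COOKIE]: probe, classify and print one report line.
expect() {
    got=$(probe "$2" "${3:-}")
    verdict=$(classify "$1" "$got")
    printf '%-4s %-8s %-24s %-34s %s\n' "$verdict" "$1" "$2" "${3:-(no cookie)}" "$got"
    [ "$verdict" = ok ]
}

# The matrix the rule above is supposed to produce. Cookie names are the ones the
# rule checks; their values are placeholders.
check_cache_rule() {
    fail=0
    expect cached   /                                     || fail=1
    expect uncached "/?s=test"                            || fail=1
    expect uncached "/?p=1"                               || fail=1
    expect uncached /wp-login.php                         || fail=1
    expect uncached /wp-json/wp/v2/posts                  || fail=1
    expect uncached / "wordpress_logged_in_x=placeholder" || fail=1
    expect uncached / "woocommerce_items_in_cart=1"       || fail=1
    expect uncached / "comment_author_x=placeholder"      || fail=1
    return "$fail"
}

if [ "${1:-}" = run ]; then
    check_cache_rule
fi
```

Anonymous requests to / should reach HIT on the second fetch; search, a ?p= permalink, the login page, the REST API and any request carrying a wordpress_logged_in_, WooCommerce or comment_author cookie must never show HIT. A MISS on every fetch of / means the rule is not matching at all (check the http.host literal first).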
Summary
Sources:
[Tuning WordPress] How to avoid caching the admin bar behind Cloudflare – WordPress – 公牛擠奶 (rapbull.net)
The SF rule settings section of the WordPress plugin Super Page Cache for Cloudflare – 技术宅银魂 – 科技改变生活 – 万事屋 (rei3.com)
How to protect your WordPress site with Cloudflare firewall rules (websiterating.com)
This post is only a starting point; you can adapt it to other platforms. I have not studied Cloudflare's features in depth myself, so any suggestions are welcome in the comments.
Feel free to have a look at the rest of my site.