Introduction
As the best-known and most generous free CDN provider, Cloudflare is used by many beginner site builders and people on a tight budget (like me). Although a free CDN is often called a "website decelerator" by friends in mainland China, I do not find it that slow in practice: in a homepage speed test I ran at 8 pm, the page basically opened within two seconds (the origin server is in Texas, USA).

Although Cloudflare sometimes slows a site down, it also places a security shield in front of it, mitigating outsized DDoS attacks and malicious bots, so it is still well worth using. This post shares my Cloudflare WAF and other security settings for others running personal sites to use as a reference; corrections and suggestions are welcome.
Rule 1: Allow known bots and User-Agents
Expression:
(cf.client.bot) or (http.user_agent contains "SafariViewService") or (http.user_agent contains "WeChatShareExtensionNew")
Action: Skip
Placement: First
Rule 2: Standing Captcha verification
Expression:
(ip.geoip.country in {"RU" "T1"}) or (cf.threat_score ge 5 and not cf.client.bot) or (not http.request.version in {"HTTP/1.2" "HTTP/2" "HTTP/3" "SPDY/3.1"}) or (http.user_agent eq "") or (http.user_agent contains "fuck") or (http.user_agent contains "lient" and http.user_agent contains "ttp") or (http.user_agent contains "java") or (http.user_agent contains "Joomla") or (http.user_agent contains "libweb") or (http.user_agent contains "libwww") or (http.user_agent contains "PHPCrawl") or (http.user_agent contains "PyCurl") or (http.user_agent contains "python") or (http.user_agent contains "wrk") or (http.user_agent contains "hey") or (http.user_agent contains "Acunetix") or (http.user_agent contains "apache") or (http.user_agent contains "BackDoorBot") or (http.user_agent contains "cobion") or (http.user_agent contains "masscan") or (http.user_agent contains "FHscan") or (http.user_agent contains "scanbot") or (http.user_agent contains "Gscan") or (http.user_agent contains "Researchscan") or (http.user_agent contains "WPScan") or (http.user_agent contains "ScanAlert") or (http.user_agent contains "Wprecon") or (http.user_agent contains "virusdie") or (http.user_agent contains "VoidEYE") or (http.user_agent contains "WebShag") or (http.user_agent contains "Zeus") or (http.user_agent contains "zgrab") or (http.user_agent contains "zmap") or (http.user_agent contains "nmap") or (http.user_agent contains "fimap") or (http.user_agent contains "ZmEu") or (http.user_agent contains "ZumBot") or (http.user_agent contains "Zyborg") or (http.user_agent contains "attachment") or (http.user_agent eq "undefined")
Action: Interactive Challenge
Placement: Last
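An added example, not part of the original post, that models how the two custom rules above behave when evaluated in the order the post places them (Skip first, Interactive Challenge last). The requests are constructed samples keyed by the Cloudflare field names; the matching is my approximation of Cloudflare's operators, where `contains` is case-sensitive, so a User-Agent such as "Java/11" does not match the lowercase "java" entry.

```python
# Constructed offline model of Rule 1 (skip) and Rule 2 (challenge).
# Requests are plain dicts; nothing here talks to Cloudflare.

# Representative subset of the substrings listed in Rule 2's User-Agent checks.
UA_SUBSTRINGS = ["fuck", "java", "Joomla", "libweb", "libwww", "PHPCrawl", "PyCurl",
                 "python", "wrk", "hey", "Acunetix", "apache", "masscan", "nmap",
                 "WPScan", "zgrab", "zmap", "ZmEu", "attachment"]

# Exactly the set written in Rule 2. HTTP/1.1 is absent, so plain HTTP/1.1
# clients receive a challenge; "HTTP/1.2" is not a version any client sends.
ALLOWED_VERSIONS = {"HTTP/1.2", "HTTP/2", "HTTP/3", "SPDY/3.1"}


def make_request(ua, version="HTTP/2", country="US", threat_score=0, verified_bot=False):
    """Build a constructed sample request carrying the fields the rules read."""
    return {"http.user_agent": ua, "http.request.version": version,
            "ip.geoip.country": country, "cf.threat_score": threat_score,
            "cf.client.bot": verified_bot}


def rule1_skip(req):
    """Rule 1: verified bots and two in-app browser UAs bypass later rules."""
    ua = req["http.user_agent"]
    return (req["cf.client.bot"] or "SafariViewService" in ua
            or "WeChatShareExtensionNew" in ua)


def rule2_challenge(req):
    """Rule 2: geo, threat score, HTTP version and User-Agent heuristics."""
    ua = req["http.user_agent"]
    return (req["ip.geoip.country"] in {"RU", "T1"}
            or (req["cf.threat_score"] >= 5 and not req["cf.client.bot"])
            or req["http.request.version"] not in ALLOWED_VERSIONS
            or ua in ("", "undefined")
            or ("lient" in ua and "ttp" in ua)   # e.g. Apache-HttpClient
            or any(s in ua for s in UA_SUBSTRINGS))


def evaluate(req):
    """Return the action the ordered rule set takes for one request."""
    if rule1_skip(req):          # Skip ends evaluation of the remaining custom rules
        return "skip"
    if rule2_challenge(req):
        return "interactive_challenge"
    return "allow"
```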
Other settings for WordPress
Captcha verification on search, admin login and comment posting
Add a rule under Rules > Configuration Rules.
Expression:
(http.request.uri contains "/?s=") or (http.request.uri.path contains "wp-login.php") or (http.request.uri.path contains "wp-comments-post.php")
Browser Integrity Check: On
Security Level: I'm Under Attack
Placement: First
Do not cache the admin area or search pages
Add a rule under Rules > Cache Rules.
When: Custom filter expression
Expression (the value 填寫你的域名 is a placeholder for your own hostname):
(http.host eq "填寫你的域名" and not starts_with(http.request.uri.path, "/wp-admin") and not starts_with(http.request.uri.path, "/wp-login") and not starts_with(http.request.uri.path, "/wp-json/") and not starts_with(http.request.uri.path, "/wc-api/") and not starts_with(http.request.uri.path, "/edd-api/") and not starts_with(http.request.uri.path, "/mepr/") and not http.request.uri.path contains "/register/" and not http.request.uri.path contains "/dashboard/" and not http.request.uri.path contains "/members-area/" and not http.request.uri.path contains "/wishlist-member/" and not http.request.uri.path contains "phs_downloads-mbr" and not http.request.uri.path contains "/checkout/" and not http.request.uri.path contains ".xsl" and not http.request.uri.path contains ".xml" and not http.request.uri.path contains ".php" and not starts_with(http.request.uri.query, "s=") and not starts_with(http.request.uri.query, "p=") and not http.request.uri.query contains "nocache" and not http.request.uri.query contains "nowprocket" and not http.cookie contains "wordpress_logged_in_" and not http.cookie contains "comment_" and not http.cookie contains "woocommerce_" and not http.cookie contains "wordpressuser_" and not http.cookie contains "wordpresspass_" and not http.cookie contains "wordpress_sec_" and not http.cookie contains "yith_wcwl_products" and not http.cookie contains "edd_items_in_cart" and not http.cookie contains "it_exchange_session_" and not http.cookie contains "comment_author" and not http.cookie contains "dshack_level" and not http.cookie contains "auth_" and not http.cookie contains "noaffiliate_" and not http.cookie contains "mp_session" and not http.cookie contains "xf_" and not http.cookie contains "mp_globalcart_" and not http.cookie contains "wp-resetpass-" and not http.cookie contains "upsell_customer" and not http.cookie contains "wlmapi" and not http.cookie contains "wishlist_reg")
Cache eligibility: Eligible for cache
Edge TTL: Ignore cache-control header and use this TTL: 1 day
Browser TTL: Override origin and use this TTL: 4 hours
Placement: First
Summary
Sources of ideas:
[Tuning WordPress] How to avoid caching the admin bar behind Cloudflare – WordPress – 公牛擠奶 (rapbull.net)
The SF rule settings section of the WordPress plugin Super Page Cache for Cloudflare – 技術宅銀魂 – 萬事屋 (rei3.com)
How to protect your WordPress site with Cloudflare firewall rules (websiterating.com)
This post is only a starting point; you can adapt it to other platforms. I have not studied Cloudflare's features in depth myself, so any suggestions are welcome in the comments.