进入WAF配置页
进入Cloudflare的后台,选择你要防御的站点域名。
https://dash.cloudflare.com/login/
记得在DNS选项,开启小云朵。这就开启CDN了,后续防御规则才会生效。
1. 选择 安全性 -- WAF
2. 添加个WAF规则: 放行自己服务器,放行SEO爬虫,质询恶意流量。
3. 添加规则用 正则表达式,复制规则保存即可。
防御规则配置
以下列出三个规则的正则表达式
第一个: 放行自己服务器IP
IPV4和IPV6地址改成你的服务器IP
(ip.src eq 123.118.7.102) or (ip.src eq 2621:f657:6756:r691:5470:4ff:adf5:259d)选择操作: 跳过,然后保存规则
第二个: 放行SEO爬虫
(cf.client.bot) or (http.user_agent contains "duckduckgo") or (http.user_agent contains "facebookexternalhit") or (http.user_agent contains "Feedfetcher-Google") or (http.user_agent contains "LinkedInBot") or (http.user_agent contains "Mediapartners-Google") or (http.user_agent contains "msnbot") or (http.user_agent contains "Slackbot") or (http.user_agent contains "TwitterBot") or (http.user_agent contains "ia_archive") or (http.user_agent contains "yahoo")
(cf.client.bot) or (http.user_agent contains "duckduckgo") or (http.user_agent contains "facebookexternalhit") or (http.user_agent contains "Feedfetcher-Google") or (http.user_agent contains "LinkedInBot") or (http.user_agent contains "Mediapartners-Google") or (http.user_agent contains "msnbot") or (http.user_agent contains "Slackbot") or (http.user_agent contains "TwitterBot") or (http.user_agent contains "ia_archive") or (http.user_agent contains "yahoo")选择操作: 跳过,然后保存
第三个规则: 质询恶意流量
至关重要。但也很简单。地域限制,HTTP版本限制都十分管用。在之前大佬的基础上进化规则。
(cf.threat_score ge 5 and not cf.client.bot) or (not http.request.version in {"HTTP/2" "HTTP/3"}) or (not ip.geoip.country in {"AU" "CA" "FR" "DE" "HK" "IR" "JP" "KR" "MY" "SG" "TW" "GB" "US" "CN"})
(cf.threat_score ge 5 and not cf.client.bot) or (not http.request.version in {"HTTP/2" "HTTP/3"}) or (not ip.geoip.country in {"AU" "CA" "FR" "DE" "HK" "IR" "JP" "KR" "MY" "SG" "TW" "GB" "US" "CN"})这些大写字母是国家或地区的简称,在其中的都是放行的国家。如果你网站只面向中国用户可以只填写CN, 这样中国用户访问就可以绕过验证模式直接访问网站, 其余的全部会进入质询拦截模式,俗称CF的5秒盾。
这样设置基本就ok了。可以放几天试试,观察放行和拦截情况。
频率限制
最后
去测试看看最终效果