Last updated: 2024-05-29
Contents
- Free Version
- CF-RAY header
- Cloudflare source IP
- upload size
- Application: nginx with Cloudflare
Free Version
WAF Rules: 5 (Rate Limiting: 1)
(No Regex, Zone Lockdown, OWASP, Captcha)
IP lists: 1 (Items: 10,000)
Page Rules: 3
Min Cache TTL Expiry: 2h
Client Max Upload Size (MB): 100
Domains: lots and lots!
Lists
Custom Lists
Manage Account > Configurations > Lists > Custom Lists
Managed Lists
- Botnets, Command and Control Servers
- Malware
- VPNs
- ...
CF-RAY header
The CF-RAY header traces a website request through Cloudflare's network.
Provide the CF-RAY of a web request to Cloudflare support when troubleshooting an issue.
▶ For Apache web servers, add %{CF-Ray}i to LogFormat
▶ For Nginx web servers, add '$http_cf_ray' to log_format
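CF-RAY is also a cheap origin-side signal: a request that reached the origin without one did not pass through Cloudflare. The shell functions below are an added example (not from the original page) that parse the ray id and data-centre (colo) code out of nginx access-log lines written with a log_format that appends '$http_cf_ray' as the last quoted field, and count the lines that lack it. The log lines are constructed; the header layout assumed is the documented one, a hex id, a dash, then the three-letter colo code (e.g. "...-HKG"). Since a client connecting directly can set any CF-RAY it likes, treat a missing ray as a detection hint, not an access control; the nginx IP ACL later on this page is the control.

```shell
#!/bin/sh
# Added example: extract CF-RAY from nginx access-log lines whose log_format ends with
# "$http_cf_ray", and count requests that arrived without it. Not the page's own code.

# Constructed sample lines: combined format with "$http_cf_ray" appended as the final
# quoted field. Addresses and ray ids are made up for illustration.
SAMPLE_LOG='203.0.113.10 - - [29/May/2024:10:00:01 +0800] "GET / HTTP/1.1" 200 512 "-" "curl/8.0" "88a1b2c3d4e5f601-HKG"
203.0.113.11 - - [29/May/2024:10:00:02 +0800] "GET /login HTTP/1.1" 403 0 "-" "Mozilla/5.0" "88a1b2c3d4e5f602-SIN"
198.51.100.7 - - [29/May/2024:10:00:03 +0800] "GET /admin HTTP/1.1" 403 0 "-" "python-requests/2.31" "-"'

# cf_ray_field LINE: print the last quoted field of a log line, i.e. the CF-RAY as nginx
# logged it ("-" when the request carried no such header). Prints nothing if the line
# does not end with a quoted field.
cf_ray_field() {
    printf '%s\n' "$1" | sed -n 's/.*"\([^"]*\)"$/\1/p'
}

# cf_ray_colo LINE: print the colo suffix of the CF-RAY ("HKG", "SIN", ...), or "none"
# when the request did not carry a CF-RAY, which means it did not come via Cloudflare.
cf_ray_colo() {
    ray=$(cf_ray_field "$1")
    case "$ray" in
        -|"") printf 'none\n' ;;
        *-*)  printf '%s\n' "${ray##*-}" ;;
        *)    printf 'none\n' ;;
    esac
}

# count_without_ray LOG: number of log lines without a CF-RAY. On an origin that should
# only be reachable through Cloudflare, a non-zero count means something is hitting the
# origin directly and the IP ACL deserves a look.
count_without_ray() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ "$(cf_ray_colo "$line")" = "none" ] && echo x
    done | wc -l | tr -d ' '
}

# Usage: count_without_ray "$(cat /var/log/nginx/access.log)"
```

The colo code is what Cloudflare support will correlate with when you hand them a ray id, and grouping 4xx/5xx lines by colo is a quick way to see whether a problem is tied to one data centre or is origin-side.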
rules-language
https://developers.cloudflare.com/ruleset-engine/rules-language/
# Limit ip by list
(ip.src in $office_network)
Maximum rule expression length: 4,096 characters.
Block Country by http header
Uses the IP Geolocation Header feature of Page Rules, which adds a CF-IPCountry header to each request; the web server can then deny on its value (Apache 2.2 access-control syntax; on 2.4 this needs mod_access_compat):
SetEnvIf CF-IPCountry IN BuzzOff=1
SetEnvIf CF-IPCountry US BuzzOff=1
Order allow,deny
Allow from all
Deny from env=BuzzOff
Cloudflare source IP
https://www.cloudflare.com/ips-v4
Page Rules
The number of Page Rules included with a domain is set by plan type.
Additional Page Rules can be purchased at $5/month for 5 Page Rules.
Pro Version
- WAF Rule: 20
- Page Rules: 20
- IP lists: 10
- Managed Ruleset: OWASP top 10 attacks
- Zone Lockdown Rules: 3
- Enhanced bot mitigation: Challenge or block automated traffic
* The Pro plan covers 1 domain/zone.
The price for the Pro plan is per domain (zone), so subdomains of one zone share the plan:
- www.domain.com (Site 1)
- sub2.domain.com (Site 2)
- sub3.domain.com (Site 3)
- sub4.domain.com (Site 4)
Upload Size
Oversize response: 413 Request Entity Too Large
Limits as of 2024:
- Free and Pro: 100MB
- Business: 200MB
- Enterprise: 500MB (default)
* Because "set_real_ip_from" is used, "allow" cannot be used to restrict access to Cloudflare's IPs:
after the rewrite, $remote_addr holds the client's real IP, no longer Cloudflare's IP, so the check below is done with a geo block instead. (nginx 1.9.7+ also keeps the original, pre-rewrite address in $realip_remote_addr.)
proxy_www.conf
# IP ACL
include /etc/nginx/cloudflare/acl.conf;

server {
    ...
    location / {
        # IP ACL: $allow_access is set by the geo block in acl.conf
        if ($allow_access = 0) { return 403; }

        # Get Real IP: trust CF-Connecting-IP only from Cloudflare ranges
        include /etc/nginx/cloudflare/cloudflare.conf;
        ...
    }
}
cloudflare/acl.conf
geo $allow_access {
    default 0;

    # Direct access IP
    192.168.88.0/24  1;
    192.168.123.0/24 1;

    # Cloudflare IP (generated by gen_cloudflare.sh)
    include /etc/nginx/cloudflare/acl_ips.conf;
}
cloudflare/gen_cloudflare.sh
#!/bin/bash
cfip=/etc/nginx/cloudflare/ips-v4
proxy_cfg=/etc/nginx/cloudflare/cloudflare.conf
acl_cfg=/etc/nginx/cloudflare/acl_ips.conf

# Get Cloudflare IP list (write it to $cfip; restore the old copy if the download fails)
mv "$cfip" "${cfip}.bak"
if ! wget -q -O "$cfip" https://www.cloudflare.com/ips-v4; then
    mv "${cfip}.bak" "$cfip"
    echo "download failed, keeping previous list" >&2
    exit 1
fi

# Get Real Source IP Settings: one set_real_ip_from per Cloudflare range
echo "# get real source ip" > "$proxy_cfg"
sed -e 's|^|set_real_ip_from |' -e 's|$|;|' "$cfip" >> "$proxy_cfg"
echo >> "$proxy_cfg"
echo 'real_ip_header CF-Connecting-IP;' >> "$proxy_cfg"

# IP ACL: every Cloudflare range maps to 1 (allowed) in the geo block
sed 's|$| 1;|' "$cfip" > "$acl_cfg"
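The script above writes whatever the download returned straight into the two nginx fragments. If the fetch returns an HTML error page or an empty body, the next reload either fails on a syntax error or, with an empty list, leaves the origin trusting no Cloudflare range at all (so every Cloudflare-proxied request is then denied by the geo block). The helpers below are an added example, not part of the page's script, that validate a downloaded list before it is installed: `install_ip_list` replaces the live list only when every line is an IPv4 CIDR and the list is non-empty. The sample lists are constructed (RFC 5737 documentation ranges, not Cloudflare's real list); the file names are assumptions.

```shell
#!/bin/sh
# Added example: validate a Cloudflare IP list before letting gen_cloudflare.sh turn it
# into set_real_ip_from / geo fragments. Not the page's own code.

# is_ipv4_cidr STR: succeed only for a.b.c.d/n with each octet 0-255 and prefix 0-32.
is_ipv4_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            if ($5 !~ /^[0-9]+$/ || $5 > 32) exit 1
            exit 0
        }'
}

# validate_cidr_list FILE: succeed only if every non-empty line is an IPv4 CIDR and the
# file holds at least one entry (an empty list would silently trust nothing).
validate_cidr_list() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        is_ipv4_cidr "$line" || { echo "invalid entry: $line" >&2; return 1; }
        n=$((n + 1))
    done < "$1"
    [ "$n" -gt 0 ]
}

# install_ip_list NEW DEST: replace DEST with NEW only if NEW validates; otherwise leave
# DEST untouched and fail, so the previous good list keeps driving the nginx config.
install_ip_list() {
    validate_cidr_list "$1" || return 1
    mv -f "$1" "$2"
}

# Constructed sample inputs (documentation ranges, not Cloudflare's real list):
GOOD_LIST='198.51.100.0/24
203.0.113.0/24
192.0.2.0/24'
# What a failed download can leave behind: an HTML error page.
BAD_LIST='<html><body>502 Bad Gateway</body></html>'
# A list with a malformed range that a plain sed pipeline would happily emit.
BAD_RANGE='203.0.113.0/24
300.1.1.0/24'

# Usage inside gen_cloudflare.sh, in place of downloading directly to $cfip
# (file names are assumptions):
#   wget -q -O "$cfip.new" https://www.cloudflare.com/ips-v4 \
#     && install_ip_list "$cfip.new" "$cfip" || exit 1
```

Run `nginx -t` after regenerating the fragments and only then reload; the validation above catches bad input early, but the syntax check is still the last word on what nginx will accept.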