cloudflare防火墙规则设置详细教程
规则,防火墙,使用方法
规则防火墙使用方法
套餐情况
套餐 规则数量 拦截方式 是否允许正则 Free/PRO-plus 5 No Log No PRO 20 No Log No Business 100 No Log Yes Enterprise 1000 All Yes 部分案例
案例 说明 (ip.src ne 127.0.0.1) 全站开启验证码,访客IP不是127.0.0.1开启防御机制 (not cf.client.bot) 非搜索引擎的IP进行的访问进行验证码或屏蔽 (not ip.geoip.country in {"CN" "HK" "TW" "MO"} and not cf.client.bot) 访客不是大陆,香港,台湾,澳门的并且不是搜索引擎的进行拦截(加入搜索引擎判断,防止谷歌,BING等国外搜索引擎被拦截) (not ip.geoip.country in {"CN" "HK" "TW" "MO"} and http.request.full_uri contains "login") 访客不是大陆,香港,台湾,澳门的并且访问的链接里面带有login的就进行防火墙动作 (ip.geoip.country in {"CN"} and http.request.full_uri contains "login") or (ip.geoip.country in {"CN"} and http.request.full_uri contains "register") 大陆访客的并且访问的链接里面带有login/或者register的就进行防火墙动作 (not http.referer contains "bnxb.com" and not http.referer contains "baidu.com") or (http.referer eq "") 防盗链:来路域名非bnxb.com(含子域名)也非百度下的域名,或者来路为空就触发防火墙拦截 (http.request.full_uri contains "cdn.bnxb.com" and not ip.geoip.country in {"CN" "HK"}) cdn.bnxb.com这个子域名只允许大陆,香港访问,其他屏蔽 规则类型及编写方法
判断语句 eq-等于,ne-不等于,gt-大于,lt-小于,ge-大于等于,le-小于等于,contains-包含,not contains-不包含,in-在某几个里面,not in-不在里面
多个条件组合可以用and并且,or或者来连接,例如:
(http.request.full_uri contains "?" and http.request.full_uri contains "cate=" and not http.request.full_uri contains "js") 意思是访问的URL里面包含?并且包含cate= 并且不包含js的进行处理规则名称 字段 允许类型 案例 说明 http.cookie 字符串 eq\ne\contains\not contains\matches\not matches (http.cookie eq "session=8521F670545D7865F79C3D7BED C29CCE;-background=light")
(http.cookie ne "session=8521F670545D7865F79C3D7BED C29CCE;-background=light")
(http.cookie contains "session=8521F670545D7865F79C3D7BED C29CCE;-background=light")
(not http.cookie contains "session=8521F670545D7865F79C3D7BED C29CCE;-background=light")
判断本地COOKIE是否包含某些特定值支持matches\not matches匹配正则
注意两端需要用括号括起来,可以用and ,or 连接,类似
(not http.cookie contains "session=8521F670545D7865F79C3D7BED C29CCE;-background=light" and ip.geoip.asnum lt 2000)
http.host 字符串 eq\ne\contains\not contains\in\not in\matches\not matches (http.host eq "bnxb.com")
(http.host ne "bnxb.com")
(http.host contains "bnxb.com")
(not http.host contains "bnxb.com")
(http.host in {"bnxb.com" "cdn.bnxb.com"})
(not http.host in {"bnxb.com" "cdn.bnxb.com"})
主机名,判断主机名是否存在设定的值支持正则匹配matches\not matches http.referer 字符串 eq\ne\contains\not contains\matches\not matches (http.referer contains "bnxb.com")
(not http.referer contains "bnxb.com")
判断来源是否存在设置的值,正常用cotains(包含)和not contains(不包含)支持正则匹配matches\not matches http.request.full_uri 字符串 eq\ne\contains\not contains\matches\not matches (http.request.full_uri eq "https://www.bnxb.com/html/123.html")
(http.request.full_uri ne "https://www.bnxb.com/html/123.html")
(http.request.full_uri contains "123")
(not http.request.full_uri contains "123")
设置防火墙的网站的某个完整链接,访客访问这个链接就会触发防御规则,不能含#,正常可以用contains 来判断域名中含有某个词的进行拦截或者放行,支持正则匹配matches\not matches http.request.method 字符串 eq\ne\in\not in (http.request.method eq "GET")
(http.request.method ne "GET")
(http.request.method in {"GET" "POST" "PUT"})
(not http.request.method in {"GET" "POST" "PUT"})
访客请求您网站的方式,可选GET,POST,PURGE,PUT,HEAD,OPTIONS,DELETE,PATCH http.request.uri 字符串 eq\ne\contains\not contains\matches\not matches (http.request.uri eq "/articles/index?section=539061&expand=comments")
(http.request.uri ne "/articles/index?section=539061&expand=comments")
(http.request.uri contains "expand=comments")
(not http.request.uri contains "expand=comments")
您域名的URI http.request.uri.path 字符串 eq\ne\contains\not contains\in\not in\matches\not matches (http.request.uri.path eq "/articles/index")
(http.request.uri.path ne "/articles/index")
(http.request.uri.path contains "/articles/index")
(not http.request.uri.path contains "/articles/index")
(http.request.uri.path in {"/articles/index" "/articles/bnxb" "/bnxb/com"})
(not http.request.uri.path in {"/articles/index" "/articles/bnxb" "/bnxb/com"})
请求路径 http.request.uri.query 字符串 eq\ne\contains\not contains\matches\not matches (http.request.uri.query eq "section=539061&expand=comments")
(http.request.uri.query ne "section=539061&expand=comments")
(http.request.uri.query contains "expand=comments")
(not http.request.uri.query contains "expand=comments")
query请求参数,也就是?后面的一串 http.request.version 字符串 eq\ne\contains\not contains (http.request.version eq "SPDY/3.1")
(http.request.version ne "SPDY/3.1")
(http.request.version in {"SPDY/3.1" "HTTP/1.1" "HTTP/2"})
(not http.request.version in {"SPDY/3.1" "HTTP/1.1" "HTTP/2"})
HTTP请求协议的版本,有以下选项 HTTP/1.0
HTTP/1.1
HTTP/1.2
HTTP/2
HTTP/3
SPDY/3.1
http.user_agent 字符串 eq\ne\contains\not contain\matches\not matches (http.user_agent eq "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36")
(http.user_agent ne "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36")
(http.user_agent contains "Chrome/65.0.3325.181")
(not http.user_agent contains "Chrome/65.0.3325.181")
用户浏览器标识,推荐使用contains/not contains http.x_forwarded_for 字符串 eq\ne\contains\not contain\matches\not matches (http.x_forwarded_for eq "111.111.11.11")
(http.x_forwarded_for ne "111.111.11.11")
(http.x_forwarded_for contains "11.11")
(not http.x_forwarded_for contains "11.11")
x-forwarded-for标头 支持matches\not matches匹配正则表达式 ip.src IP 地址 eq\ne\in\not in (ip.src eq 192.0.2.0)
(ip.src ne 192.0.2.0)
(ip.src in {192.0.2.0 192.0.3.0 192.168.1.1})
(not ip.src in {192.0.2.0 192.0.3.0 192.168.1.1})
客户端IP地址 ip.geoip.asnum 数字 eq\ne\gt\lt\ge\le\in\not in (ip.geoip.asnum eq 13335)
(ip.geoip.asnum ne 13335)
(ip.geoip.asnum gt 13335)
(ip.geoip.asnum lt 13335)
(ip.geoip.asnum ge 13335)
(ip.geoip.asnum le 13335)
(ip.geoip.asnum in {13335 13332 11112})
(not ip.geoip.asnum in {13335 13332 11112})
访客IP所属的AS号,gt-大于,lt-小于,ge-大于等于,le-小于等于 ip.geoip.continent 字符串 eq\ne\in\not in (ip.geoip.continent eq "AS")
(ip.geoip.continent ne "AS")
(ip.geoip.continent in {"AS" "AF" "EU" "OC"})
(not ip.geoip.continent in {"AS" "AF" "EU" "OC"})
访客所属的洲(7大洲),洲代码如下: ip.geoip.country 字符串 eq\ne\in\not in (ip.geoip.country eq "CN")
(ip.geoip.country ne "CN")
(ip.geoip.country in {"CN" "HK" "TW" "MO"})
(not ip.geoip.country in {"CN" "HK" "TW" "MO"})
访客所属国家,使用二位英文字母标识国别,详见http://tool.bnxb.com/domainname.html ip.geoip.subdivision_1_iso_code 字符串 GB-ENG If known, the ISO 3166-2 code for the first level region associated with the IP address. 1 If not known, this is an empty string. ip.geoip.subdivision_2_iso_code 字符串 GB-SWK If known, the ISO 3166-2 code for the second level region associated with the IP address. If not known, this is an empty string. ip.geoip.is_in_european_union 真假 true True if this is an EU country ssl 真假 (ssl)
(not ssl)
是否使用HTTPS cf.client.bot 真假 (cf.client.bot)
(not cf.client.bot)
基于各家搜索引擎IP段判断是否放行(支持百度,谷歌,搜狗,yahoo,yandex,apple,archive,bing,feedbin,grapeshot,linkedin,mail.ru,naver,pingdom,pinterest,seznam,uptimerobot) cf.threat_score 数字 eq\ne\gt\lt\ge\le\in\not in (cf.threat_score eq 2)
(cf.threat_score ne 2)
(cf.threat_score gt 2)
(cf.threat_score lt 2)
(cf.threat_score ge 2)
(cf.threat_score le 2)
(cf.threat_score in {2 5 8})
(not cf.threat_score in {2 5 8})
访客IP的威胁评分级别,越大说明CF对这个IP视为越危险,10分以上均属于较不安全的IP,40分以上属于对互联网有过攻击行为的IP,因此可以设置10分以上显示验证码,50分以上拦截。(这个设置与防御等级设置是使用同一套评分系统,防御等级高-分值>0,防御等级中-分值>14,防御等级低-分值>24,防御等级半关闭-分值>49) cf.tls_client_auth.cert_verified 真假 (cf.tls_client_auth.cert_verified)
(not cf.tls_client_auth.cert_verified)
已验证客户端证书 AF – 非洲
AN – 南极洲
AS – 亚洲
EU – 欧洲
NA – 北美洲
OC – 大洋洲
SA – 南美洲
( 或者 T1 代表 Tor网络)
