This post is updated continuously: feel free to bookmark this site~

Freeloading on Cloudflare's free CDN

Add the site in Cloudflare and switch the domain over to the DNS service it gives you (change the nameservers from the ones your registrar provides to Cloudflare's).

Then add an A record for that domain as shown below, with the CDN proxy enabled (turn on all the little orange clouds).

The drawback is that the edge servers serving mainland China are basically all on the US West Coast (around San Francisco), but it's a free CDN, so what more do you want.

It also shields the origin IP from exposure to a fair degree, which is nice. Site access speed may drop, so choose carefully; if you want speed you still have to pay.

Security level

Set it to High: at this level your search indexing will not suffer.

Do not enable "I'm Under Attack!": with it on, every request gets a human verification check and a 5-second wait, which will hurt your search indexing.

Set the challenge passage period to 30 or 15; neither too low nor too high.

Enabling DDoS protection

Find the setting and click Configure rules.

This DDoS protection is based on Cloudflare's machine detection; its false-positive rate is very low, so give it a try.

Add a rule as follows:

Ruleset action (required): Managed Challenge, or Block outright (I suggest Block while you are actually under attack). Ruleset sensitivity (required): High.

Enabling the WAF

The full WAF service is paid, but Cloudflare gives free users 5 basic rules; below is how to make good use of those 5 rules.

The three most important rules are:

allow yourself, allow SEO crawlers, and challenge malicious traffic.

You will find WAF under Security.

The basic operation is adding expressions (Cloudflare's rule-expression language).

The five rules

Rule 1 (highest priority): allow your own origin IP

The expression is below; you can also use the expression builder to generate it directly:

(ip.src eq <your origin IPv4 address>) or (ip.src eq <your origin IPv6 address>)

Then follow the screenshot.

Rule 2: allow SEO crawlers

The expression is below; just paste it in as-is:

(cf.client.bot) or (http.user_agent contains "duckduckgo") or (http.user_agent contains "facebookexternalhit") or (http.user_agent contains "Feedfetcher-Google") or (http.user_agent contains "LinkedInBot") or (http.user_agent contains "Mediapartners-Google") or (http.user_agent contains "msnbot") or (http.user_agent contains "Slackbot") or (http.user_agent contains "TwitterBot") or (http.user_agent contains "ia_archive") or (http.user_agent contains "yahoo")

Rule 3: challenge malicious traffic

Whitelist a set of countries: traffic from any country not in the list gets filtered.

The expression used:

(cf.threat_score ge 5 and not cf.client.bot) or (not http.request.version in {"HTTP/2" "HTTP/3"}) or (not ip.geoip.country in {"AU" "CA" "FR" "DE" "HK" "IR" "JP" "KR" "MY" "SG" "TW" "GB" "US" "CN"})

The capital letters are country/region codes; the ones listed are allowed through. If you only do business in Hong Kong, you can list just HK; everything else goes into challenge mode, commonly known as Cloudflare's 5-second shield.

You can also use this one (recommended):

(cf.threat_score ge 5 and not cf.client.bot) or (not http.request.version in {"HTTP/2" "HTTP/3"}) or (not ip.geoip.country in {"AU" "CA" "FR" "DE" "HK" "IR" "JP" "KR" "MY" "SG" "TW" "GB" "US" "CN"}) or (not cf.client.bot and cf.threat_score gt 10) or (http.user_agent eq "") or (http.user_agent contains "fuck") or (http.user_agent contains "lient" and http.user_agent contains "ttp") or (http.user_agent contains "java") or (http.user_agent contains "Joomla") or (http.user_agent contains "libweb") or (http.user_agent contains "libwww") or (http.user_agent contains "PHPCrawl") or (http.user_agent contains "PyCurl") or (http.user_agent contains "python") or (http.user_agent contains "wrk") or (http.user_agent contains "hey/") or (http.user_agent contains "Acunetix") or (http.user_agent contains "apache") or (http.user_agent contains "BackDoorBot") or (http.user_agent contains "cobion") or (http.user_agent contains "masscan") or (http.user_agent contains "FHscan") or (http.user_agent contains "scanbot") or (http.user_agent contains "Gscan") or (http.user_agent contains "Researchscan") or (http.user_agent contains "WPScan") or (http.user_agent contains "ScanAlert") or (http.user_agent contains "Wprecon") or (http.user_agent contains "virusdie") or (http.user_agent contains "VoidEYE") or (http.user_agent contains "WebShag") or (http.user_agent contains "Zeus") or (http.user_agent contains "zgrab") or (http.user_agent contains "zmap") or (http.user_agent contains "nmap") or (http.user_agent contains "fimap") or (http.user_agent contains "ZmEu") or (http.user_agent contains "ZumBot") or (http.user_agent contains "Zyborg") or (http.user_agent contains "attachment") or (http.user_agent eq "undefined")

These were all compiled by experts; just use them as-is.

First, a few terms:

  • Threat Score: a metric reflecting how much of a security threat an IP address or request poses, generally used to gauge the likelihood and severity of malicious activity; the higher, the worse.

  • GeoIP: a method of determining geographic information such as country, region and city from an IP address.

  • X-Forwarded-For: an HTTP request header that identifies the proxy servers a request passed through, commonly used by web applications to obtain the client's real IP address; when this field is empty, it usually means the request went through a proxy or came from a malicious actor.

  • And/Or: in logic, And is logical AND (true only when both conditions hold), Or is logical OR (true when either condition holds).

Now let's look at the matching rule above:

  1. When the client is not a known bot (cf.client.bot) and (and) the threat score (cf.threat_score) is greater than 3, the rule matches.

  2. When the country of the request's source IP is Russia or Ukraine, or the source is the Tor anonymity network, the rule matches.

  3. When the X-Forwarded-For header in the request is empty, the rule also matches.

  4. The three conditions above are joined with logical OR (Or), so satisfying any one of them triggers the Managed Challenge.

Rule 4: JS Challenge (JavaScript challenge)

The rule:

(not cf.client.bot and cf.threat_score gt 10) or (http.user_agent eq "") or (http.user_agent contains "fuck") or (http.user_agent contains "lient" and http.user_agent contains "ttp") or (http.user_agent contains "java") or (http.user_agent contains "Joomla") or (http.user_agent contains "libweb") or (http.user_agent contains "libwww") or (http.user_agent contains "PHPCrawl") or (http.user_agent contains "PyCurl") or (http.user_agent contains "python") or (http.user_agent contains "wrk") or (http.user_agent contains "hey/") or (http.user_agent contains "Acunetix") or (http.user_agent contains "apache") or (http.user_agent contains "BackDoorBot") or (http.user_agent contains "cobion") or (http.user_agent contains "masscan") or (http.user_agent contains "FHscan") or (http.user_agent contains "scanbot") or (http.user_agent contains "Gscan") or (http.user_agent contains "Researchscan") or (http.user_agent contains "WPScan") or (http.user_agent contains "ScanAlert") or (http.user_agent contains "Wprecon") or (http.user_agent contains "virusdie") or (http.user_agent contains "VoidEYE") or (http.user_agent contains "WebShag") or (http.user_agent contains "Zeus") or (http.user_agent contains "zgrab") or (http.user_agent contains "zmap") or (http.user_agent contains "nmap") or (http.user_agent contains "fimap") or (http.user_agent contains "ZmEu") or (http.user_agent contains "ZumBot") or (http.user_agent contains "Zyborg") or (http.user_agent contains "attachment") or (http.user_agent eq "undefined")

A JavaScript challenge is a bit stricter than a Managed Challenge (bots find it painful 😭). The example rule is too long to screenshot conveniently, so paste it into your WAF rule editor to view it.

There is a new match field above: UA (User-Agent), i.e. the user agent, which carries the name and version of the client application or browser sending the request.

As you can see, when the example rule matches an IP or UA with poor reputation, it issues a JavaScript challenge.

Rule 5: Block (watch out for false positives)

The rule below has a fairly high false-positive rate; use it with caution.

The rule:

(not cf.client.bot and cf.threat_score gt 15) or (ip.geoip.asnum in {59055 59054 59053 59052 59051 59028 45104 45103 45102 37963 34947 211914 134963 63727 63655 61348 55990 269939 265443 206798 206204 200756 149167 141180 140723 139144 139124 136907 131444 45090 137876 133478 132591 132203}) or (http.user_agent contains "80legs") or (http.user_agent contains "Abonti") or (http.user_agent contains "admantx") or (http.user_agent contains "aipbot") or (http.user_agent contains "AllSubmitter") or (http.user_agent contains "Backlink") or (http.user_agent contains "backlink") or (http.user_agent contains "Badass") or (http.user_agent contains "Bigfoot") or (http.user_agent contains "blexbot") or (http.user_agent contains "Buddy") or (http.user_agent contains "CherryPicker") or (http.user_agent contains "cloudsystemnetwork") or (http.user_agent contains "cognitiveseo") or (http.user_agent contains "Collector") or (http.user_agent contains "cosmos") or (http.user_agent contains "CrazyWebCrawler") or (http.user_agent contains "Crescent") or (http.user_agent contains "Devil") or (http.user_agent contains "spider") or (http.user_agent contains "stat") or (http.user_agent contains "Appender") or (http.user_agent contains "Crawler") or (http.user_agent contains "DittoSpyder") or (http.user_agent contains "Konqueror") or (http.user_agent contains "Easou") or (http.user_agent contains "Yisou") or (http.user_agent contains "Etao") or (http.user_agent contains "mail" and http.user_agent contains "olf") or (http.user_agent contains "exabot.com") or (http.user_agent contains "getintent") or (http.user_agent contains "Grabber") or (http.user_agent contains "GrabNet") or (http.user_agent contains "HEADMasterSEO") or (http.user_agent contains "heritrix") or (http.user_agent contains "htmlparser") or (http.user_agent contains "hubspot") or (http.user_agent contains "Jyxobot") or (http.user_agent contains "kraken") or (http.user_agent contains "larbin") or (http.user_agent contains "ltx71") or (http.user_agent contains "leiki") or (http.user_agent contains "LinkScan") or (http.user_agent contains "Magnet") or (http.user_agent contains "Mag-Net") or (http.user_agent contains "Mechanize") or (http.user_agent contains "MegaIndex") or (http.user_agent contains "Metasearch") or (http.user_agent contains "MJ12bot") or (http.user_agent contains "moz.com") or (http.user_agent contains "Navroad") or (http.user_agent contains "Netcraft") or (http.user_agent contains "niki-bot") or (http.user_agent contains "NimbleCrawler") or (http.user_agent contains "Nimbostratus") or (http.user_agent contains "Ninja") or (http.user_agent contains "Openfind") or (http.user_agent contains "Analyzer") or (http.user_agent contains "Pixray") or (http.user_agent contains "probethenet") or (http.user_agent contains "proximic") or (http.user_agent contains "psbot") or (http.user_agent contains "RankActive") or (http.user_agent contains "RankingBot") or (http.user_agent contains "RankurBot") or (http.user_agent contains "Reaper") or (http.user_agent contains "SalesIntelligent") or (http.user_agent contains "Semrush") or (http.user_agent contains "SEOkicks") or (http.user_agent contains "spbot") or (http.user_agent contains "SEOstats") or (http.user_agent contains "Snapbot") or (http.user_agent contains "Stripper") or (http.user_agent contains "Siteimprove") or (http.user_agent contains "sitesell") or (http.user_agent contains "Siphon") or (http.user_agent contains "Sucker") or (http.user_agent contains "TenFourFox") or (http.user_agent contains "TurnitinBot") or (http.user_agent contains "trendiction") or (http.user_agent contains "twingly") or (http.user_agent contains "VidibleScraper") or (http.user_agent contains "WebLeacher") or (http.user_agent contains "WebmasterWorldForum") or (http.user_agent contains "webmeup") or (http.user_agent contains "Webster") or (http.user_agent contains "Widow") or (http.user_agent contains "Xaldon") or (http.user_agent contains "Xenu") or (http.user_agent contains "xtractor") or (http.user_agent contains "Zermelo")

You can also add it yourself with the rule builder:

I removed the ASN clause before using it myself; the ASN part produces far too many false positives 😂

ASN: short for Autonomous System Number, a 32-bit number that uniquely identifies an autonomous system (AS).

Paste it into the WAF rule expression editor to see the matching conditions more clearly:

  1. If the client is not a Cloudflare-verified bot (not cf.client.bot) and (and) the IP threat score is above 15 (cf.threat_score gt 15), the rule matches and the request is blocked;

  2. If the ASN belongs to cloud provider XX, YY or ZZ, the rule matches and the request is blocked;

  3. If one of the malicious user agents (User-Agent) listed afterwards matches, the rule matches and the request is blocked.

The result:
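As an added example (not part of the original post), the five rules above modelled in Python and evaluated in priority order, assuming first-match-wins semantics as the post's "allow first" ordering intends. Only a short subset of the rule 4 and rule 5 user-agent lists is included, the ASN clause is left out as the author did, and the origin addresses are constructed placeholders; feeding it a few constructed requests shows why the order matters and how a real desktop browser such as Konqueror is caught by the rule 5 substring list.

```python
"""Simulates the five free-tier WAF rules from this post in priority order (first match wins)."""
from dataclasses import dataclass

# Constructed placeholder origin addresses (the post leaves these for you to fill in).
ORIGIN_IPS = {"203.0.113.10", "2001:db8::10"}
SEO_UA_MARKERS = ("duckduckgo", "facebookexternalhit", "Feedfetcher-Google", "LinkedInBot",
                  "Mediapartners-Google", "msnbot", "Slackbot", "TwitterBot", "ia_archive", "yahoo")
ALLOWED_COUNTRIES = {"AU", "CA", "FR", "DE", "HK", "IR", "JP", "KR", "MY", "SG", "TW", "GB", "US", "CN"}
# Short subsets of the post's rule 4 and rule 5 user-agent lists; the full lists are above.
JS_CHALLENGE_UA = ("python", "PyCurl", "java", "masscan", "nmap", "zgrab", "WPScan", "Acunetix")
BLOCK_UA = ("Konqueror", "MJ12bot", "Semrush", "spider", "Crawler", "stat")  # Konqueror is a real browser

@dataclass
class Request:
    ip: str                       # ip.src
    user_agent: str               # http.user_agent
    country: str                  # ip.geoip.country
    http_version: str = "HTTP/2"  # http.request.version
    threat_score: int = 0         # cf.threat_score
    client_bot: bool = False      # cf.client.bot (Cloudflare-verified bot)

def rule1_allow_origin(r):        # (ip.src eq <origin IPv4>) or (ip.src eq <origin IPv6>)
    return r.ip in ORIGIN_IPS

def rule2_allow_seo(r):           # (cf.client.bot) or (http.user_agent contains ...)
    return r.client_bot or any(m in r.user_agent for m in SEO_UA_MARKERS)

def rule3_managed_challenge(r):   # threat-score, HTTP-version and country clauses of rule 3
    return ((r.threat_score >= 5 and not r.client_bot)
            or r.http_version not in {"HTTP/2", "HTTP/3"}
            or r.country not in ALLOWED_COUNTRIES)

def rule4_js_challenge(r):        # rule 4: high score, empty/odd UA, HTTP-client library and scanner UAs
    ua = r.user_agent
    return ((not r.client_bot and r.threat_score > 10) or ua in ("", "undefined")
            or ("lient" in ua and "ttp" in ua) or any(m in ua for m in JS_CHALLENGE_UA))

def rule5_block(r):               # rule 5 without the ASN clause the author removed
    return (not r.client_bot and r.threat_score > 15) or any(m in r.user_agent for m in BLOCK_UA)

RULES = [("allow", rule1_allow_origin), ("allow", rule2_allow_seo),
         ("managed_challenge", rule3_managed_challenge),
         ("js_challenge", rule4_js_challenge), ("block", rule5_block)]

def evaluate(r):
    """Action of the first rule that matches, or 'pass' when none does."""
    for action, matches in RULES:
        if matches(r):
            return action
    return "pass"
```

Note that a request with a threat score of 12 over HTTP/2 lands in rule 3's Managed Challenge, never reaching rule 4's `gt 10` clause, because rule 3 is evaluated first.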

Rate limiting

This suits servers with a fat pipe; if your server's pipe is small, you will have plenty of time to simply take the server offline, so you can leave this off.

It is also found under WAF.

Configure the rule as follows:

Security - WAF - Rate limiting rules; create a rate limiting rule with these settings:

Rule name: anything you like.

For the rate-limit match, set the operator to "contains" and enter an ASCII slash /; this is the key point, and it means every directory on the site matches.

Action: Block. Response type: Default Cloudflare rate limiting response (this tells the visitor they have been blocked and sends them to Cloudflare's rate-limit block page. If you want to tell your site's visitors what happened, you can supply custom HTML and write your own Chinese page in UTF-8 encoding.)

Duration: 10 seconds. Requests: 30. Period: 10 seconds.

Requests: 30. If your site has high traffic you can raise it; don't set it too high or too low, and preferably not below 20. If it is too low, normal user visits get blocked too. Note: I set 35 and got blocked myself, so I suggest something higher, such as 200.

Exclude css, js, jpg and png images, font files and so on, and also exclude search-engine spiders.
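An added example (not part of the original post) of the rule above as a simplified per-IP counter: 30 requests in a 10-second period, then a 10-second block, with static assets and verified spiders excluded from counting as the post recommends. The sliding-window counting and the set of excluded extensions are assumptions made for the model, not Cloudflare's exact algorithm; the IP addresses are constructed.

```python
"""Simplified model of the rate limiting rule: 30 requests per 10-second period per IP,
then block for 10 seconds, with static assets and verified bots excluded from counting."""
from collections import defaultdict, deque

REQUEST_LIMIT = 30      # "Requests: 30"
PERIOD_SECONDS = 10     # "Period: 10 seconds"
BLOCK_SECONDS = 10      # "Duration: 10 seconds"
# Extensions excluded from counting, following the post's advice (css, js, images, fonts).
STATIC_EXTENSIONS = (".css", ".js", ".jpg", ".jpeg", ".png", ".gif", ".woff", ".woff2", ".ttf")

class RateLimiter:
    def __init__(self, limit=REQUEST_LIMIT, period=PERIOD_SECONDS, block=BLOCK_SECONDS):
        self.limit, self.period, self.block = limit, period, block
        self.hits = defaultdict(deque)   # ip -> timestamps of counted requests
        self.blocked_until = {}          # ip -> time at which the block expires

    def check(self, ip, path, now, verified_bot=False):
        """Return 'skip' (not counted), 'block', or 'allow' for one request at time `now`."""
        if verified_bot or path.lower().endswith(STATIC_EXTENSIONS):
            return "skip"                # spiders and static files never count toward the limit
        if self.blocked_until.get(ip, 0.0) > now:
            return "block"               # still inside the block duration
        window = self.hits[ip]
        while window and window[0] <= now - self.period:
            window.popleft()             # drop requests older than the period
        window.append(now)
        if len(window) > self.limit:
            self.blocked_until[ip] = now + self.block
            window.clear()               # start counting afresh once the block expires
            return "block"
        return "allow"

def burst(limiter, ip, count, start=0.0, step=0.1, path="/"):
    """Send `count` requests `step` seconds apart from one IP; return the list of decisions."""
    return [limiter.check(ip, path, start + i * step) for i in range(count)]

def first_blocked_request(limit):
    """1-based index of the first request a limiter with `limit` blocks in a fast burst."""
    decisions = burst(RateLimiter(limit=limit), "198.51.100.7", limit + 5)
    return decisions.index("block") + 1
```

A page that issues dozens of dynamic requests (API calls, AJAX polling) per visit can exhaust a limit of 30 on its own, which is the false positive the author hit at 35.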

Bots

Here you need to consider whether your site talks to users' clients or to other servers over an API; there is a certain false-positive rate. As a rule, the older the software in use, the more likely it is to trigger false positives.

Whether to block AI training crawlers is up to you; given how little traffic AI crawlers generate, you can leave it off.

Onion routing

Some attacks use Tor nodes to get around Cloudflare challenges, so I suggest turning this off.

Additional notes

Redirect problems caused by Cloudflare

Cloudflare's default encryption mode is usually Flexible, so you need to check this for yourself.

Check whether your SSL/TLS encryption mode is set to Flexible.

Cause:

With the SSL mode set to Flexible, the CDN reaches the origin over HTTP. The origin supports HTTPS and is configured to redirect HTTP to HTTPS. This creates a problem: the user reaches the CDN over HTTPS, the CDN reaches the origin over HTTP, the origin redirects the HTTP request to HTTPS, and a redirect loop forms. Once there are too many redirects, the browser reports ERR_TOO_MANY_REDIRECTS.

Solution:

Switch the mode to Full or Full (strict).

I recommend Full; otherwise you may run into some odd issues.

About the two modes

Cloudflare Origin CA is a service that generates an SSL certificate for your origin server. It is mainly meant to help users who have no SSL certificate of their own or cannot conveniently obtain one.

However, if you already have a certificate issued by a trusted certificate authority (such as Let's Encrypt), you do not need Cloudflare's Origin CA; just use your existing certificate on the origin server.

  • Flexible SSL: the connection between your visitors and Cloudflare is encrypted, but the connection from Cloudflare to your server is not, i.e. half-way encryption. Advantage: your site needs no SSL certificate, yet users still get SSL-encrypted access.

  • Full SSL: end-to-end encryption, i.e. from your site to the CDN edge to the user, everything is SSL-encrypted. Advantage: as long as your server has an SSL certificate (self-signed or purchased), you get SSL-encrypted access.

  • Full SSL (strict): end-to-end encryption; the difference from Full SSL is that your server must have a trusted SSL certificate installed (i.e. a purchased one), otherwise SSL-encrypted access cannot be enabled.
