最新消息 – ECSHOP 響應式模板全新RWD-SHOP

Cloudflare 防火牆規則說明

2022-12-01 shawn最新消息, 網站管理31

Cloudflare防火牆規則使用方法

各分案比較

方案	規則數量	攔截方式	是否允許正則
Free/PRO-plus	5	No Log	No
PRO	20	No Log	No
Business	100	No Log	Yes
Enterprise	1000	All	Yes

部分案例

案例	說明
(ip.src ne 127.0.0.1)	全站開啟驗證碼,訪客IP不是127.0.0.1開啟防禦機制
(not cf.client.bot)	非搜尋引擎的IP進行的訪問進行驗證碼或遮蔽
(not ip.geoip.country in {“CN" “HK" “TW" “MO"} and not cf.client.bot)	訪客不是大陸，香港，台灣，澳門的並且不是搜尋引擎的進行攔截（加入搜尋引擎判斷，防止Google，BING等國外搜尋引擎被攔截）
(not ip.geoip.country in {“CN" “HK" “TW" “MO"} and http.request.full_uri contains “login")	訪客不是大陸，香港，台灣，澳門的並且訪問的連結裡面帶有login的就進行防火牆動作
(ip.geoip.country in {“CN"} and http.request.full_uri contains “login") or (ip.geoip.country in {“CN"} and http.request.full_uri contains “register")	大陸訪客的並且訪問的連結裡面帶有login/或者register的就進行防火牆動作
(not http.referer contains “bnxb.com" and not http.referer contains “baidu.com") or (http.referer eq “")	防盜鏈：來路域名非bnxb.com（含子域名）也非百度下的域名，或者來路為空就觸發防火牆攔截
(http.request.full_uri contains “cdn.bnxb.com" and not ip.geoip.country in {“CN" “HK"})	cdn.bnxb.com這個子域名只允許大陸，香港訪問，其他遮蔽

規則類型及編寫方法

規則名稱	允許類型	說明/範例
http.cookie 字串	eq\ne\contains\not contains\matches\not matches	判斷本地COOKIE是否包含某些特定值支援matches\not matches匹配正則注意兩端需要用括號括起來，可以用and ,or 連接，類似 (not http.cookie contains “session=8521F670545D7865F79C3D7BED C29CCE;-background=light" and ip.geoip.asnum lt 2000) (http.cookie eq “session=8521F670545D7865F79C3D7BED C29CCE;-background=light") (http.cookie ne “session=8521F670545D7865F79C3D7BED C29CCE;-background=light") (http.cookie contains “session=8521F670545D7865F79C3D7BED C29CCE;-background=light") (not http.cookie contains “session=8521F670545D7865F79C3D7BED C29CCE;-background=light")
http.host 字串	eq\ne\contains\not contains\in\not in\matches\not matches	主機名，判斷主機名是否存在設定的值支援正則匹配matches\not matches (http.host eq “bnxb.com") (http.host ne “bnxb.com") (http.host contains “bnxb.com") (not http.host contains “bnxb.com") (http.host in {“bnxb.com" “cdn.bnxb.com"}) (not http.host in {“bnxb.com" “cdn.bnxb.com"})
http.referer 字串	eq\ne\contains\not contains\matches\not matches	判斷來源是否存在設定的值，正常用cotains(包含)和not contains(不包含)支援正則匹配matches\not matches (http.referer contains “bnxb.com") (not http.referer contains “bnxb.com")
http.request.full_uri 字串	eq\ne\contains\not contains\matches\not matches	設定防火牆的網站的某個完整連結，訪客訪問這個連結就會觸發防禦規則，不能含#，正常可以用contains 來判斷域名中含有某個詞的進行攔截或者放行,支援正則匹配matches\not matches (http.request.full_uri eq “https://www.bnxb.com/html/123.html") (http.request.full_uri ne “https://www.bnxb.com/html/123.html") (http.request.full_uri contains “123″) (not http.request.full_uri contains “123″)
http.request.method 字串	eq\ne\in\not in	訪客請求您網站的方式，可選GET,POST,PURGE,PUT,HEAD,OPTIONS,DELETE,PATCH (http.request.method eq “GET") (http.request.method ne “GET") (http.request.method in {“GET" “POST" “PUT"}) (not http.request.method in {“GET" “POST" “PUT"})
http.request.uri 字串	eq\ne\contains\not contains\matches\not matches	您域名的URI (http.request.uri eq “/articles/index?section=539061&expand=comments") (http.request.uri ne “/articles/index?section=539061&expand=comments") (http.request.uri contains “expand=comments") (not http.request.uri contains “expand=comments")
http.request.uri.path 字串	eq\ne\contains\not contains\in\not in\matches\not matches	請求路徑 (http.request.uri.path eq “/articles/index") (http.request.uri.path ne “/articles/index") (http.request.uri.path contains “/articles/index") (not http.request.uri.path contains “/articles/index") (http.request.uri.path in {“/articles/index" “/articles/bnxb" “/bnxb/com"}) (not http.request.uri.path in {“/articles/index" “/articles/bnxb" “/bnxb/com"})
http.request.uri.query 字串	eq\ne\contains\not contains\matches\not matches	query請求參數，也就是?後面的一串 (http.request.uri.query eq “section=539061&expand=comments") (http.request.uri.query ne “section=539061&expand=comments") (http.request.uri.query contains “expand=comments") (not http.request.uri.query contains “expand=comments")
http.request.version 字串	eq\ne\contains\not contains	HTTP請求協議的版本，有以下選項 HTTP/1.0 HTTP/1.1 HTTP/1.2 HTTP/2 HTTP/3 SPDY/3.1 (http.request.version eq “SPDY/3.1″) (http.request.version ne “SPDY/3.1″) (http.request.version in {“SPDY/3.1″ “HTTP/1.1″ “HTTP/2″}) (not http.request.version in {“SPDY/3.1″ “HTTP/1.1″ “HTTP/2″})
http.user_agent 字串	eq\ne\contains\not contain\matches\not matches	使用者瀏覽器標識，推薦使用contains/not contains (http.user_agent eq “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36″) (http.user_agent ne “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36″) (http.user_agent contains “Chrome/65.0.3325.181″) (not http.user_agent contains “Chrome/65.0.3325.181″)
http.x_forwarded_for 字串	eq\ne\contains\not contain\matches\not matches	x-forwarded-for標頭支援matches\not matches匹配正規表示式 (http.x_forwarded_for eq “111.111.11.11″) (http.x_forwarded_for ne “111.111.11.11″) (http.x_forwarded_for contains “11.11″) (not http.x_forwarded_for contains “11.11″)
ip.src IP位址	eq\ne\in\not in	客戶端IP地址 (ip.src eq 192.0.2.0) (ip.src ne 192.0.2.0) (ip.src in {192.0.2.0 192.0.3.0 192.168.1.1}) (not ip.src in {192.0.2.0 192.0.3.0 192.168.1.1})
ip.geoip.asnum 數字	eq\ne\gt\lt\ge\le\in\not in	訪客IP所屬的AS號,gt-大於，lt-小於，ge-大於等於,le-小於等於 (ip.geoip.asnum eq 13335) (ip.geoip.asnum ne 13335) (ip.geoip.asnum gt 13335) (ip.geoip.asnum lt 13335) (ip.geoip.asnum ge 13335) (ip.geoip.asnum le 13335) (ip.geoip.asnum in {13335 13332 11112}) (not ip.geoip.asnum in {13335 13332 11112})
ip.geoip.continent 字串	eq\ne\in\not in	訪客所屬的洲(7大洲)，洲程式碼如下: AF – 非洲 AN – 南極洲 AS – 亞洲 EU – 歐洲 NA – 北美洲 OC – 大洋洲 SA – 南美洲 ( 或者 T1 代表 Tor網路) (ip.geoip.continent eq “AS") (ip.geoip.continent ne “AS") (ip.geoip.continent in {“AS" “AF" “EU" “OC"}) (not ip.geoip.continent in {“AS" “AF" “EU" “OC"})
ip.geoip.country 字串	eq\ne\in\not in	訪客所屬國家，使用二位英文字母標識國別，詳見http://tool.bnxb.com/domainname.html (ip.geoip.country eq “CN") (ip.geoip.country ne “CN") (ip.geoip.country in {“CN" “HK" “TW" “MO"}) (not ip.geoip.country in {“CN" “HK" “TW" “MO"})
ip.geoip.subdivision_1_iso_code 字串		If known, the ISO 3166-2 code for the first level region associated with the IP address. 1 If not known, this is an empty string. GB-ENG
ip.geoip.subdivision_2_iso_code 字串		If known, the ISO 3166-2 code for the second level region associated with the IP address. If not known, this is an empty string. GB-SWK
ip.geoip.is_in_european_union 布林		True if this is an EU country true
Ssl 布林		是否使用HTTPS
cf.client.bot 布林		基於各家搜尋引擎IP段判斷是否放行(支援Google,yahoo,yandex,apple,archive,bing,feedbin,grapeshot,linkedin,mail.ru,naver,pingdom,pinterest,seznam,uptimerobot) (cf.client.bot) (not cf.client.bot)
cf.threat_score 數字	eq\ne\gt\lt\ge\le\in\not in	訪客IP的威脅評分等級，越大說明CF對這個IP視為越危險，10分以上均屬於較不安全的IP，40分以上屬於對網際網路有過攻擊行為的IP，因此可以設定10分以上顯示驗證碼，50分以上攔截。（這個設定與防禦等級設定是使用同一套評分系統，防禦等級高-分值>0,防禦等級中-分值>14,防禦等級低-分值>24,防禦等級半關閉-分值>49） (cf.threat_score eq 2) (cf.threat_score ne 2) (cf.threat_score gt 2) (cf.threat_score lt 2) (cf.threat_score ge 2) (cf.threat_score le 2) (cf.threat_score in {2 5 8}) (not cf.threat_score in {2 5 8})
cf.tls_client_auth.cert_verified 布林		已驗證客戶端證書 (cf.tls_client_auth.cert_verified) (not cf.tls_client_auth.cert_verified)

規則名稱

允許類型

說明/範例

http.cookie

字串

eq\ne\contains\not contains\matches\not matches

判斷本地COOKIE是否包含某些特定值支援matches\not matches匹配正則

注意兩端需要用括號括起來，可以用and ,or 連接，類似

(not http.cookie contains “session=8521F670545D7865F79C3D7BED C29CCE;-background=light" and ip.geoip.asnum lt 2000)

(http.cookie eq “session=8521F670545D7865F79C3D7BED C29CCE;-background=light")

(http.cookie ne “session=8521F670545D7865F79C3D7BED C29CCE;-background=light")

(http.cookie contains “session=8521F670545D7865F79C3D7BED C29CCE;-background=light")

(not http.cookie contains “session=8521F670545D7865F79C3D7BED C29CCE;-background=light")

http.host

字串

eq\ne\contains\not contains\in\not in\matches\not matches

主機名，判斷主機名是否存在設定的值支援正則匹配matches\not matches

(http.host eq “bnxb.com")

(http.host ne “bnxb.com")

(http.host contains “bnxb.com")

(not http.host contains “bnxb.com")

(http.host in {“bnxb.com" “cdn.bnxb.com"})

(not http.host in {“bnxb.com" “cdn.bnxb.com"})

http.referer

字串

eq\ne\contains\not contains\matches\not matches

判斷來源是否存在設定的值，正常用cotains(包含)和not contains(不包含)支援正則匹配matches\not matches

(http.referer contains “bnxb.com")

(not http.referer contains “bnxb.com")

http.request.full_uri

字串

eq\ne\contains\not contains\matches\not matches

設定防火牆的網站的某個完整連結，訪客訪問這個連結就會觸發防禦規則，不能含#，正常可以用contains 來判斷域名中含有某個詞的進行攔截或者放行,支援正則匹配matches\not matches

(http.request.full_uri eq “https://www.bnxb.com/html/123.html")

(http.request.full_uri ne “https://www.bnxb.com/html/123.html")

(http.request.full_uri contains “123″)

(not http.request.full_uri contains “123″)

http.request.method

字串

eq\ne\in\not in

訪客請求您網站的方式，可選GET,POST,PURGE,PUT,HEAD,OPTIONS,DELETE,PATCH

(http.request.method eq “GET")

(http.request.method ne “GET")

(http.request.method in {“GET" “POST" “PUT"})

(not http.request.method in {“GET" “POST" “PUT"})

http.request.uri

字串

eq\ne\contains\not contains\matches\not matches

您域名的URI

(http.request.uri eq “/articles/index?section=539061&expand=comments")

(http.request.uri ne “/articles/index?section=539061&expand=comments")

(http.request.uri contains “expand=comments")

(not http.request.uri contains “expand=comments")

http.request.uri.path

字串

eq\ne\contains\not contains\in\not in\matches\not matches

請求路徑

(http.request.uri.path eq “/articles/index")

(http.request.uri.path ne “/articles/index")

(http.request.uri.path contains “/articles/index")

(not http.request.uri.path contains “/articles/index")

(http.request.uri.path in {“/articles/index" “/articles/bnxb" “/bnxb/com"})

(not http.request.uri.path in {“/articles/index" “/articles/bnxb" “/bnxb/com"})

http.request.uri.query

字串

eq\ne\contains\not contains\matches\not matches

query請求參數，也就是?後面的一串

(http.request.uri.query eq “section=539061&expand=comments")

(http.request.uri.query ne “section=539061&expand=comments")

(http.request.uri.query contains “expand=comments")

(not http.request.uri.query contains “expand=comments")

http.request.version

字串

eq\ne\contains\not contains

HTTP請求協議的版本，有以下選項

HTTP/1.0

HTTP/1.1

HTTP/1.2

HTTP/2

HTTP/3

SPDY/3.1

(http.request.version eq “SPDY/3.1″)

(http.request.version ne “SPDY/3.1″)

(http.request.version in {“SPDY/3.1″ “HTTP/1.1″ “HTTP/2″})

(not http.request.version in {“SPDY/3.1″ “HTTP/1.1″ “HTTP/2″})

http.user_agent

字串

eq\ne\contains\not contain\matches\not matches

使用者瀏覽器標識，推薦使用contains/not contains

(http.user_agent eq “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36″)

(http.user_agent ne “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36″)

(http.user_agent contains “Chrome/65.0.3325.181″)

(not http.user_agent contains “Chrome/65.0.3325.181″)

http.x_forwarded_for

字串

eq\ne\contains\not contain\matches\not matches

x-forwarded-for標頭支援matches\not matches匹配正規表示式

(http.x_forwarded_for eq “111.111.11.11″)

(http.x_forwarded_for ne “111.111.11.11″)

(http.x_forwarded_for contains “11.11″)

(not http.x_forwarded_for contains “11.11″)

ip.src

IP位址

eq\ne\in\not in

客戶端IP地址

(ip.src eq 192.0.2.0)

(ip.src ne 192.0.2.0)

(ip.src in {192.0.2.0 192.0.3.0 192.168.1.1})

(not ip.src in {192.0.2.0 192.0.3.0 192.168.1.1})

ip.geoip.asnum

數字

eq\ne\gt\lt\ge\le\in\not in

訪客IP所屬的AS號,gt-大於，lt-小於，ge-大於等於,le-小於等於

(ip.geoip.asnum eq 13335)

(ip.geoip.asnum ne 13335)

(ip.geoip.asnum gt 13335)

(ip.geoip.asnum lt 13335)

(ip.geoip.asnum ge 13335)

(ip.geoip.asnum le 13335)

(ip.geoip.asnum in {13335 13332 11112})

(not ip.geoip.asnum in {13335 13332 11112})

ip.geoip.continent

字串

eq\ne\in\not in

訪客所屬的洲(7大洲)，洲程式碼如下:

AF – 非洲
AN – 南極洲
AS – 亞洲
EU – 歐洲
NA – 北美洲
OC – 大洋洲
SA – 南美洲

( 或者 T1 代表 Tor網路)

(ip.geoip.continent eq “AS")

(ip.geoip.continent ne “AS")

(ip.geoip.continent in {“AS" “AF" “EU" “OC"})

(not ip.geoip.continent in {“AS" “AF" “EU" “OC"})

ip.geoip.country

字串

eq\ne\in\not in

訪客所屬國家，使用二位英文字母標識國別，詳見http://tool.bnxb.com/domainname.html

(ip.geoip.country eq “CN")

(ip.geoip.country ne “CN")

(ip.geoip.country in {“CN" “HK" “TW" “MO"})

(not ip.geoip.country in {“CN" “HK" “TW" “MO"})

ip.geoip.subdivision_1_iso_code

字串

If known, the ISO 3166-2 code for the first level region associated with the IP address. 1 If not known, this is an empty string.

GB-ENG

ip.geoip.subdivision_2_iso_code

字串

If known, the ISO 3166-2 code for the second level region associated with the IP address. If not known, this is an empty string.

GB-SWK

ip.geoip.is_in_european_union

布林

True if this is an EU country

true

Ssl

布林

是否使用HTTPS

cf.client.bot

布林

基於各家搜尋引擎IP段判斷是否放行(支援Google,yahoo,yandex,apple,archive,bing,feedbin,grapeshot,linkedin,mail.ru,naver,pingdom,pinterest,seznam,uptimerobot)

(cf.client.bot)

(not cf.client.bot)

cf.threat_score

數字

eq\ne\gt\lt\ge\le\in\not in

訪客IP的威脅評分等級，越大說明CF對這個IP視為越危險，10分以上均屬於較不安全的IP，40分以上屬於對網際網路有過攻擊行為的IP，因此可以設定10分以上顯示驗證碼，50分以上攔截。（這個設定與防禦等級設定是使用同一套評分系統，防禦等級高-分值>0,防禦等級中-分值>14,防禦等級低-分值>24,防禦等級半關閉-分值>49）

(cf.threat_score eq 2)

(cf.threat_score ne 2)

(cf.threat_score gt 2)

(cf.threat_score lt 2)

(cf.threat_score ge 2)

(cf.threat_score le 2)

(cf.threat_score in {2 5 8})

(not cf.threat_score in {2 5 8})

cf.tls_client_auth.cert_verified

布林

已驗證客戶端證書

(cf.tls_client_auth.cert_verified)