Cloudflare is Awesome!
Disclaimer & Intro
This post has been made as my notes; even though I attempt to explain what I have set up/built and how, I do not owe anyone any explanation. Do NOT expect anything.
My blog is my garden.
Cloudflare as a service/company is truly awesome! I cannot stress this enough.
Before I started using/recommending the Cloudflare free plan to almost every client/friend, I used to prefer cheap cPanel-based hosting for most of the projects/solutions/clients out there.
If you have been living under a rock for some time and have not seen/heard about Cloudflare, let me put it this way:
Cloudflare is the only platform in the world that allows you to do all of these things for free:
- Point a domain you own to it (CF) in Full DNS mode (allowing Cloudflare to be the source of truth for all DNS records)
- Easy and free setup of DNSSEC
- 5 custom rules for the Cloudflare WAF (this is enough for 85% of sites/projects)
- 65 Cloudflare Rules (Amazing but are use case dependent)
- Free Managed SSL/TLS (With option to enforce ONLY TLS 1.3)
- Amazing Caching
- Good Enough Bot Blocking
- Unmetered DDoS Protection (Layer 3 to Layer 7 of OSI Model)
Custom WAF Rules
Below are some rules I (almost always) deploy for any project/site/client, regardless of the nature of their undertaking.
- BLOCK_BOTS:
- Rule: (cf.client.bot or cf.threat_score gt 60)
- The above simply blocks confirmed and semi-confirmed bots (ref: Cloudflare Bots Documentation)
- ACTION: Block
- BLOCKRISKYCOUNTRIES:
- Rule: (ip.src.country in {"AF" "AL" "DZ" "AZ" "BH" "BD" "BJ" "BN" "BF" "CM" "TD" "CN" "KM" "CI" "DJ" "EG" "GA" "GM" "GN" "GW" "GY" "HK" "ID" "IR" "IQ" "JO" "KZ" "KP" "KW" "KG" "LB" "LY" "MY" "MV" "ML" "MR" "MA" "MZ" "NE" "NG" "OM" "PK" "PS" "QA" "SA" "SN" "SL" "SO" "SD" "SR" "SY" "TW" "TJ" "TG" "TN" "TR" "TM" "UG" "AE" "UZ" "YE" "T1" "CA"})
- The above simply blocks ALL traffic from high-risk countries
- ACTION: Block
- BLOCKCOMMONSCANNERS:
- Rule: (http.user_agent contains "arachni") or (http.user_agent contains "betabot") or (http.user_agent contains "bewica-security-scan") or (http.user_agent contains "BFAC") or (http.user_agent contains "commix") or (http.user_agent contains "Detectify") or (http.user_agent contains "dirbuster") or (http.user_agent contains "fimap") or (http.user_agent contains "fuzz faster") or (http.user_agent contains "gobuster") or (http.user_agent contains "havij") or (http.user_agent contains "hexometer") or (http.user_agent contains "jbrofuzz") or (http.user_agent contains "jorgee") or (http.user_agent contains "libwhisker") or (http.user_agent contains "masscan") or (http.user_agent contains "morfeus") or (http.user_agent contains "Mozlila") or (http.user_agent contains "nessus") or (http.user_agent contains "netlab360") or (http.user_agent contains "netsparker") or (http.user_agent contains "nikto") or (http.user_agent contains "nmap") or (http.user_agent contains "nuclei") or (http.user_agent contains "openvas") or (http.user_agent contains "sitelockspider") or (http.user_agent contains "sqlmap") or (http.user_agent contains "sysscan") or (http.user_agent contains "TsunamiSecurityScanner") or (http.user_agent contains "w3af.org") or (http.user_agent contains "webbandit") or (http.user_agent contains "webshag") or (http.user_agent contains "wfuzz") or (http.user_agent contains "whatweb") or (http.user_agent contains "wprecon") or (http.user_agent contains "wpscan") or (http.user_agent contains "zgrab") or (http.user_agent contains "zmeu") or (http.user_agent contains "python") or (http.user_agent contains "java") or (http.user_agent contains "Go-http-client") or (http.user_agent contains "fasthttp") or (http.user_agent contains "scrapy" and not cf.client.bot) or (http.user_agent contains "spider" and not cf.client.bot) or (http.user_agent contains "crawl" and not cf.client.bot) or (http.user_agent eq "") or (http.user_agent eq " ") or (http.user_agent eq "-") or (http.user_agent eq "'")
- The above is a slightly complex rule that aims to block the most common scanning tools/scripts (the field name in Cloudflare's rule language is http.user_agent).
- ACTION: Block
- RISKREDUCTION:
- Rule: (http.request.uri eq "https://sefinek.net/milosna-grota/verification/upload") or (http.request.uri.path contains ".php") or (http.user
- This rule focuses on reducing risk from various parties by serving them a Managed Challenge.
- ACTION: Managed Challenge
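To see what the BLOCKCOMMONSCANNERS rule above would actually catch before deploying it, here is an added Python model (my own example, not Cloudflare's code and not part of the original post) that mimics the rule language's semantics for the operators the rule uses: `contains` is a case-sensitive substring match, `eq` is an exact match, and `cf.client.bot` is modelled as a boolean on the request. The sample user agents are constructed, and the `lowercase` flag models wrapping the field in Cloudflare's `lower()` function.

```python
from dataclasses import dataclass

# Substrings from the post's BLOCKCOMMONSCANNERS rule. Cloudflare's
# `contains` is case-sensitive, so these must match the UA exactly as sent.
SCANNER_UAS = (
    "arachni", "betabot", "bewica-security-scan", "BFAC", "commix",
    "Detectify", "dirbuster", "fimap", "fuzz faster", "gobuster", "havij",
    "hexometer", "jbrofuzz", "jorgee", "libwhisker", "masscan", "morfeus",
    "Mozlila", "nessus", "netlab360", "netsparker", "nikto", "nmap",
    "nuclei", "openvas", "sitelockspider", "sqlmap", "sysscan",
    "TsunamiSecurityScanner", "w3af.org", "webbandit", "webshag", "wfuzz",
    "whatweb", "wprecon", "wpscan", "zgrab", "zmeu",
    "python", "java", "Go-http-client", "fasthttp",
)
CRAWLER_WORDS = ("scrapy", "spider", "crawl")  # guarded by `and not cf.client.bot`
EMPTY_UAS = ("", " ", "-", "'")                 # the `eq` clauses

@dataclass
class Request:
    user_agent: str               # http.user_agent
    cf_client_bot: bool = False   # cf.client.bot (Cloudflare-verified bot)

def matches(req: Request, lowercase: bool = False) -> bool:
    """True when the rule would fire. lowercase=True models wrapping the
    field in Cloudflare's lower(), i.e. lower(http.user_agent) contains "x"."""
    ua = req.user_agent.lower() if lowercase else req.user_agent
    needles = [s.lower() for s in SCANNER_UAS] if lowercase else SCANNER_UAS
    if any(n in ua for n in needles):
        return True
    if not req.cf_client_bot and any(w in ua for w in CRAWLER_WORDS):
        return True
    return ua in EMPTY_UAS

# Constructed sample traffic (not real logs) covering each clause type.
SAMPLE = {
    "sqlmap": Request("sqlmap/1.7#stable (https://sqlmap.org)"),
    "urllib": Request("Python-urllib/3.11"),
    "java": Request("Java/17.0.8"),
    "firefox": Request("Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"),
    "verified-spider": Request("Mozilla/5.0 (compatible; Baiduspider/2.0)", cf_client_bot=True),
    "unverified-crawler": Request("mycrawler-bot/0.1"),
    "blank": Request(""),
}

def verdicts(lowercase: bool = False) -> dict:
    """Map each sample name to True (Block) or False (allowed through)."""
    return {name: matches(r, lowercase) for name, r in SAMPLE.items()}
```

Running `verdicts()` shows that "Python-urllib/3.11" and "Java/17.0.8" slip past the rule as written because of the capital letter, while `verdicts(lowercase=True)` catches them; the verified crawler stays allowed in both modes.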
Cloudflare Page Shield
Nothing much to say here; make sure to turn on Page Shield under Security.

Other Options
Basic Bot Block + AI Bot Block
Go to Security->Bots and turn on both of the options there:

Security Level
I like to run all my sites at the "HIGH" security level, but Medium also works.

Optimizations/Speed
You should probably enable these options to improve the performance of your website:
In Speed->Optimization->Content Optimization :
- Speed Brain
- Cloudflare Fonts
- Early Hints
- Smart Hints
- Rocket Loader™

In Speed->Optimization->Protocol Optimization :
- HTTP/2 to Origin
- HTTP/3 (with QUIC)
- 0-RTT Connection Resumption

In Speed->Optimization->Other :
- AMP Real URL

You may also play around with other Cloudflare rules like Compression Rules. I usually just use ZSTD for ALL INCOMING REQUESTS.
I have been hit with DDoS attacks multiple times, which CF has been able to mitigate within an hour. Below is the first DDoS this site was ever hit with:

That is it! Hope this post empowers you to point your domain to CF and test it out for yourself!
