通过拒绝所有不存在 CF-RAY header 的流量,仅允许 .htaccess 中的 Cloudflare 流量
Allow only Cloudflare traffic in .htaccess by denying all traffic with no CF-RAY header present
出于安全原因,我想在 .htaccess 中限制所有不是来自 Cloudflare 的流量。我已经编写了阻止所有非 Cloudflare IP 的脚本,但在某些主机上它不起作用。我想检查请求 header 是否包含 header CF-RAY,无论值如何,如果不包含,则 return 403 错误。
感谢您的任何建议!
试试:
RewriteCond %{HTTP:CF-RAY} ^$
RewriteRule ^ - [F,L]
如果出于安全原因使用 header 是危险的。从其他来源向您发送此 header 毫不费力。
最好通过IP限制来自CloudFlare的请求
https://www.cloudflare.com/ips/
如果是 Apache,你可以在 .htaccess 中添加这样的东西
deny from all
allow from ... (one row for every range in above url)
是的,将它放在 .htaccess 文件的顶部即可轻松做到这一点
#apache_2.4_cloudflare_bypass_protection_htaccess
#Place in top of .htaccess in document root that needs protected
#
## References
#https://docs.sucuri.net/website-firewall/configuration/prevent-sucuri-firewall-bypass/
#https://docs.sucuri.net/website-firewall/troubleshooting/bypassing-firewall-for-testing/
#https://community.cloudflare.com/t/prevent-users-bypassing-cloudflare-to-access-my-site/4606
#https://blog.christophetd.fr/bypassing-cloudflare-using-internet-wide-scan-data/
#https://www.cloudflare.com/ips/
#https://support.cloudflare.com/hc/en-us/articles/204899617
# BEGIN Cloudflare Firewall Bypass Prevention
#Apache 2.4 Server
<FilesMatch ".*">
Require ip 173.245.48.0/20
Require ip 103.21.244.0/22
Require ip 103.22.200.0/22
Require ip 103.31.4.0/22
Require ip 141.101.64.0/18
Require ip 108.162.192.0/18
Require ip 190.93.240.0/20
Require ip 188.114.96.0/20
Require ip 197.234.240.0/22
Require ip 198.41.128.0/17
Require ip 162.158.0.0/15
Require ip 104.16.0.0/12
Require ip 172.64.0.0/13
Require ip 131.0.72.0/22
Require ip 2400:cb00::/32
Require ip 2606:4700::/32
Require ip 2803:f800::/32
Require ip 2405:b500::/32
Require ip 2405:8100::/32
Require ip 2a06:98c0::/29
Require ip 2c0f:f248::/32
# Allow from INSERT YOUR IP HERE
</FilesMatch>
# END Cloudflare Firewall Bypass Prevention
完全免责声明:我有一个 git 存储库,其中包含 Sucuri/Cloudflare 和 Openlitespeed/Litespeed/Apache 的预制存储库。
https://gitlab.com/mikeramsey/apache-htaccess-rules/-/tree/master/
出于安全原因,我想在 .htaccess 中限制所有不是来自 Cloudflare 的流量。我已经编写了阻止所有非 Cloudflare IP 的脚本,但在某些主机上它不起作用。我想检查请求 header 是否包含 header CF-RAY,无论值如何,如果不包含,则 return 403 错误。 感谢您的任何建议!
试试:
RewriteCond %{HTTP:CF-RAY} ^$
RewriteRule ^ - [F,L]
如果出于安全原因使用 header 是危险的。从其他来源向您发送此 header 毫不费力。
最好通过IP限制来自CloudFlare的请求 https://www.cloudflare.com/ips/
如果是 Apache,你可以在 .htaccess 中添加这样的东西
deny from all
allow from ... (one row for every range in above url)
是的,将它放在 .htaccess 文件的顶部即可轻松做到这一点
#apache_2.4_cloudflare_bypass_protection_htaccess
#Place in top of .htaccess in document root that needs protected
#
## References
#https://docs.sucuri.net/website-firewall/configuration/prevent-sucuri-firewall-bypass/
#https://docs.sucuri.net/website-firewall/troubleshooting/bypassing-firewall-for-testing/
#https://community.cloudflare.com/t/prevent-users-bypassing-cloudflare-to-access-my-site/4606
#https://blog.christophetd.fr/bypassing-cloudflare-using-internet-wide-scan-data/
#https://www.cloudflare.com/ips/
#https://support.cloudflare.com/hc/en-us/articles/204899617
# BEGIN Cloudflare Firewall Bypass Prevention
#Apache 2.4 Server
<FilesMatch ".*">
Require ip 173.245.48.0/20
Require ip 103.21.244.0/22
Require ip 103.22.200.0/22
Require ip 103.31.4.0/22
Require ip 141.101.64.0/18
Require ip 108.162.192.0/18
Require ip 190.93.240.0/20
Require ip 188.114.96.0/20
Require ip 197.234.240.0/22
Require ip 198.41.128.0/17
Require ip 162.158.0.0/15
Require ip 104.16.0.0/12
Require ip 172.64.0.0/13
Require ip 131.0.72.0/22
Require ip 2400:cb00::/32
Require ip 2606:4700::/32
Require ip 2803:f800::/32
Require ip 2405:b500::/32
Require ip 2405:8100::/32
Require ip 2a06:98c0::/29
Require ip 2c0f:f248::/32
# Allow from INSERT YOUR IP HERE
</FilesMatch>
# END Cloudflare Firewall Bypass Prevention
完全免责声明:我有一个 git 存储库,其中包含 Sucuri/Cloudflare 和 Openlitespeed/Litespeed/Apache 的预制存储库。 https://gitlab.com/mikeramsey/apache-htaccess-rules/-/tree/master/