https://github.com/kamrullab/cloudflare-security-rules
This repository provides a complete Cloudflare WAF setup guide, including custom rules for bot protection, country blocking, and CAPTCHA verification. Learn how to configure firewall settings step by step to secure your website against threats.
- Host: GitHub
- URL: https://github.com/kamrullab/cloudflare-security-rules
- Owner: kamrullab
- License: mit
- Created: 2025-03-02T08:50:39.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2025-03-02T09:03:51.000Z (4 months ago)
- Last Synced: 2025-03-02T10:19:23.363Z (3 months ago)
- Topics: bot-protection, captcha, cloudflare, cloudflare-rules, cloudflare-security, cloudflare-waf, cloudflare-waf-rules, custom-rules, custom-rulesets, cybersecurity, ddos-protection, firewall, ip-blocking, security, security-rules, waf, waf-configuration, web-application-firewall, website-protection
- Homepage:
- Size: 4.88 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Cloudflare Web Application Firewall (WAF) and Security Setup
## Overview
This repository provides a complete **step-by-step guide** to setting up and configuring the **Cloudflare Web Application Firewall (WAF)**. It helps protect websites against **malicious requests, unwanted bot traffic, and unauthorized access**. The guide covers **creating custom rules**, **understanding firewall settings**, and **applying CAPTCHA verification** (Cloudflare's Managed Challenge) to improve security without making the site slower for legitimate visitors.

---
# **How to Create Cloudflare WAF Rules (Step-by-Step Guide)**
## **Step 1: Accessing Cloudflare Security Settings**
1. **Log in to Cloudflare**: Go to the [Cloudflare Dashboard](https://dash.cloudflare.com/) and log in.
2. **Select Your Website**: Click the zone (website) you want to protect.
3. **Navigate to WAF**: In the left sidebar, go to **Security > WAF (Web Application Firewall)**.
4. **Go to Custom Rules**: Click the **Custom rules** tab.

## **Step 2: Creating a New Custom Rule**
1. Click **Create rule**.
2. Enter a **Rule name** (e.g., `CAPTCHA SKIP` for the rule that exempts trusted crawlers).
3. Choose a **Field** (e.g., `User Agent` to match a crawler's name, or `Known Bots`, Cloudflare's own verified-bot flag, which a client cannot fake by setting a header).
4. Select an **Operator** (e.g., `contains` to match part of a User Agent string).
5. Enter a **Value** (e.g., `Googlebot` for Google's crawler).
6. Choose an **Action**: `Skip` (stop evaluating the remaining custom rules for matching requests), `Block`, or `Managed Challenge` (Cloudflare picks the challenge type; an interactive CAPTCHA is shown only when a non-interactive check is not enough).
7. Set the **Placement** (first, after another rule, etc.). Custom rules are evaluated in order and the first matching rule with a terminating action (Skip, Block, Managed Challenge) decides the request, so placement is part of what a rule means.
8. Click **Save** and make sure the rule is **Enabled**.

---
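The same three rules this guide defines in the next section, created through the Cloudflare Rulesets API instead of by clicking through the dashboard, as an added example that is not part of the original guide or repository. It assumes a zone ID and an API token allowed to edit the zone's WAF (read from two environment variable names chosen here for illustration), writes each rule in Cloudflare's expression language, and deliberately matches the skip rule on the verified-bot field `cf.client.bot` rather than on the User-Agent header. The challenge rule is scoped to the mail host and the `/SOFT` section rather than to the whole apex domain, because a hostname cannot carry a path. The country field takes ISO 3166-1 alpha-2 codes, which is what the dashboard's country names translate to.

```python
"""Create the guide's three custom WAF rules through the Cloudflare Rulesets API.

Added example, not code from the original guide. The custom rules shown in the
dashboard under Security > WAF > Custom rules live in the ruleset phase
http_request_firewall_custom, and PUT on that phase's entrypoint replaces the
zone's custom rules with the list given here, in this order.
"""
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"
PHASE = "http_request_firewall_custom"

# The list order is the "placement" from the guide: rules run top to bottom.
RULES = [
    {
        "description": "CAPTCHA SKIP",
        # Match Cloudflare's verified-bot flag (dashboard field "Known Bots"), not the
        # client-supplied User-Agent header, which anyone can set to "Googlebot".
        "expression": "(cf.client.bot)",
        "action": "skip",
        # Skip only the remaining rules of this ruleset (the two below),
        # not managed rules, rate limiting or other products.
        "action_parameters": {"ruleset": "current"},
        "enabled": True,
    },
    {
        "description": "COUNTRY BLOCK",
        # The dashboard shows country names; the expression uses ISO 3166-1 alpha-2.
        "expression": '(ip.src.country in {"GB" "US"})',
        "action": "block",
        "enabled": True,
    },
    {
        "description": "CAPTCHA ON",
        # http.host is the Host header and carries no path, so the /SOFT section is
        # expressed as host AND path. Scoped to these two areas, not the whole apex.
        "expression": '(http.host eq "mail.kamrul.us") or '
                      '(http.host eq "kamrul.us" and http.request.uri.path starts_with "/SOFT")',
        "action": "managed_challenge",
        "enabled": True,
    },
]


def build_entrypoint_payload(rules=RULES):
    """Request body for PUT .../rulesets/phases/{PHASE}/entrypoint."""
    allowed = {"skip", "block", "managed_challenge"}
    for rule in rules:
        if rule["action"] not in allowed:
            raise ValueError(f"unexpected action {rule['action']!r} in {rule['description']}")
    return {"rules": rules}


def skip_rule_precedes_terminating_rules(rules=RULES):
    """Placement check: every skip must sit before the first block/challenge,
    otherwise verified crawlers located in a blocked country are blocked before
    the exemption is ever evaluated."""
    actions = [r["action"] for r in rules]
    first_terminating = next((i for i, a in enumerate(actions) if a != "skip"), len(actions))
    return all(i < first_terminating for i, a in enumerate(actions) if a == "skip")


def deploy(zone_id, token, rules=RULES, dry_run=True):
    """PUT the rules to the zone's custom-rules entrypoint (dry_run only builds the request)."""
    url = f"{API}/zones/{zone_id}/rulesets/phases/{PHASE}/entrypoint"
    body = json.dumps(build_entrypoint_payload(rules)).encode()
    request = urllib.request.Request(
        url,
        data=body,
        method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    if dry_run:
        return {"method": "PUT", "url": url, "body": json.loads(body)}
    with urllib.request.urlopen(request) as response:  # network call, needs a real zone and token
        return json.load(response)


if __name__ == "__main__":
    # Illustrative environment variable names; use whatever secrets handling you already have.
    zone = os.environ.get("CF_ZONE_ID", "<zone-id>")
    token = os.environ.get("CF_API_TOKEN", "<api-token>")
    print(json.dumps(deploy(zone, token, dry_run=True), indent=2))
```

Run it as-is to print the request it would send; pass `dry_run=False` with a real zone ID and token to apply it. Because the entrypoint PUT replaces every custom rule in the zone, fetch the current entrypoint first if other rules already exist and merge them into `RULES` rather than overwriting them.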
# **Custom Rules Configuration (Basic to Advanced)**

Below are **three essential WAF rules**, each explained in three formats: **Table Format, Copyable Code Format, and Detailed Explanation**.
---
## **1. CAPTCHA SKIP Rule (Allowing Search Engine Bots)**
### **Table Format**
| **Field** | **Operator** | **Value** |
|--------------|------------|----------------------|
| User Agent | contains | facebookexternalhit |
| OR | contains | TwitterBot |
| OR | contains | LinkedInBot |
| OR | contains | Googlebot |
| OR | contains | Bingbot |
| **Action** | **Skip** | |
| **Placement**| **First** | |

### **Copyable Code Format**
```
Rule Name: CAPTCHA SKIP
Field: User Agent
Operator: contains
Value: facebookexternalhit
OR
Field: User Agent
Operator: contains
Value: TwitterBot
OR
Field: User Agent
Operator: contains
Value: LinkedInBot
OR
Field: User Agent
Operator: contains
Value: Googlebot
OR
Field: User Agent
Operator: contains
Value: Bingbot
Action: Skip
Placement: First
```

### **Detailed Explanation**
- **Purpose**: This rule lets search-engine and social-preview crawlers reach the site **without being stopped by the country and CAPTCHA rules that follow**; link previews on Facebook, Twitter/X and LinkedIn only work if `facebookexternalhit`, `TwitterBot` and `LinkedInBot` can fetch the page.
- **Field**: `User Agent` is the client-supplied `User-Agent` header, so it only tells you what the visitor *claims* to be.
- **Operator**: `contains` matches when the crawler's name appears anywhere in that header.
- **Values**: Well-known crawler names such as `Googlebot` and `Bingbot`.
- **Action**: `Skip` stops evaluation of the remaining custom rules for the matching request, so COUNTRY BLOCK and CAPTCHA ON never see it.
- **Placement**: This rule must be **first**; placed later, the block and challenge rules would fire before the exemption is reached.
- **Caveat**: Anyone can send `User-Agent: Googlebot`, and a request that matches this rule skips every rule placed after it, including the country block. The safer match is Cloudflare's **Known Bots** field (`cf.client.bot` in the expression editor), which Cloudflare sets only for crawlers it has verified itself rather than from anything the client sends; fall back to `User Agent` only for a crawler that is not on Cloudflare's verified list. Also check what the Skip action is configured to skip: "remaining custom rules" is far narrower than skipping managed rules, rate limiting and the other WAF components as well.
## **2. COUNTRY BLOCK Rule (Blocking Specific Countries)**
### **Table Format**
| **Field** | **Operator** | **Value** |
|-----------|------------|-------------------|
| Country | equals | United Kingdom |
| OR | equals | United States |
| **Action**| **Block** | |
| **Placement**| **After CAPTCHA SKIP** | |

### **Copyable Code Format**
```
Rule Name: COUNTRY BLOCK
Field: Country
Operator: equals
Value: United Kingdom
OR
Field: Country
Operator: equals
Value: United States
Action: Block
Placement: After CAPTCHA SKIP
```

### **Detailed Explanation**
- **Purpose**: Blocks all traffic from the listed countries to **cut off fraud or unwanted access** originating there.
- **Field**: `Country` is Cloudflare's GeoIP lookup of the client IP address (`ip.src.country` in the expression editor, an ISO 3166-1 alpha-2 code such as `GB`).
- **Operator**: `equals` matches exactly one country per condition; the conditions are combined with OR.
- **Values**: `United Kingdom`, `United States` are only examples; list the countries you actually want to block.
- **Action**: `Block` returns Cloudflare's block page (HTTP 403) and the origin never sees the request.
- **Placement**: Must be **after the CAPTCHA SKIP rule**, otherwise verified crawlers that happen to sit in a blocked country are blocked too. Geolocation follows the client IP, so a VPN or proxy exit in another country sidesteps this rule; treat it as a nuisance filter, not a security boundary.
## **3. CAPTCHA ON Rule (Adding Verification for Suspicious Traffic)**
### **Table Format**
| **Field** | **Operator** | **Value** |
|-----------|------------|-------------------|
| Hostname | wildcard | mail.kamrul.us |
| OR | wildcard | kamrul.us/SOFT |
| OR | wildcard | kamrul.us |
| **Action**| **Managed Challenge** | |
| **Placement**| **After COUNTRY BLOCK** | |

### **Copyable Code Format**
```
Rule Name: CAPTCHA ON
Field: Hostname
Operator: wildcard
Value: mail.kamrul.us
OR
Field: Hostname
Operator: wildcard
Value: kamrul.us/SOFT
OR
Field: Hostname
Operator: wildcard
Value: kamrul.us
Action: Managed Challenge
Placement: After COUNTRY BLOCK
```

### **Detailed Explanation**
- **Purpose**: Protects sensitive areas by making visitors pass a challenge before the origin serves them.
- **Field**: `Hostname` is the `Host` header (`http.host`) and carries **no path**. `mail.kamrul.us` and `kamrul.us` are valid hostname values, but `kamrul.us/SOFT` is not and will never match anything: a section of the site such as `/SOFT` has to be expressed as `Hostname equals kamrul.us` AND `URI Path starts with /SOFT` (`http.request.uri.path` in the expression editor).
- **Operator**: `wildcard` treats the value as a pattern in which `*` stands for any run of characters; a value without `*`, such as `kamrul.us`, matches only that exact hostname, and covering subdomains needs `*.kamrul.us`.
- **Values**: The bare `kamrul.us` condition challenges every request to the main site, not just sensitive pages; drop it if only the mail host and the `/SOFT` section are meant to be challenged.
- **Action**: `Managed Challenge` lets Cloudflare choose the challenge type; most browsers pass it without any interaction, but API clients and crawlers that the CAPTCHA SKIP rule does not exempt cannot pass it at all, so keep that skip rule current.
- **Placement**: Runs **after the COUNTRY BLOCK rule**, so requests from blocked countries are rejected outright instead of being offered a challenge.

---
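Why placement and the choice of match field in rule 1 matter for rules 2 and 3, as an added example rather than anything from the original guide or from Cloudflare: a small Python model of first-match evaluation over the three rules, run on constructed requests (not captured traffic). The field names in the comments are the real Cloudflare expression fields; the evaluator itself, the sample requests and the narrowing of rule 3 to the mail host plus the `/SOFT` section are assumptions made for the demonstration. It shows that a matching Skip ends the chain, and that matching the Skip on the User-Agent header lets a spoofed `Googlebot` request from a blocked country through both the country block and the challenge, while matching on the verified-bot flag does not.

```python
"""Model the evaluation order of the guide's three custom rules.

Added example, not Cloudflare code: a small first-match evaluator over
constructed requests. It exists to show two things the rule tables do not:
that a matching Skip ends evaluation of everything placed after it, and that
matching the Skip on the User-Agent header lets a spoofed request bypass
both the country block and the challenge.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    host: str           # Host header (http.host); never contains a path
    path: str           # http.request.uri.path
    country: str        # ip.src.country, Cloudflare's GeoIP lookup of the client IP
    user_agent: str     # http.user_agent, whatever the client chooses to send
    verified_bot: bool  # cf.client.bot, set by Cloudflare's bot verification, not by the client


BLOCKED_COUNTRIES = {"GB", "US"}
BOT_TOKENS = ("facebookexternalhit", "TwitterBot", "LinkedInBot", "Googlebot", "Bingbot")


def skip_by_user_agent(r: Request) -> bool:
    """Rule 1 as the guide writes it: User Agent contains one of the crawler names."""
    return any(token in r.user_agent for token in BOT_TOKENS)


def skip_by_verified_bot(r: Request) -> bool:
    """Rule 1 hardened: the dashboard's Known Bots field (cf.client.bot)."""
    return r.verified_bot


def country_block(r: Request) -> bool:
    """Rule 2: Country equals one of the listed countries."""
    return r.country in BLOCKED_COUNTRIES


def captcha_on(r: Request) -> bool:
    """Rule 3, scoped to the mail host and the /SOFT section (a hostname cannot carry a path)."""
    return r.host == "mail.kamrul.us" or (r.host == "kamrul.us" and r.path.startswith("/SOFT"))


def evaluate(r: Request, skip_rule) -> tuple:
    """Walk the rules in placement order; the first match decides.

    Skip (configured to skip the remaining custom rules) stops the chain, so
    later rules are never consulted; Block and Managed Challenge terminate too.
    A request matching nothing is allowed through.
    """
    chain = [
        ("CAPTCHA SKIP", skip_rule, "skip"),
        ("COUNTRY BLOCK", country_block, "block"),
        ("CAPTCHA ON", captcha_on, "managed_challenge"),
    ]
    for name, matches, action in chain:
        if matches(r):
            return action, name
    return "allow", None


# Constructed sample traffic, not captured logs.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLES = {
    "real_googlebot":    Request("kamrul.us", "/", "US", GOOGLEBOT_UA, verified_bot=True),
    "spoofed_googlebot": Request("kamrul.us", "/SOFT/admin", "GB", GOOGLEBOT_UA, verified_bot=False),
    "visitor_de_soft":   Request("kamrul.us", "/SOFT/", "DE", "Mozilla/5.0 Firefox/128.0", verified_bot=False),
    "visitor_gb_blog":   Request("kamrul.us", "/blog", "GB", "Mozilla/5.0 Chrome/126.0", verified_bot=False),
}


def compare() -> dict:
    """Outcome per sample as (user-agent skip, verified-bot skip)."""
    return {
        name: (evaluate(r, skip_by_user_agent)[0], evaluate(r, skip_by_verified_bot)[0])
        for name, r in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (by_ua, by_verified) in compare().items():
        print(f"{name:18} user-agent skip: {by_ua:18} verified-bot skip: {by_verified}")
```

The `spoofed_googlebot` sample is the one to look at: with the User-Agent match it is skipped straight through to `/SOFT/admin` from a blocked country, with the verified-bot match it is blocked by rule 2. Swapping the first two entries of `chain` would show the other failure the guide's placement note guards against: a genuine crawler located in a blocked country gets blocked before the exemption runs.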
## **Final Verification & Troubleshooting**
### **How to Check if Rules Are Working**
1. **Test the site from different locations** (use a VPN exit in a blocked country to test the COUNTRY BLOCK rule; you should get Cloudflare's block page with HTTP 403).
2. **Use browser developer tools** (F12 > Network, then inspect the response headers). A challenged response carries the header `cf-mitigated: challenge`, which is the reliable way to tell a challenge page apart from your own content.
3. **Check the Cloudflare security events log** (**Security > Events**), where every request a custom rule matched is listed with the rule name and the action taken; filter by rule to confirm that placement is doing what you expect.
4. **Test the skip rule from the attacker's side**: a request with a spoofed crawler header from an ordinary IP (`curl -A "Googlebot" https://kamrul.us/SOFT/`) should still be challenged or blocked; if it sails through, the CAPTCHA SKIP rule is matching on the User-Agent header rather than on Known Bots.

---




## **License & Contact**
This guide is open source under the MIT License.
For further support, contact the **kamrul.us admin** or visit [Cloudflare Support](https://support.cloudflare.com/).