Cloudflare security rules

Total Time Required

15 minutes

Difficulty

Easy

Required Knowledge

Crowdsec, Cloudflare

Prerequisites

Crowdsec account
You have subscribed to atleast 1 block list
Your Crowdsec enrollment key

I recommend setting up a unique stack per domain you manage. This reduces the impact if the API key is leaked.

This stack monitors...

Crowdsec blocklists

... And changes

Cloudflare security rules

Cloudflare

Generate your API key, get your details and create your security rules

Get your Account ID

Browse to https://dash.cloudflare.com/
Next to your name, click on the 3 dots and select Copy Account ID
Save to your notepad, CF_ACCOUNTID=

Get your Zone ID

Browse to https://dash.cloudflare.com/?to=/:account/home/domains
Click manage next to your domain
Scroll down and locate "API" on the right
Save your Zone ID to your notepad, CF_ZONE_ID=

Generate an API key

Navigate here https://dash.cloudflare.com/profile/api-tokens
Click on Create token > custom token
1. Give your token a name and fill out the below permissions
  Account
  Account Filter Lists
  Edit
  Account
  Firewall Access Rules
  Edit
  Zone
  Zone
  Read
  Zone
  Firewall Services
  Edit
2. Account resources
  Field
  Data
  Include
  All Accounts
3. Zone resources
  Include
  Specific Zone
  Your Domain
4. Click on continue to summary
Save your API key to your notepad, CF_APITOKEN=

Set your Security rules

Configure some security rules to reduce the risk of malicious actors accessing your domain

Navigate to https://dash.cloudflare.com/
Select your domain
On the left, click expand Security and select rules
Click on create rule > custom rule
1. Next to Expression Preview, click on 'edit expression' to get the free text field
Create a rule for each of the below

Block bots

This policy will show a Captcha challenge to any IPs suspected of botting

Field

Data

Rule Name

Block Bots

Expression

(cf.client.bot)

Choose action

Managed Challenge

Place at

First

Challenge Threat Score

These IPs are potentially malicious. These addresses will be prompted for Captcha

Field

Data

Rule Name

Challenge Threat Score

Expression

(cf.threat_score gt 10)

Choose action

Managed Challenge

Place at

Custom - after 'Block Bots'

Block Threat Score

These IPs are very likely to be malicious. These addresses will be blocked

Field

Data

Rule Name

Challenge Threat Score

Expression

(cf.threat_score gt 50)

Choose action

Block

Place at

Custom - after 'Challenge Threat Score'

An additional rule will be created by the Crowdsec CF Bouncer container after the Compose file is ran

Docker Compose

Fill out the below env using your notes

# --- CrowdSec Engine Settings ---
CROWDSEC_ENROLL_KEY=

# --- Cloudflare Credentials ---
CF_APITOKEN=
CF_ACCOUNTID=
CF_ZONE_ID=

https://github.com/trentnbauer/HomelabPublic/blob/main/docker-compose/crowdsec-cloudflare.yml

services:
  engine:
    image: crowdsecurity/crowdsec:v1.7.8@sha256:2f527c9bb8b367120eb08b82890aa912ce96bfa1ada93dda0721700e4b4e0dde
    labels:
      - AH.CS.Cloudflare=true
    deploy:
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s
    restart: unless-stopped
    depends_on:
      init:
        condition: service_completed_successfully
    environment:
      - COLLECTIONS=crowdsecurity/linux crowdsecurity/whitelist-good-actors
      - BOUNCER_KEY_CLOUDFLARE=${BOUNCER_KEY:-Heroics9HeadrestQuenchHullPatriot}
      - ENROLL_INSTANCE_NAME=Cloudflare
      - DISABLE_LOCAL_API=false
      - DISABLE_ONLINE_API=false
      - ENROLL_KEY=${CROWDSEC_ENROLL_KEY}
    volumes:
      - data:/var/lib/crowdsec/data
      - config:/etc/crowdsec
      - bouncer:/etc/bouncer-shared
      - /var/log/auth.log://var/log/auth.log:ro
    healthcheck:  
      test: ["CMD", "cscli", "version"]
      interval: 30s
      timeout: 10s
      retries: 5
    labels:
      - PelicanAutoheal=true
    networks:
      Management:
        aliases:
          - crowdsec

  bouncer:
    image: ghcr.io/crowdsecurity/cloudflare-bouncer:v0.3.0@sha256:39719a070c154866ebc81335e70fdfa1c61eac45025fee7d9bbf8da689fbb2c6
    labels:
      - AH.CS.Cloudflare=true
    deploy:
      restart_policy:
        condition: on-failure
        delay: 30s
        max_attempts: 6
        window: 60s
    restart: unless-stopped
    depends_on:
      engine:
        condition: service_healthy
    environment:
      - API_URL=http://crowdsec:8080
      - API_KEY=${BOUNCER_KEY:-Heroics9HeadrestQuenchHullPatriot}
      - CF_APITOKEN=${CF_APITOKEN}
      - CF_ACCOUNTID=${CF_ACCOUNTID}
      - CF_ZONE_ID=${CF_ZONE_ID}
    volumes:
      - bouncer:/etc/crowdsec/bouncers/:rw
      - /etc/localtime:/etc/localtime:ro
    networks:
      Management:
        aliases:
          - bouncer

  init:
    image: alpine:latest
    volumes:
      - config:/etc/crowdsec
      - bouncer:/etc/crowdsec/bouncers
    command: >
      sh -c "apk add --no-cache wget ca-certificates &&
             mkdir -p /etc/crowdsec/acquisitions.d /etc/crowdsec/bouncers &&
             wget -qO /etc/crowdsec/bouncers/crowdsec-cloudflare-bouncer.yaml https://raw.githubusercontent.com/trentnbauer/HomelabPublic/main/crowdsec/crowdsec-cloudflare-bouncer.yaml &&
             wget -qO /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml https://raw.githubusercontent.com/trentnbauer/HomelabPublic/main/crowdsec/crowdsec-firewall-bouncer.yaml"

  autoheal:
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
        delay: 30s
        max_attempts: 5
        window: 120s
    environment:
      AUTOHEAL_CONTAINER_LABEL: AH.CS.Cloudflare
      AUTOHEAL_INTERVAL: 60
      AUTOHEAL_START_PERIOD: 240
      AUTOHEAL_DEFAULT_STOP_TIMEOUT: 60
      WEBHOOK_URL: ${AUTOHEAL_WEBHOOK:-}
    image: willfarrell/autoheal@sha256:16c4c3d8c9bdfa5e842f18863556d2a5c685d33cea62a6da9dfbc6ea941df77c
    restart: always
    network_mode: none
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock

networks:
    crowdsec:

volumes:
  config:
  bouncer:
  data:

PreviousProxmox NextPortainer

Last updated 4 months ago