search

Cloudflare security rules

Total Time Required

15 minutes

Difficulty

Easy

Required Knowledge

Crowdsec, Cloudflare

Drawing

hashtag
Prerequisites

circle-exclamation

I recommend setting up a unique stack per domain you manage. This reduces the impact if the API key is leaked.

hashtag
This stack monitors...

  • Crowdsec blocklists

hashtag
... And changes

  • Cloudflare security rules

hashtag
Cloudflare

Generate your API key, get your details and create your security rules

hashtag
Get your Account ID

  1. Browse to https://dash.cloudflare.com/arrow-up-right

  2. Next to your name, click on the 3 dots and select Copy Account ID

  3. Save to your notepad, CF_ACCOUNTID=

hashtag
Get your Zone ID

  1. Browse to https://dash.cloudflare.com/?to=/:account/home/domainsarrow-up-right

  2. Click manage next to your domain

  3. Scroll down and locate "API" on the right

  4. Save your Zone ID to your notepad, CF_ZONE_ID=

hashtag
Generate an API key

  1. Navigate here https://dash.cloudflare.com/profile/api-tokensarrow-up-right

  2. Click on Create token > custom token

    1. Give your token a name and fill out the below permissions

      Account

      Account Filter Lists

      Edit

      Account

      Firewall Access Rules

      Edit

      Zone

      Zone

      Read

      Zone

      Firewall Services

      Edit

    2. Account resources

      Field
      Data

      Include

      All Accounts

    3. Zone resources

      Include

      Specific Zone

      Your Domain

    4. Click on continue to summary

  3. Save your API key to your notepad, CF_APITOKEN=

hashtag
Set your Security rules

Configure some security rules to reduce the risk of malicious actors accessing your domain

  1. Navigate to https://dash.cloudflare.com/arrow-up-right

  2. Select your domain

  3. On the left, click expand Security and select rules

  4. Click on create rule > custom rule

    1. Next to Expression Preview, click on 'edit expression' to get the free text field

  5. Create a rule for each of the below

hashtag
Block bots

This policy will show a Captcha challenge to any IPs suspected of botting

Field
Data

Rule Name

Block Bots

Expression

(cf.client.bot)

Choose action

Managed Challenge

Place at

First

hashtag
Challenge Threat Score

These IPs are potentially malicious. These addresses will be prompted for Captcha

Field
Data

Rule Name

Challenge Threat Score

Expression

(cf.threat_score gt 10)

Choose action

Managed Challenge

Place at

Custom - after 'Block Bots'

hashtag
Block Threat Score

These IPs are very likely to be malicious. These addresses will be blocked

Field
Data

Rule Name

Challenge Threat Score

Expression

(cf.threat_score gt 50)

Choose action

Block

Place at

Custom - after 'Challenge Threat Score'

circle-info

An additional rule will be created by the Crowdsec CF Bouncer container after the Compose file is ran

hashtag
Docker Compose

Fill out the below env using your notes

https://github.com/trentnbauer/HomelabPublic/blob/main/docker-compose/crowdsec-cloudflare.yml
PreviousProxmoxNextProxmox

Last updated