Cloudflare Configuration and Security Options

Introduction

Cloudflare is a Content Delivery Network (CDN) that improves a website's load speed and security by acting as a proxy between the website and its visitors. The service, which only requires a change to DNS, stores your website's static resources across its numerous data centers and delivers the cached static content to your site visitors from the nearest servers. In a nutshell, Cloudflare dynamically optimizes the delivery of your website content across the internet.

How to add a site to Cloudflare?

Contact Znode support (https://support.znode.com/support/home) or your account management team to enable Cloudflare for your account. Check your license agreement to confirm if you have Cloudflare options approved.

The steps below describe the configuration that the Znode support team will apply to your Cloudflare instance.


Set up SSL/TLS

To prevent insecure connections and visitor browser errors, enable SSL/TLS protection. See Cloudflare's SSL/TLS setup documentation to choose the appropriate SSL mode. Set the minimum TLS version to TLS 1.2 as shown in the screenshot below. Steps to enable TLS 1.3 in the dashboard:

  1. Log in to your Cloudflare account and go to the specific domain.
  2. Navigate to SSL/TLS > Edge Certificates.
  3. For TLS 1.2, switch the toggle to On.

Set up Standard Cloudflare Rules

Cloudflare services are used to improve the security and performance of web apps and services. When configured correctly, they provide the following:

  1. Much better filtering and matching capabilities, allowing flexible deployment and easier exception handling
  2. Fewer false positives and more powerful generic application rules
  3. More control over the sensitivity score
  4. Identification of the attack vector (e.g. XSS, SQLi, RCE)
  5. Identification of rules that are CVE-specific
  6. Powerful WAF configuration with the OWASP ModSecurity Core Rule Set


Managed Rules

Turn on the Web Application Firewall (WAF).


Cloudflare Managed Ruleset

Ensure the rulesets are set as follows. Each entry lists the group, the ruleset, the mode to set, and the ruleset's description:

  • Cloudflare / Drupal (Mode: Off): This ruleset should only be enabled if the Drupal CMS is used for this domain. It contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP ruleset.
  • Cloudflare / Flash (Mode: On): This ruleset should only be enabled if Adobe Flash content is used for this domain. It contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP ruleset.
  • Cloudflare / Joomla (Mode: Off): This ruleset should only be enabled if the Joomla CMS is used for this domain. It contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP ruleset.
  • Cloudflare / Magento (Mode: Off): This ruleset should only be enabled if the Magento CMS is used for this domain. It contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP ruleset.
  • Cloudflare / Miscellaneous (Mode: On): Cloudflare Miscellaneous contains rules to deal with known malicious traffic or to patch flaws in specific web applications.
  • Cloudflare / PHP (Mode: Off): This ruleset should only be enabled if PHP is used for this domain. It contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP ruleset.
  • Cloudflare / Plone (Mode: Off): This ruleset should only be enabled if the Plone CMS is used for this domain. It contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP ruleset.
  • Cloudflare / Specials (Mode: On): Cloudflare Specials contains a number of rules created to deal with specific attack types.
  • Cloudflare / WHMCS (Mode: Off): This ruleset should only be enabled if WHMCS is used for this domain. It contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP ruleset.
  • Cloudflare / WordPress (Mode: Off): This ruleset should only be enabled if the WordPress CMS is used for this domain. It contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP ruleset.


Cloudflare Specials

To prevent Cloudflare from blocking SEO bots, change the mode of the following rules from Default to Disable:

  1. 100201: Anomaly:Header: User-Agent - Fake Google Bot
  2. 100202: Anomaly:Header: User-Agent - Fake Bing or MSN Bot
  3. 100203: Anomaly:Header: User-Agent - Fake Yandex Bot


OWASP ModSecurity Core Rule Set

The OWASP Core Rule Set (2013) provides protection against common attack categories, including SQL injection and cross-site scripting.

Firewall Rules Setup

Firewall Rules examine the control information in individual packets and either block or allow that traffic based on the rules defined on this page.

Bad Bots

Bad bots can steal data, break into user accounts, submit junk data through online forms, and perform other malicious activities. Types of bad bots include credential stuffing bots, content scraping bots, spam bots, and click fraud bots.

A custom rule is needed to detect and block bad bots crawling the application.

Create Firewall Rule

  • Rule Name: Bad Bots
  • Click Edit Expression and paste the following text:
  • Choose action Block
  • Save

Threat Score Block Rule

Cloudflare's threat score is defined as follows:

  • 0 to 9 - Low Risk
  • 10 to 40 - Bots and Spammers
  • 40 to 100 - Bad Actors or Rogue Bots

Create Firewall Rule

  • Rule Name: Threat Score Block Rule
  • Click Edit Expression and paste the following text:
  • Choose action Block
  • Save

Threat Score Challenge Rule

Create Firewall Rule

  • Rule Name: Threat Score Challenge Rule
  • Click Edit Expression and paste the following text:
  • Choose action Block
  • Save

Rate Limiter

The task of a rate limiter is to limit the number of requests to or from a system. Rate limiting is used most often to limit the number of incoming requests from the user in order to prevent DoS attacks.

DDoS Protection Rule for Full Domain

Configure the rule as shown in the screenshot below:

  • If incoming requests match: Hostname ends with yourdomain.com
  • Then choose action: Legacy captcha (this is a standard action)
  • When the rate exceeds: 150 requests per 10 second period
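As an added example (not Znode's or Cloudflare's own code), the following Python script simulates the Threat Score Block and Challenge rules above together with the 150-requests-per-10-seconds rate limit, run over constructed log lines. It assumes the challenge band starts at score 10 and the block band at 40 (the bands above overlap at 40), that the rate limit counts per client IP, and that the threat-score rules are evaluated before the rate limit.

```python
from collections import defaultdict, deque

RATE_LIMIT, RATE_PERIOD = 150, 10.0   # "Requests 150 for Period 10 Seconds" (from the rule)
CHALLENGE_FROM, BLOCK_FROM = 10, 40   # assumption: band boundaries; a score of 40 is blocked
PROTECTED_SUFFIX = "yourdomain.com"   # "Hostname ends with yourdomain.com"


def threat_action(score: int) -> str:
    """Map a Cloudflare threat score (0-100) to the action of the two threat-score rules."""
    if not 0 <= score <= 100:
        raise ValueError("threat score must be 0..100")
    if score >= BLOCK_FROM:
        return "block"        # Threat Score Block Rule
    if score >= CHALLENGE_FROM:
        return "challenge"    # Threat Score Challenge Rule
    return "allow"


class RateLimiter:
    """Sliding-window request counter, keyed per client IP (assumed counting key)."""
    def __init__(self, limit=RATE_LIMIT, period=RATE_PERIOD):
        self.limit, self.period = limit, period
        self.windows = defaultdict(deque)

    def check(self, ip: str, host: str, ts: float) -> str:
        if not host.endswith(PROTECTED_SUFFIX):
            return "allow"            # the rule does not match this hostname
        q = self.windows[ip]
        while q and ts - q[0] >= self.period:
            q.popleft()               # forget requests older than the period
        q.append(ts)
        return "captcha" if len(q) > self.limit else "allow"


def evaluate(log_lines):
    """Apply the threat-score rules, then the rate limit, to 'ts ip host score' lines."""
    rl, actions = RateLimiter(), []
    for line in log_lines:
        ts, ip, host, score = line.split()
        action = threat_action(int(score))
        if action == "allow":         # only requests the firewall lets through are counted
            action = rl.check(ip, host, float(ts))
        actions.append(action)
    return actions


# Constructed sample log: 151 low-score requests from one IP within 10 s, then a
# high-score request, then a request for a host the rate-limit rule does not cover.
SAMPLE = [f"{i * 0.05:.2f} 203.0.113.5 shop.yourdomain.com 3" for i in range(151)]
SAMPLE += ["9.00 198.51.100.7 shop.yourdomain.com 55", "9.10 198.51.100.8 other.example 3"]
```

Running `evaluate(SAMPLE)` returns "allow" for the first 150 requests from 203.0.113.5, "captcha" for the 151st, "block" for the score-55 request and "allow" for the host the rule does not cover.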

