TABLE OF CONTENTS
Introduction
Cloudflare is a Content Delivery Network (CDN) that improves a website’s load speeds and security by acting as a proxy between the website and its visitors. The service, which only requires a change to DNS, stores your website's static resources across its numerous data centers and delivers the cached static content to your site visitors from the nearest servers. In a nutshell, Cloudflare dynamically optimizes your website content across the internet
How to add a site to Cloudflare?
Contact Znode support (https://support.znode.com/support/home) or your account management team to enable Cloudflare for your account. Check your license agreement to confirm if you have Cloudflare options approved.
The below steps are narratives of configurations that the Znode support team will configure on your Cloudflare instance.
Set up SSL/ TLS
To prevent insecure connections and visitor browser errors, enable SSL/TLS protection. Choose this link to set up the appropriate SSL. Set up the minimum TLS Version to TLS 1.2 as shown in Below Screenshot. Steps to enable TLS 1.3 in the dashboard:
- Log in to your Cloudflare account and go to a specific domain
- Navigate to SSL/TLS > Edge Certificates.
- For TLS 1.2, switch the toggle to On.
Setup Standard Cloudflare Rule
Cloudflare services are used to improve the security and performance of web apps and services. If configured accurately, we can achieve the following:
- Exposure of much better filtering and matching capabilities to allow for flexibility of deployment and easier exception handling
- Fewer false positives and more powerful application generic rules
- More control over the sensitivity score
- Identify the attack vector (e.g. XSS, SQLi, RCE)
- Identify rules that are CVE-specific
- Powerful WAF configuration with OWASP ModSecurity Core Ruleset.
Managed Rules
Turn ON the Web Application Firewall (WAF)
Cloudflare Managed Ruleset
Ensure the below ruleset is followed:
Group | Description | Mode |
Cloudflare Drupal | This ruleset should only be enabled if the Drupal CMS is used for this domain. It contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP ruleset. | Off |
Cloudflare Flash | This ruleset should only be enabled if Adobe Flash content is used for this domain. It contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP ruleset. | On |
Cloudflare Joomla | This ruleset should only be enabled if the Joomla CMS is used for this domain. It contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP ruleset. | Off |
Cloudflare Magneto | This ruleset should only be enabled if the Magento CMS is used for this domain. It contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP ruleset. | Off |
Cloudflare Miscellaneous | Cloudflare Miscellaneous contains rules to deal with known malicious traffic or patch flaws in specific web applications. | On |
Cloudflare Php, | This ruleset should only be enabled if PHP is used for this domain. It contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP ruleset. | Off |
Cloudflare Plone, | This ruleset should only be enabled if the Plone CMS is used for this domain. It contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP ruleset. | Off |
Cloudflare Specials | Cloudflare Specials contain a number of rules that have been created to deal with specific attack types. | On |
Cloudflare Whmcs | This ruleset should only be enabled if WHMCS is used for this domain. It contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP ruleset. | Off |
Cloudflare WordPress, | This ruleset should only be enabled if the WordPress CMS is used for this domain. It contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP ruleset. | Off |
Cloudflare Specials
To prevent Cloudflare from blocking SEO bots, modify the following rules from Default to Disable
- 100201: Anomaly:Header: User-Agent - Fake Google Bot
- 100202: Anomaly:Header: User-Agent - Fake Bing or MSN Bot
- 100203: Anomaly:Header: User-Agent - Fake Yandex Bot
OWASP ModSecurity Core Rule Set
OWASP Core Ruleset (2013) provides protection against common attack categories, including SQL Injection and Cross-Site Scripting.
Firewall Rules Setup
Firewall Rules examine the control information in individual packets. The Rules either block or allow those packets based on rules that are defined on these pages.
Bad Bots
Bad bots can steal data, break into user accounts, submit junk data through online forms, and perform other malicious activities. Types of bad bots include credential stuffing bots, content scraping bots, spam bots, and click fraud bots.
It is necessary to have a custom rule to detect and block bad bots from crawling our application.
Create Firewall Rule
Rule Name: Bad Bots
Click Edit Expression and paste the following text
Choose action Block
- Save
Thread score Block Rule
Threat Score from Cloudflare is defined as follows:
- 0 to 9 - Low Risk
- 10 to 40 - Bots and Spammers
- 40 to 100 - Bad Actors or Rogue Bots
Create Firewall Rule
- Rule Name: Threat Score Block Rule
- Click Edit Expression and paste the following text:
- Choose action Block
- Save
Thread score Challenge Rule
- Create Firewall Rule
- Rule Name: Threat Score Challenge Rule
- Click Edit Expression and paste the following text:
- Choose action Block
- Save
Rate Limiter
The task of a rate limiter is to limit the number of requests to or from a system. Rate limiting is used most often to limit the number of incoming requests from the user in order to prevent DoS attacks.
DDOS Protection Rule for Full Domain
Configure the rule as per the below screenshot:
If incoming requests match the Hostname ends with yourdomain.com
Then choose action Legacy captcha (this is a standard action) When the rate exceeds Requests 150 for Period 10 Seconds
