出于安全原因,我想在.htaccess中限制所有无法通过CloudFlare来的流量。我已经有脚本可以阻止所有非Cloudflare IP,但是在某些托管中,它就不起作用。我想检查请求标头是否包含标头CF射线,无论价值如何,如果没有,则返回403错误。谢谢您的任何建议!
如果出于安全原因使用标头是危险的。从另一个来源向您发送此标头是毫不费力的。
最好将IP限制到Cloudflare的请求https://www.cloudflare.com/ips/
如果是apache,则可以在.htaccess
中添加类似的东西deny from all
allow from ... (one row for every range in above url)
是的
#apache_2.4_cloudflare_bypass_protection_htaccess
#Place in top of .htaccess in document root that needs protected
#
## References
#https://docs.sucuri.net/website-firewall/configuration/prevent-sucuri-firewall-bypass/
#https://docs.sucuri.net/website-firewall/troubleshooting/bypassing-firewall-for-testing/
#https://community.cloudflare.com/t/prevent-users-bypassing-cloudflare-to-access-my-site/4606
#https://blog.christophetd.fr/bypassing-cloudflare-using-internet-wide-scan-data/
#https://www.cloudflare.com/ips/
#https://support.cloudflare.com/hc/en-us/articles/204899617
# BEGIN Cloudflare Firewall Bypass Prevention
#Apache 2.4 Server
<FilesMatch ".*">
Require ip 173.245.48.0/20
Require ip 103.21.244.0/22
Require ip 103.22.200.0/22
Require ip 103.31.4.0/22
Require ip 141.101.64.0/18
Require ip 108.162.192.0/18
Require ip 190.93.240.0/20
Require ip 188.114.96.0/20
Require ip 197.234.240.0/22
Require ip 198.41.128.0/17
Require ip 162.158.0.0/15
Require ip 104.16.0.0/12
Require ip 172.64.0.0/13
Require ip 131.0.72.0/22
Require ip 2400:cb00::/32
Require ip 2606:4700::/32
Require ip 2803:f800::/32
Require ip 2405:b500::/32
Require ip 2405:8100::/32
Require ip 2a06:98c0::/29
Require ip 2c0f:f248::/32
# Allow from INSERT YOUR IP HERE
</FilesMatch>
# END Cloudflare Firewall Bypass Prevention
全部免责声明:我有一个git repo,其中包含sucuri/cloudflare的预制库,用于Openlitespeed/litespeed/apache。https://gitlab.com/mikeramsey/apache-htaccess-rules/-/tree/master/
尝试:
RewriteCond %{HTTP:CF-RAY} ^$
RewriteRule ^ - [F,L]