[英]My Cloudflare firewall rule are blocking request from Github. I need bypass a custom URL
I have a Cloudflare Firewall Rule that Blocks ASN from different companies (Amazon, Microsoft etc) to prevent attacks from VPS.我有一个 Cloudflare 防火墙规则,可以阻止来自不同公司(亚马逊、微软等)的 ASN,以防止来自 VPS 的攻击。
(ip.geoip.asnum eq 14618) or (ip.geoip.asnum eq 8075) or (ip.geoip.asnum eq 16276) or (ip.geoip.asnum eq 16509) or (ip.geoip.asnum eq 14061) or (ip.geoip.asnum eq 62567) or (ip.geoip.asnum eq 51167) or (ip.geoip.asnum eq 56617) or (ip.geoip.asnum eq 6188) or (ip.geoip.asnum eq 40819)
The problem is that when I run an Actions on my Github repository, Cloudflare is denying it access to my API URL (Due to the rule I already said, since Github uses Microsoft services). The problem is that when I run an Actions on my Github repository, Cloudflare is denying it access to my API URL (Due to the rule I already said, since Github uses Microsoft services). And I need to get a HTTP 200 code in response from my API URL, but since it is blocking the request, I only get a HTTP 403 code.
And I need to get a HTTP 200 code in response from my API URL, but since it is blocking the request, I only get a HTTP 403 code. (Which cloudflare shows as access denied, error 1020)
(其中 cloudflare 显示为拒绝访问,错误 1020)
I tried to create another Firewall rule to bypass specific URLs of my site, example: https://example.com?api=secretID我尝试创建另一个防火墙规则来绕过我网站的特定 URL,例如: https://example.com?api=secretID
(http.request.full_uri eq "https://example.com?api=secretID1" and http.request.full_uri eq "https://example.com?api=secretID2" and http.request.full_uri eq "https://example.com?api=secretID3" and http.request.full_uri eq "https://example.com?api=secretID4")
But it doesn't work and the requests are still blocked by the first rule, what can I do?但是它不起作用,并且请求仍然被第一条规则阻止,我该怎么办?
I don't want to disable the main rule because it puts my site at risk.我不想禁用主要规则,因为它会使我的网站处于危险之中。
As you can see I have more than 900 attacks per day.如您所见,我每天有超过 900 次攻击。
My github action makes 3 GET request per link.我的 github 操作为每个链接发出 3 个 GET 请求。 And I have 4 Links (1 main domain and other 3 subdomains registered as CNAME:
我有 4 个链接(1 个主域和其他 3 个注册为 CNAME 的子域:
https://example.com/en.php?datazo=secretID
https://sub1.example.com/en.php?datazo=secretID1
https://sub2.example.com/en.php?datazo=secretID2
https://sub3.example.com/en.php?datazo=secretID3
And this is the log from Cloudflare:这是来自 Cloudflare 的日志:
Inside log: (I used the https://example.com/en.php?datazo=secretID
example)内部日志:(我使用了
https://example.com/en.php?datazo=secretID
示例)
RULE "BYPASSING":规则“绕过”:
Your rule says你的规则说
(http.request.full_uri eq "https://example.com?api=secretID1" and http.request.full_uri eq "https://example.com?api=secretID2" and http.request.full_uri eq "https://example.com?api=secretID3" and http.request.full_uri eq "https://example.com?api=secretID4")
This would never be true as your URL can never be equal to more than 1 value at any given time.这永远不会是真的,因为您的 URL 在任何给定时间都不能等于超过 1 个值。 Maybe change the
and
to or
也许将
and
更改为or
or instead of eq
use contains
or even better http.request.uri.query eq
or http.request.uri.query contains
或者代替
eq
使用contains
甚至更好http.request.uri.query eq
或http.request.uri.query contains
After a few days and responses from cloudflare support, my solution was this: Change to "Allow" my "bypassing" rule, since requests that match my filter, will not trigger the rest of firewall rules.经过几天和 cloudflare 支持的响应后,我的解决方案是:更改为“允许”我的“绕过”规则,因为与我的过滤器匹配的请求不会触发防火墙规则的 rest。
The problem is that "Bypass" was limited exclusively to block what was seen in the screenshot.问题是“绕过”仅限于阻止屏幕截图中看到的内容。 But it allowed the rest of the rules (including the one blocking ASNs) to be executed.
但它允许执行规则的 rest(包括一个阻止 ASN)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.