Cloudflare Firewall Anti-DDoS Configuration

Others | 2018-11-29 09:21:43 | 2714 views

Cloudflare's DDoS mitigation can significantly reduce the attack traffic a website receives:
a 5-second JavaScript Challenge check blocks abnormal visits.
However, most attacks come from abroad,
so applying the JavaScript Challenge to domestic traffic as well makes little sense,
since it degrades the browsing experience for many legitimate visitors.
Whitelisting a whole country in Cloudflare's IP Firewall used to require an Enterprise plan or above;
Cloudflare now offers this feature to users on every plan.
Simply whitelisting specific countries lets the site resist DDoS while leaving domestic visitors' browsing experience untouched.

Cloudflare official site: https://www.cloudflare.com


First, log in to the Cloudflare dashboard,

open Firewall and set the Security Level to "I'm Under Attack!".


In IP Firewall you can enter an IP address, an IP range, an Autonomous System Number (ASN), or a country code.

Enter the static IP you use at home and the country you are in, and set both to "Whitelist".

For the countries the attacks originate from, besides the default JavaScript Challenge,

you can also configure "CAPTCHA" to raise the verification difficulty, or even "Block" access outright.

This lets Cloudflare intercept the attack effectively without affecting domestic visitors' browsing experience.


For the origin server, the key point is to block access from any IP that is not Cloudflare's; otherwise an attacker who learns the origin IP can bypass Cloudflare entirely.

Cloudflare IP ranges: https://www.cloudflare.com/ips/ (the list changes over time, so refresh it from that page before deploying; the rules below are a 2018 IPv4 snapshot)

On an Apache host, add the following to .htaccess (IPv4 shown; this is Apache 2.2 syntax, which on Apache 2.4 requires mod_access_compat, otherwise use the equivalent Require ip directives):

order deny,allow
deny from all
allow from 103.21.244.0/22
allow from 103.22.200.0/22
allow from 103.31.4.0/22
allow from 104.16.0.0/12
allow from 108.162.192.0/18
allow from 131.0.72.0/22
allow from 141.101.64.0/18
allow from 162.158.0.0/15
allow from 172.64.0.0/13
allow from 173.245.48.0/20
allow from 188.114.96.0/20
allow from 190.93.240.0/20
allow from 197.234.240.0/22
allow from 198.41.128.0/17
allow from 199.27.128.0/21

On an Nginx host:

Nginx ships with a simple module, ngx_http_access_module, that allows or denies access by IP address.
location / {
# allow CloudFlare
allow 103.21.244.0/22;
allow 103.22.200.0/22;
allow 103.31.4.0/22;
allow 104.16.0.0/12;
allow 108.162.192.0/18;
allow 131.0.72.0/22;
allow 141.101.64.0/18;
allow 162.158.0.0/15;
allow 172.64.0.0/13;
allow 173.245.48.0/20;
allow 188.114.96.0/20;
allow 190.93.240.0/20;
allow 197.234.240.0/22;
allow 198.41.128.0/17;
allow 199.27.128.0/21;
# drop rest of the world
deny all;
}

On a VPS, enter the following iptables rules (ACCEPT rules for Cloudflare must come before the final DROP on each port, and the HTTPS block must use --dport https, not a copy of the HTTP rules):

#CloudFlare proxies access restriction
#Allow HTTP(port 80) from CloudFlare
iptables -A INPUT -s 103.21.244.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 103.22.200.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 103.31.4.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 104.16.0.0/12 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 108.162.192.0/18 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 131.0.72.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 141.101.64.0/18 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 162.158.0.0/15 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 172.64.0.0/13 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 173.245.48.0/20 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 188.114.96.0/20 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 190.93.240.0/20 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 197.234.240.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 198.41.128.0/17 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 199.27.128.0/21 -p tcp --dport http -j ACCEPT
#Block HTTP from other sources
iptables -A INPUT -p tcp --dport http -j DROP
#Allow HTTPS(port 443) from CloudFlare
iptables -A INPUT -s 103.21.244.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 103.22.200.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 103.31.4.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 104.16.0.0/12 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 108.162.192.0/18 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 131.0.72.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 141.101.64.0/18 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 162.158.0.0/15 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 172.64.0.0/13 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 173.245.48.0/20 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 188.114.96.0/20 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 190.93.240.0/20 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 197.234.240.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 198.41.128.0/17 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 199.27.128.0/21 -p tcp --dport https -j ACCEPT
#Block HTTPS from other sources
iptables -A INPUT -p tcp --dport https -j DROP

The configuration above reduces the chance of the origin server's IP being DDoSed directly, since only traffic relayed through Cloudflare can reach ports 80 and 443.
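As an added example (not from the original post or from Cloudflare), the script below generates the iptables rules for both ports from a single range list, which avoids the copy-paste mistake of repeating port-80 rules under the HTTPS heading, and checks an access log for requests that reached the origin without passing through Cloudflare. The range list is the page's 2018 IPv4 snapshot and the log lines are constructed samples.

```python
import ipaddress

# Cloudflare IPv4 ranges as listed on the page (2018 snapshot; refresh from
# https://www.cloudflare.com/ips/ before deploying).
CLOUDFLARE_V4 = [
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/12",
    "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18", "162.158.0.0/15",
    "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20", "190.93.240.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "199.27.128.0/21",
]
NETWORKS = [ipaddress.ip_network(c) for c in CLOUDFLARE_V4]


def is_cloudflare(ip):
    """True if ip falls inside one of the listed Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NETWORKS)


def iptables_rules(ports=("http", "https"), ranges=CLOUDFLARE_V4):
    """Emit ACCEPT rules for every range on every port, each followed by
    a single DROP for that port, so both ports get consistent rules."""
    rules = []
    for port in ports:
        for cidr in ranges:
            rules.append(f"iptables -A INPUT -s {cidr} -p tcp --dport {port} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


def direct_hits(log_lines):
    """Return client IPs from combined-format access log lines that did not
    arrive via Cloudflare, i.e. someone reached the origin directly."""
    hits = []
    for line in log_lines:
        ip = line.split(" ", 1)[0]
        if not is_cloudflare(ip):
            hits.append(ip)
    return hits


# Constructed sample log lines (not real traffic); 198.51.100.7 is a
# documentation address standing in for a non-Cloudflare client.
SAMPLE_LOG = [
    '172.68.10.5 - - [29/Nov/2018:09:21:43 +0800] "GET / HTTP/1.1" 200 512',
    '198.51.100.7 - - [29/Nov/2018:09:21:44 +0800] "GET / HTTP/1.1" 200 512',
    '162.158.3.9 - - [29/Nov/2018:09:21:45 +0800] "GET / HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print("\n".join(iptables_rules()))
    print("direct-to-origin sources:", direct_hits(SAMPLE_LOG))
```

Any address reported by direct_hits on a server that should only be reachable through Cloudflare indicates the firewall rules are not in effect or the origin IP has leaked.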