Cloudflare WAF: Notes from Experience
Recently I read an article in which the author explained how their Google Cloud Storage (GCS) bucket incurred significant costs from a flood of requests. It reminded me that my own GCP Load Balancer had no real protection in front of it, and I started to treat this as a concrete risk. To avoid the same situation, I want to share my experience with Cloudflare.
1. Web Application Firewall (WAF) Functionality
First and foremost, Cloudflare's Web Application Firewall (WAF). Even on the Free plan you can configure up to 5 custom rules, which is enough for a small website or service. What caught my attention is the built-in threat score, which rates each visitor IP by its reputation on a scale from 0 (low risk) to 100 (high risk); Cloudflare's documentation describes scores above 10 as possible spammers or bots and scores above 40 as bad actors, so a single rule on this field already keeps out many known-bad addresses.
According to Cloudflare's documentation, the threat score is available as a condition in custom rules (the cf.threat_score field), so you can filter likely attack traffic before it reaches you. This both improves the security of the origin behind Cloudflare and cuts the cost of junk requests from high-risk IPs that would otherwise hit the load balancer and GCS. One caveat: this only holds if the origin accepts traffic from Cloudflare alone. If the load balancer or the bucket is reachable directly, requests bypass the WAF and its rules entirely.
2. Custom Rules and Use Cases
Cloudflare also ships templates for common use cases, so you can pick the rules that fit your needs. I chose a few I consider essential: blocking requests from high-risk IPs, and limiting the request rate to specific endpoints (for example, API endpoints), which is configured as a separate rate limiting rule (the Free plan includes one) rather than one of the 5 custom rules. That gets the most out of Cloudflare's free tier while avoiding additional costs.
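As an added example (not code from the original post), the two rules described above written as Cloudflare rule-language expressions in the payload shape the Rulesets API accepts, together with a small offline simulation of how those rules decide on constructed sample requests, so thresholds and rule order can be checked before they touch real traffic. The thresholds 40 and 10 follow Cloudflare's documented guidance for cf.threat_score; the rate-limit period and mitigation timeout of 10 seconds are assumed Free-plan values; all IPs, paths and scores are constructed.

```python
"""Cloudflare WAF custom rules plus a rate-limit rule for a Cloudflare-fronted GCP origin.

Added example, not code from the original post. Shows (1) rule payloads in the
shape the Cloudflare Rulesets API / dashboard expression editor accepts, using
real rule-language fields (cf.threat_score, http.request.uri.path, starts_with),
and (2) an offline simulation of how the rules decide on sample requests.

Assumptions not stated on the page: thresholds 40 (bad actor) and 10 (possible
bot/spammer) follow Cloudflare's documented cf.threat_score guidance;
period=10 and mitigation_timeout=10 are assumed Free-plan limits; all sample
requests below are constructed.
"""
from dataclasses import dataclass
from typing import Callable

FREE_PLAN_CUSTOM_RULE_LIMIT = 5  # stated in the post

# Actions that stop rule evaluation; a "log" action would not.
TERMINATING_ACTIONS = {"block", "managed_challenge", "js_challenge"}


@dataclass
class CustomRule:
    description: str
    action: str
    expression: str                 # Cloudflare rule-language expression
    when: Callable[[dict], bool]    # same condition, for the offline simulation

    def to_api(self) -> dict:
        """Payload for one rule in the http_request_firewall_custom phase."""
        return {"action": self.action, "expression": self.expression,
                "description": self.description, "enabled": True}


CUSTOM_RULES = [
    CustomRule("Block IPs Cloudflare scores as bad actors", "block",
               "(cf.threat_score gt 40)",
               lambda r: r["threat_score"] > 40),
    CustomRule("Challenge suspicious IPs on API endpoints", "managed_challenge",
               '(starts_with(http.request.uri.path, "/api/") and cf.threat_score gt 10)',
               lambda r: r["path"].startswith("/api/") and r["threat_score"] > 10),
]

# Rate limiting rule (http_ratelimit phase): 50 requests per 10 s per client IP
# on /api/, then block that IP for 10 s. Values assumed to fit the Free plan.
RATE_LIMIT_RULE = {
    "action": "block",
    "description": "Cap API calls per client IP",
    "expression": 'starts_with(http.request.uri.path, "/api/")',
    "ratelimit": {
        "characteristics": ["cf.colo.id", "ip.src"],  # cf.colo.id is required
        "period": 10,
        "requests_per_period": 50,
        "mitigation_timeout": 10,
    },
}


def within_free_plan(rules) -> bool:
    """The post's limit: at most 5 custom rules on the Free plan."""
    return len(rules) <= FREE_PLAN_CUSTOM_RULE_LIMIT


def decide(rules, request: dict) -> str:
    """Return the action of the first matching terminating rule, else 'allow'."""
    for rule in rules:
        if rule.when(request) and rule.action in TERMINATING_ACTIONS:
            return rule.action
    return "allow"


class RateLimiter:
    """Offline model of RATE_LIMIT_RULE: count per IP in a fixed window and
    block for mitigation_timeout once requests_per_period is exceeded."""

    def __init__(self, period: float, requests_per_period: int, mitigation_timeout: float):
        self.period = period
        self.limit = requests_per_period
        self.timeout = mitigation_timeout
        self.state: dict[str, list] = {}  # ip -> [window_start, count, blocked_until]

    def allow(self, ip: str, now: float) -> bool:
        st = self.state.setdefault(ip, [now, 0, 0.0])
        if now < st[2]:                    # still inside the mitigation timeout
            return False
        if now - st[0] >= self.period:     # start a new counting window
            st[0], st[1] = now, 0
        st[1] += 1
        if st[1] > self.limit:
            st[2] = now + self.timeout
            return False
        return True


SAMPLE_REQUESTS = [  # constructed; threat_score is what Cloudflare would attach
    {"ip": "203.0.113.7",  "path": "/",              "threat_score": 0},
    {"ip": "203.0.113.8",  "path": "/api/items",     "threat_score": 25},
    {"ip": "203.0.113.9",  "path": "/static/app.js", "threat_score": 25},
    {"ip": "203.0.113.10", "path": "/api/items",     "threat_score": 85},
]

if __name__ == "__main__":
    print("within Free plan:", within_free_plan(CUSTOM_RULES))
    for req in SAMPLE_REQUESTS:
        print(req["ip"], req["path"], "->", decide(CUSTOM_RULES, req))
    print([rule.to_api() for rule in CUSTOM_RULES])
```

Rule order matters: the block rule sits first so a bad-actor IP is never offered a challenge, and the challenge rule only fires on the API path, which keeps the cheap static content unaffected. Remember that the simulation models Cloudflare's decision only; none of it applies to requests that reach the origin directly.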