Allow only Cloudflare traffic in .htaccess by denying all traffic that lacks the CF-RAY header

Time: 2019-02-16 10:56:40

Tags: .htaccess cloudflare

For security reasons I want to restrict, in .htaccess, all traffic that does not come through Cloudflare. I already have a script that blocks all non-Cloudflare IPs, but on some hosts it simply does not work. I would like to check whether the request headers contain the CF-RAY header, regardless of its value, and return a 403 error if it is absent. Thanks for any suggestions!

3 answers:

Answer 0 (score: 1)

Try:

RewriteEngine On
# Return 403 for any request that arrives without a CF-RAY header, whatever its value
RewriteCond %{HTTP:CF-RAY} ^$
RewriteRule ^ - [F,L]

Answer 1 (score: 1)

Yes, this is very easy to do by placing the following at the top of your .htaccess file

#apache_2.4_cloudflare_bypass_protection_htaccess
#Place in top of .htaccess in document root that needs protected
#
## References
#https://docs.sucuri.net/website-firewall/configuration/prevent-sucuri-firewall-bypass/
#https://docs.sucuri.net/website-firewall/troubleshooting/bypassing-firewall-for-testing/
#https://community.cloudflare.com/t/prevent-users-bypassing-cloudflare-to-access-my-site/4606
#https://blog.christophetd.fr/bypassing-cloudflare-using-internet-wide-scan-data/
#https://www.cloudflare.com/ips/
#https://support.cloudflare.com/hc/en-us/articles/204899617

# BEGIN Cloudflare Firewall Bypass Prevention
#Apache 2.4 Server
<FilesMatch ".*">
    Require ip 173.245.48.0/20
    Require ip 103.21.244.0/22
    Require ip 103.22.200.0/22
    Require ip 103.31.4.0/22
    Require ip 141.101.64.0/18
    Require ip 108.162.192.0/18
    Require ip 190.93.240.0/20
    Require ip 188.114.96.0/20
    Require ip 197.234.240.0/22
    Require ip 198.41.128.0/17
    Require ip 162.158.0.0/15
    Require ip 104.16.0.0/12
    Require ip 172.64.0.0/13
    Require ip 131.0.72.0/22
    Require ip 2400:cb00::/32
    Require ip 2606:4700::/32
    Require ip 2803:f800::/32
    Require ip 2405:b500::/32
    Require ip 2405:8100::/32
    Require ip 2a06:98c0::/29
    Require ip 2c0f:f248::/32
#    Require ip INSERT YOUR IP HERE   (Apache 2.4 syntax; "Allow from" is the 2.2 / mod_access_compat form)
</FilesMatch>
# END Cloudflare Firewall Bypass Prevention

Full disclosure: I have a git repo full of ready-made Sucuri/Cloudflare rules for Openlitespeed/Litespeed/Apache. https://gitlab.com/mikeramsey/apache-htaccess-rules/-/tree/master/

Answer 2 (score: 0)

If this is for security reasons, relying on the header is dangerous. It takes no effort at all to send you this header from another source.

It is better to restrict requests to CloudFlare by IP: https://www.cloudflare.com/ips/

If it is Apache, you can add something like this to .htaccess

# Apache 2.2 syntax (on Apache 2.4 this needs mod_access_compat)
Order Deny,Allow
deny from all
allow from ... (one row for every range in above url)
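The following is an added example, not code from any of the answers above. It models the two checks the answers propose so they can be compared side by side: the header-presence rule from answer 0 and the IP allow-list from answers 1 and 2. The Cloudflare ranges are the ones listed in answer 1 (from https://www.cloudflare.com/ips/ as of 2019); the request dictionaries and the CF-RAY value are constructed sample input, not real traffic. The `require_ip_lines` helper additionally generates the Apache 2.4 `Require ip` lines from the same list, which is how a practitioner would keep the .htaccess block in sync with the published ranges rather than editing it by hand.

```python
"""Compare a header-only check with a source-IP allow-list for Cloudflare origins.

Added example; not part of the original Q&A. The CLOUDFLARE_RANGES list is copied
from answer 1 (Cloudflare's published ranges as of 2019) and must be refreshed
from https://www.cloudflare.com/ips/ whenever Cloudflare changes it.
"""
import ipaddress

# Cloudflare edge ranges as listed in answer 1 (IPv4 and IPv6).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/12",
    "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]


def header_check(request):
    """Answer 0's rule: allow if and only if a CF-RAY header is present.

    Any client can add this header, so a forged request passes unchanged.
    """
    return bool(request["headers"].get("CF-RAY"))


def ip_check(request):
    """Answers 1/2: allow if and only if the TCP peer address is a Cloudflare edge.

    The peer address comes from the socket, not from a header, so it cannot be
    set by the client. Unparseable addresses fail closed.
    """
    try:
        addr = ipaddress.ip_address(request["remote_addr"])
    except ValueError:
        return False
    # 'addr in net' is False when the address and network families differ,
    # so IPv4 clients are never matched against the IPv6 ranges by accident.
    return any(addr in net for net in CLOUDFLARE_RANGES)


def decide(request):
    """HTTP status the origin should return: 200 behind Cloudflare, else 403."""
    return 200 if ip_check(request) else 403


def require_ip_lines(indent="    "):
    """Emit Apache 2.4 'Require ip' lines for every range in CLOUDFLARE_RANGES.

    Paste the output inside the <FilesMatch ".*"> block from answer 1.
    """
    return "\n".join(f"{indent}Require ip {net}" for net in CLOUDFLARE_RANGES)


# Constructed sample requests (not real traffic). 203.0.113.0/24 is the
# documentation range TEST-NET-3, used here as a "random internet host".
GENUINE = {"remote_addr": "104.16.1.1",
           "headers": {"CF-RAY": "constructed-ray-id-SJC"}}
FORGED = {"remote_addr": "203.0.113.7",
          "headers": {"CF-RAY": "constructed-ray-id-SJC"}}  # header added by hand
DIRECT = {"remote_addr": "203.0.113.7", "headers": {}}  # origin hit directly


if __name__ == "__main__":
    for name, req in (("genuine", GENUINE), ("forged", FORGED), ("direct", DIRECT)):
        print(f"{name:8s} header_check={header_check(req)!s:5s} "
              f"ip_check={ip_check(req)!s:5s} status={decide(req)}")
    print(require_ip_lines())
```

Running the script shows the forged request accepted by `header_check` and rejected by `ip_check`, which is the point answer 2 makes: a header proves nothing about who sent the packet, while the peer address does. Whichever form you put in .htaccess, the range list must be regenerated from the Cloudflare URL when it changes, or genuine edge traffic will start getting 403s.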