moeyy

A salted fish with grand ambitions.

Using Cloudflare Business to ignore CC attacks.

Requirements

Cloudflare Business plan ($200 or higher). Pro plan users can refer to this article instead: https://moeyy.cn/posts/d4fb87f4694a.html

Your website must use HTTPS.

Getting Started (operations on Cloudflare)

Super Bot Fight Mode

First, log in to the Cloudflare dashboard, select your domain -> Firewall -> Super Bot Fight Mode, and click Configure Super Bot Fight Mode.
You can follow the settings shown in my screenshot below.

image

Managed Rules

Then open Firewall -> Managed Rules, enable all the rule sets, set the sensitivity to High and the action to Challenge.

Website and SSL Certificate Configuration

Here is a rough overview of my rules.

It is recommended to set up an SSL certificate for your website and enable HTTP/2:

image

Also enable Force HTTPS; you can additionally restrict the Minimum TLS Version to 1.1 (browsers currently support 1.2 at minimum), as shown in the picture:

image

Page Rules

You can refer to mine:

image

Firewall Rules

Block Rules:

image

Tor exit traffic (onion routing) can be blocked outright. Also block requests with a threat score greater than or equal to 5; normal visitors will not accumulate a threat score, so false positives are not a concern.

Captcha Rules:

image

The first rule targets HTTPS requests made over HTTP/1: normal visitors reaching an HTTPS site use HTTP/2, while CC traffic relayed through proxies uses HTTP/1. This rule only works if your website has HTTPS enabled; without HTTPS it has no effect.

The User-Agent rule blocks some odd user agents.

If the threat score is greater than 1, a captcha is shown automatically. Normal browsers and clean IPs will not trigger it.

The last rule is there to prevent IP forgery.

Besides the rules, a few other settings are needed.

For example, HTTP DDoS protection: set everything to the maximum:

image

At this point the Cloudflare-side configuration is complete. Next comes the origin server.

Nginx Configuration

We can give origin pulls a dedicated User-Agent and allow only that UA to reach the origin server.

First, operate on Cloudflare:

image

Create an HTTP request header modification with the content User-Agent: XXX (replace XXX with a value of your own):

image

Mine, for example, is moeyydad; use something else, as long as nobody can guess it.

Then add an if block to the nginx configuration file:

# Drop the connection without a response for any request whose User-Agent is not the secret one
if ($http_user_agent != "moeyydad") {
    return 444;
}

This block goes inside the server block, right below the root directive.

image

Certificate Protection

This prevents the origin server's certificate from being found by scanners. If the origin uses SSL for origin pulls we have to upload a certificate to it, but it must not be our own domain's certificate; a self-signed certificate can be used instead. For example:

Certificate

-----BEGIN CERTIFICATE-----
(certificate body not preserved in this copy)
-----END CERTIFICATE-----

Private Key

-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgK0HE3hTJQDg6p/fj
nS92eSuRKZEZ5F4grT6tWFKNYVmhRANCAAQIP4WfZQx4/3/tIw0QDdt05DRKiIuO
pghp8GVQ94JcS5fmtZqX1yx0hBU4qZ0skIJr5D2M0BmhCBQ9Kulv2YDL
-----END PRIVATE KEY-----

How to test that your origin IP is not leaked

Add your origin IP and domain to your hosts file, then open the site in a browser. If it cannot be reached, the UA restriction is working.

Next, check the certificate to make sure it is not your domain's certificate. Also check the default certificate by browsing to https://ip/. If the certificate presented is not for your domain, the setup is successful.

Other Configurations

Blocking Regions

If your visitors are only from China, you can allow access from China only:

image

Rate Limiting

image

You can set rate limiting based on your website's API endpoints or other factors.

Custom Host Origin

image

This is similar to the custom-UA origin. Some scanning programs currently work by sending your domain as the Host header to IP addresses across the internet and checking which one answers.

For example, I set an origin hostname moeyydad.xyz for origin pulls and replace the origin hostname moeyy.cn with moeyydad.xyz, so the origin server cannot be found under its public name. Combined with the custom-UA origin, a Cloudflare self-signed SSL certificate on the origin, and the custom Host origin, attackers will not be able to locate our origin server.
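The leak test described in the testing section above and the custom-Host check described here, as an added example that is not part of the original post. It automates the manual checks with Python's standard library: ORIGIN_IP is a placeholder you replace with your own origin's address; moeyy.cn, moeyydad.xyz and the User-Agent moeyydad are the post's example values. The expectation that the origin drops requests for the public hostname is an assumption that you configured the origin to answer only for the hidden hostname (the post's nginx snippet filters on User-Agent only). The network probes need a reachable origin; the parsing and matching helpers run offline.

```python
"""Origin-leak check for a Cloudflare-fronted site (added example, not from the post).

Talks straight to the origin IP, bypassing Cloudflare, and confirms that
  1. a request without the secret User-Agent is dropped (nginx `return 444`),
  2. a request for the public hostname is dropped (assumes the origin answers
     only for the hidden origin hostname),
  3. the request with the secret UA and the hidden hostname is served,
  4. the origin does not present a publicly valid certificate for the public domain.
"""
import socket
import ssl

ORIGIN_IP = "203.0.113.10"     # placeholder (TEST-NET-3): put your real origin IP here
PUBLIC_DOMAIN = "moeyy.cn"     # public domain served through Cloudflare (post's example)
ORIGIN_HOST = "moeyydad.xyz"   # hidden hostname used for origin pulls (post's example)
SECRET_UA = "moeyydad"         # User-Agent Cloudflare adds on origin pulls (post's example)
PROBE_UA = "Mozilla/5.0 (origin-leak probe)"  # constructed "ordinary" browser-like UA


def parse_status_line(head: bytes):
    """Numeric status from an HTTP response head, or None when the origin closed
    the connection without answering (an empty read is what `return 444` produces)."""
    try:
        line = head.split(b"\r\n", 1)[0].decode("ascii")
        version, status, *_ = line.split(" ", 2)
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/") or not status.isdigit():
        return None
    return int(status)


def cert_identifies_domain(cert: dict, domain: str) -> bool:
    """True if a getpeercert()-style dict names `domain` in its CN or a DNS SAN.
    A single left-most wildcard label (*.example.com) covers exactly one label."""
    names = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    domain = domain.lower().rstrip(".")
    for name in names:
        if name == domain:
            return True
        if name.startswith("*.") and "." in domain and domain.split(".", 1)[1] == name[2:]:
            return True
    return False


def probe_origin(ip, sni, host, user_agent, timeout=5.0):
    """One GET straight to the origin over TLS. Certificate checks are off here on
    purpose: this is our own origin, which is supposed to present a self-signed
    certificate. Returns the HTTP status, or None if the request was dropped."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    request = (f"GET / HTTP/1.1\r\nHost: {host}\r\nUser-Agent: {user_agent}\r\n"
               "Connection: close\r\n\r\n").encode("ascii")
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                tls.sendall(request)
                return parse_status_line(tls.recv(4096))
    except OSError:            # reset, timeout or TLS failure: treated as "dropped"
        return None


def origin_presents_public_cert(ip, domain, timeout=5.0):
    """True if the origin, reached by IP with SNI=domain, presents a certificate that
    chains to a system-trusted CA *and* names the public domain: the leak the post
    warns about. Self-signed or Cloudflare Origin CA certs fail verification -> False."""
    ctx = ssl.create_default_context()     # CERT_REQUIRED against system CAs
    ctx.check_hostname = False             # CN/SAN matched by cert_identifies_domain below
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=domain) as tls:
                return cert_identifies_domain(tls.getpeercert(), domain)
    except OSError:                        # includes ssl.SSLCertVerificationError
        return False


def evaluate(no_ua_status, wrong_host_status, good_status, public_cert_match):
    """Turn raw probe results into PASS/FAIL lines for the four checks above."""
    checks = [
        ("request without secret UA is dropped", no_ua_status is None),
        ("request for public hostname is dropped", wrong_host_status is None),
        ("request with secret UA and hidden host is served", good_status is not None),
        ("no publicly valid certificate for public domain", not public_cert_match),
    ]
    return [f"{'PASS' if ok else 'FAIL'}: {name}" for name, ok in checks]


def run_checks(ip=ORIGIN_IP):
    no_ua = probe_origin(ip, ORIGIN_HOST, ORIGIN_HOST, PROBE_UA)
    wrong_host = probe_origin(ip, PUBLIC_DOMAIN, PUBLIC_DOMAIN, SECRET_UA)
    good = probe_origin(ip, ORIGIN_HOST, ORIGIN_HOST, SECRET_UA)
    leak = origin_presents_public_cert(ip, PUBLIC_DOMAIN)
    return evaluate(no_ua, wrong_host, good, leak)


if __name__ == "__main__":
    print("\n".join(run_checks()))
```

Run it from a machine outside Cloudflare after replacing ORIGIN_IP; all four lines should read PASS. A FAIL on the last line means the origin is still presenting your real domain's certificate, which is exactly what certificate-scanning services index.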

CF's self-signed SSL certificate can be generated here:

image

After completing the above operations, your website is invincible.
