@elderlabs
Last active November 25, 2024 23:34
Cloudflare WAF Rule to rule them all
# The ever-evolving Cloudflare WAF rule, so long as I remember to keep it up to date.
# https://gist.github.com/elderlabs/2b0b39df36ecc7d9b08699255c0adc18
# Ideally, this rule will block all automated/malicious traffic.
# This works best in an environment that lacks WordPress, which is a cancer upon the internet.
# WordPress has its place, but it's not here. This may need editing to work for you, specifically where we limit HTTP methods.
# This works by blocking a known list of bad/commercial IP spaces/ASNs, China, all IP spaces not allocated to a country,
# anything Cloudflare has designated as a bot, any browser lacking a "Mozilla/5.0" user-agent,
# any HTTP request method that is not "GET", and any request looking for a WordPress file (starts with `/wp-` and ends with `.php`),
# as well as any file/path beginning with a dot. While your webserver should be able to cover that last part, it's ideal that this
# traffic never reach your origin. For extra spice, set your origin to close connections upon all 403/404s. Cloudflare
# will then respond with a 502 error. In nginx, the response code to do this is `444`. Enjoy.
# Obviously, we take no liability for damages if this breaks access to your web resources. A good rule of thumb is to create a "skip"
# rule above this one to whitelist access for very specific origins, such as your own. This works for me, but may not work for thee.
# Feel free to edit this to fit your needs and use this anywhere for any reason. Should you share this with others, we ask that you
# link back to this, or to someone's copy that's kept up-to-date should I fail to do so -- or a copy that better fits your resources.
# -------------------------------------------------------------------------------------------------------------------------------------
(ip.geoip.asnum in {174 714 997 1239 2639 3257 3329 4808 6206 6364 6461 6939 7162 7224 7506 7941 8075 8100 8342 8560 8595 8987 9009 9123 9294 9312 9341 10439 11831 12222 12714 12876 13238 13737 14061 14315 14618 14956 16276 16417 16509 16625 18345 18747 19318 19437 19994 20278 20454 20473 20845 20857 21069 21409 21499 21859 22363 22612 23033 23470 23576 23650 24445 24940 24961 26347 26496 27176 27823 29066 29182 29289 29550 29802 30277 30633 30860 31476 31898 32164 32475 32934 33387 33494 33905 34164 34412 34665 35916 35994 36007 36183 36195 36321 36352 37611 37963 38283 38511 39122 39134 39351 39364 39931 40021 40065 40092 40355 40676 41436 41544 42624 42655 42708 42730 43754 44066 44559 44709 45090 45102 45753 45769 46549 46606 47583 47585 47692 47890 48090 48096 48314 48693 49217 49434 49453 49505 49581 49981 50053 50219 50580 50926 51167 51396 51430 51559 51852 52048 52393 52485 53667 53755 54548 54825 55081 55286 55293 56534 57230 57523 58087 58461 58909 59441 60068 60647 61173 61432 62082 62240 62563 62907 63023 63760 63949 64425 131090 131921 132203 132839 132883 133199 133380 133643 135097 135161 135377 135822 135905 135918 135967 136170 136557 136787 137409 137687 138131 138995 139070 139659 140389 140810 140817 141004 141201 141892 141995 142032 142036 142367 142594 146943 147181 147237 149107 149118 149440 150862 150887 151592 152194 152565 197540 197695 197715 197902 197922 198605 198610 198651 198953 199524 199785 200000 200107 200918 201415 201814 202306 202425 202448 203020 203446 203476 204548 203576 204601 204769 204800 205016 206092 206176 206216 206791 207713 208161 209366 209605 210403 210546 210558 210644 211138 211298 211381 211680 211871 212238 212860 213122 213230 213250 214940 215026 215208 215240 215476 215766 216167 216188 262672 263065 263511 394695 394711 394814 396073 396356 396982 397423 398101 398722 399244 399486 399629 399804 399979 400275 401109 401115 401116 401120}) or (ip.geoip.country in {"CN" "XX"}) or (cf.client.bot) or (not http.user_agent contains "Mozilla/5.0") or (http.request.method in {"POST" "PURGE" "PUT" "HEAD" "OPTIONS" "DELETE" "PATCH"}) or (http.request.uri contains "/wp-" and http.request.uri contains ".php") or (http.request.uri contains "/.")
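To check what this rule will and will not block before deploying it, here is an added Python model of its clauses (example code, not part of the gist and not Cloudflare's engine). The ASN subset, client IPs and requests are constructed; the "skip" rule the notes recommend is modelled as an IP allowlist evaluated first. One caveat it makes visible: the WordPress clause uses `contains` on both parts, so it is broader than "starts with `/wp-` and ends with `.php`".

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    """Request attributes the rule inspects (Cloudflare field in comments)."""
    client_ip: str      # ip.src (used only by the skip rule)
    asn: int            # ip.geoip.asnum
    country: str        # ip.geoip.country
    is_bot: bool        # cf.client.bot
    user_agent: str     # http.user_agent
    method: str         # http.request.method
    uri: str            # http.request.uri

# Constructed subset of the ASNs in the rule above; the real list is far longer.
BLOCKED_ASNS = {16509, 14061, 20473, 24940, 63949}
BLOCKED_COUNTRIES = {"CN", "XX"}
BLOCKED_METHODS = {"POST", "PURGE", "PUT", "HEAD", "OPTIONS", "DELETE", "PATCH"}

def matched_clause(req: Request) -> Optional[str]:
    """Name the first clause of the OR-chain that matches, or None if none does."""
    if req.asn in BLOCKED_ASNS:
        return "asn"
    if req.country in BLOCKED_COUNTRIES:
        return "country"
    if req.is_bot:
        return "bot"
    # `not http.user_agent contains "Mozilla/5.0"`: an empty UA is blocked too.
    if "Mozilla/5.0" not in req.user_agent:
        return "user_agent"
    if req.method in BLOCKED_METHODS:
        return "method"
    # Both sides use `contains`, so "/api/wp-x.php/y" matches as well as "/wp-login.php".
    if "/wp-" in req.uri and ".php" in req.uri:
        return "wordpress_path"
    # Any dotfile or dot-directory anywhere in the path, e.g. "/.env", "/.git/config".
    if "/." in req.uri:
        return "dotfile_path"
    return None

def should_block(req: Request, allow_ips=frozenset()) -> bool:
    """Skip rule first (allowlisted source IPs pass), then the block rule."""
    if req.client_ip in allow_ips:
        return False
    return matched_clause(req) is not None
```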