Block scanners from hitting the app and messing with the metrics

cloudflare_waf.rb

#!/usr/bin/env ruby
# frozen_string_literal: true

require "http"
require "json"

ZONE_ID     = ENV.fetch("CF_ZONE_ID")
ZONE_TOKEN  = ENV.fetch("CF_ZONE_TOKEN")
PHASE       = "http_request_firewall_custom"
DESCRIPTION = "Block application scanners"
BASE        = "https://api.cloudflare.com/client/v4/zones/#{ZONE_ID}/rulesets"
CF          = HTTP.auth("Bearer #{ZONE_TOKEN}")

PATH_WILDCARDS = %w[
  .env
  .git
  /wp-*
  *.php*
  *phpmyadmin*
  *phpMyAdmin*
  *adminer*
  *manager/html*
  *jmx-console*
  *jenkins*
  *weblogic*
  *solr*
  .svn
  .hg
  .bzr
  .DS_Store
  *server-status*
  *server-info*
  *cgi-bin*
  */info.php*
  */test.php*
  *drupal*
  *joomla*
  *magento*
  *phpbb*
  *typo3*
  *wp-login*
  *xmlrpc*
  *sitemap.xml*
]

def join_terms(field, op, values)
  terms = values.map { |v| "#{field} #{op} \"#{v.gsub('"', '\\"')}\"" }
  "(#{terms.join(" or ")})"
end

response   = CF.get("#{BASE}/phases/#{PHASE}/entrypoint")
entrypoint = response.status == 404 ? nil : JSON.parse(response.body.to_s)["result"]
rule_body  = { action: "block", description: DESCRIPTION, enabled: true, expression: join_terms("http.request.uri.path", "wildcard", PATH_WILDCARDS) }

if entrypoint.nil?
  CF.post(BASE, json: { name: DESCRIPTION, kind: "zone", phase: PHASE, rules: [rule_body] })
  puts "Ruleset created with rule."
else
  ruleset_id = entrypoint["id"]
  existing   = entrypoint["rules"]&.find { |r| r["description"] == DESCRIPTION }

  if existing
    rule_id = existing["id"]
    CF.patch("#{BASE}/#{ruleset_id}/rules/#{rule_id}", json: rule_body.merge(id: rule_id, ref: rule_id))
    puts "Rule updated."
  else
    CF.post("#{BASE}/#{ruleset_id}/rules", json: rule_body)
    puts "Rule created."
  end
end