This repository provides a complete step-by-step guide to setting up and configuring Cloudflare Web Application Firewall (WAF). It helps protect websites against malicious attacks, bot traffic, and unauthorized access. This guide includes the process of creating custom rules, understanding firewall settings, and applying CAPTCHA verification to enhance security and performance.
- π Login to Cloudflare: Go to Cloudflare Dashboard and log in.
- π Select Your Website: Click on the website you want to protect.
- π‘οΈ Navigate to WAF: In the left sidebar, go to Security > WAF (Web Application Firewall).
- βοΈ Go to Custom Rules: Click on the Custom Rules tab.
- Click on β Create Rule.
- Enter a π Rule Name (e.g.,
CAPTCHA SKIPfor bots). - Choose a π Field (e.g.,
User Agentto detect bots). - Select an βοΈ Operator (e.g.,
containsto match specific bots). - Enter a π₯ Value (e.g.,
Googlebotfor Google Search bot). - Choose an π Action (e.g.,
Skipfor trusted bots,Blockfor countries, orManaged Challengefor CAPTCHA). - Set the π Placement Order (first, after another rule, etc.).
- Click πΎ Save and ensure the rule is β Enabled.
Below are three essential WAF rules, explained in three formats: Table Format, Copyable Code Format, and Detailed Explanation.
| π Field | βοΈ Operator | π₯ Value |
|---|---|---|
| User Agent | contains | facebookexternalhit |
| OR | contains | TwitterBot |
| OR | contains | LinkedInBot |
| OR | contains | Googlebot |
| OR | contains | Bingbot |
| π Action | Skip | |
| π Placement | First |
Rule Name: CAPTCHA SKIP
Field: User Agent
Operator: contains
Value: facebookexternalhit
OR
Field: User Agent
Operator: contains
Value: TwitterBot
OR
Field: User Agent
Operator: contains
Value: LinkedInBot
OR
Field: User Agent
Operator: contains
Value: Googlebot
OR
Field: User Agent
Operator: contains
Value: Bingbot
Action: Skip
Placement: First
- π― Purpose: This rule allows legitimate search engine bots to access your website without being blocked by CAPTCHA.
- π Field:
User Agentchecks if the visitor is a bot. - βοΈ Operator:
containsapplies if the botβs name appears. - π₯ Values: Recognized search bots like
Googlebot,Bingbot, etc. - π Action:
Skipallows these bots to bypass security checks. - π Placement: This rule should be first in order.
| π Field | βοΈ Operator | π₯ Value |
|---|---|---|
| Country | equals | United Kingdom |
| OR | equals | United States |
| π Action | Block | |
| π Placement | After CAPTCHA SKIP |
Rule Name: COUNTRY BLOCK
Field: Country
Operator: equals
Value: United Kingdom
OR
Field: Country
Operator: equals
Value: United States
Action: Block
Placement: After CAPTCHA SKIP
- π― Purpose: Blocks traffic from selected countries to prevent fraud or unwanted access.
- π Field:
Countrychecks the visitorβs location. - βοΈ Operator:
equalsapplies only to the listed countries. - π₯ Values:
United Kingdom,United States(can add more if needed). - π Action:
Blockdenies access to these users. - π Placement: Should be after the CAPTCHA SKIP rule.
| π Field | βοΈ Operator | π₯ Value |
|---|---|---|
| Hostname | wildcard | mail.kamrul.us |
| OR | wildcard | kamrul.us/SOFT |
| OR | wildcard | kamrul.us |
| π Action | Managed Challenge | |
| π Placement | After COUNTRY BLOCK |
Rule Name: CAPTCHA ON
Field: Hostname
Operator: wildcard
Value: mail.kamrul.us
OR
Field: Hostname
Operator: wildcard
Value: kamrul.us/SOFT
OR
Field: Hostname
Operator: wildcard
Value: kamrul.us
Action: Managed Challenge
Placement: After COUNTRY BLOCK
- π― Purpose: Protects sensitive pages by forcing visitors to pass a CAPTCHA challenge.
- π Field:
Hostnameapplies the rule to specific site sections. - βοΈ Operator:
wildcardmatches similar URLs. - π Action:
Managed Challengepresents CAPTCHA verification. - π Placement: Runs after COUNTRY BLOCK rule.
- π οΈ Test the site from different locations (use VPN for testing country blocks).
- π Use browser developer tools (F12 > Network > Inspect HTTP headers).
- π Check Cloudflare Security Logs (Security > WAF > Logs).
This guide is open-source under the MIT License. For further support, contact kamrul.us Admin or visit Cloudflare Support.
