cloudflare防火墙waf的设置

WAF

防火墙一

(cf.threat_score ge 5 and not cf.client.bot) or (not http.request.version in {"HTTP/2" "HTTP/3" "HTTP/1.1"}) or (ip.geoip.country in {"FR" "DE"}) or (http.request.uri.path wildcard r"/admin.php/*")

解释如下：

如果满足以下任一条件，则触发规则：

Cloudflare 威胁评分大于或等于 5，且客户端不是机器人

使用的 HTTP 协议版本不是 HTTP/2、HTTP/3 或 HTTP/1.1

请求来自法国或德国,即对法国和德国实施防御

请求的 URI 路径以 “/admin.php/” 开头

防火墙二

(http.request.uri.query contains ")/*") or 
(http.request.uri.query contains ")--") or 
(http.request.uri.query contains "benchmark(") or 
(http.request.uri.query contains "'0:0:20'") or 
(http.request.uri.query contains "MD5(") or 
(http.request.uri.query contains "%20waitfor%20delay%20") or 
(http.request.uri.query contains "%22") or 
(http.request.uri.query contains "%20/*") or 
(http.request.uri.query contains "%20--") or 
(http.request.uri.query contains "%20%23") or 
(http.request.uri.query contains ")%23") or 
(http.request.uri.query contains "script>") or 
(http.request.uri.query contains "%40") or 
(http.request.uri.query contains "%00") or 
(http.request.uri.query contains "<?php") or 
(http.request.uri.query contains "0x00") or 
(http.request.uri.query contains "0x08") or 
(http.request.uri.query contains "0x09") or 
(http.request.uri.query contains "0x0a") or 
(http.request.uri.query contains "0x0d") or 
(http.request.uri.query contains "0x1a") or 
(http.request.uri.query contains "0x22") or 
(http.request.uri.query contains "0x25") or 
(http.request.uri.query contains "0x27") or 
(http.request.uri.query contains "0x5c") or 
(http.request.uri.query contains "0x5f") or 
(http.request.uri.query contains "SELECT") or 
(http.request.uri.query contains "concat") or 
(http.request.uri.query contains "union") or 
(http.request.uri.query contains "0x50") or 
(http.request.uri.query contains "DROP") or 
(http.request.uri.query contains "WHERE") or 
(http.request.uri.query contains "ONION") or 
(http.request.uri.query contains "0x3c62723e3c62723e3c62723e") or 
(http.request.uri.query contains "0x3c696d67207372633d22") or 
(http.request.uri.query contains "OR") or 
(http.request.uri.query contains "0x3e") or 
(http.request.uri.query contains "<img") or 
(http.request.uri.query contains "<image") or 
(http.request.uri.query contains "document.cookie") or 
(http.request.uri.query contains "onerror()") or 
(http.request.uri.query contains "alert(") or 
(http.request.uri.query contains "window.") or 
(http.request.uri.query contains "String.fromCharCode(") or 
(http.request.uri.query contains "javascript:") or 
(http.request.uri.query contains "onmouseover=") or 
(http.request.uri.query contains "<BODY onload") or 
(http.request.uri.query contains "<style") or 
(http.request.uri.query contains "svg onload") or 
(http.request.uri.query contains "substring(") or 
(http.request.uri.query contains "length(") or 
(http.request.uri.query contains "version(") or 
(http.request.uri.query contains "database(") or 
(http.request.uri.query contains "user(") or 
(http.request.uri.query contains "AND 1=1") or 
(http.request.uri.query contains "AND 1=2") or 
(http.request.uri.query contains "OR 1=1") or 
(http.request.uri.query contains "OR 1=2") or 
(http.request.uri.query contains "%27OR1=1--") or 
(http.request.uri.query contains "UNION ALL SELECT") or 
(http.request.uri.query contains "/etc/passwd") or 
(http.request.uri.query contains "../../") or 
(http.request.uri.query contains "/proc/self/environ") or 
(http.request.uri.query contains "file=") or 
(http.request.uri.query contains "page=") or 
(http.request.uri.query contains "http://") or 
(http.request.uri.query contains "ftp://") or 
(http.request.uri.query contains "data://") or 
(http.request.uri.query contains "|cat") or 
(http.request.uri.query contains "&&") or 
(http.request.uri.query contains "||") or 
(http.request.uri.query contains "`") or 
(http.request.uri.query contains "$(") or 
(http.request.uri.query contains "ping") or 
(http.request.uri.query contains "curl") or 
(http.request.uri.query contains "wget") or 
(http.request.uri.query contains "%0d%0a") or 
(http.request.uri.query contains "%0a") or 
(http.request.uri.query contains "%0d") or 
(http.request.uri.query contains "phpinfo()") or 
(http.request.uri.query contains "hostname") or 
(http.request.uri.query contains "whoami") or 
(http.request.uri.query contains "uname -a") or 
(http.request.uri.query contains "pwd") or 
(http.request.uri.query contains "netstat")