Understanding your Site Protection Options – Cloudflare Support

Learn about the tools Cloudflare offers to protect your domains, URLs, and directories.

Overview
Cloudflare Access
IP Access Rules
Security Level
Zone (URL) Lockdown
Forwarding URL
User-Agent Blocking Rules
Rate Limiting
Custom WAF Rule
Token Authentication
Related Resources

Overview

Cloudflare offers a number of tools for protecting your site against specified volumes of traffic, certain groups of requesters, and specific requesting IPs. There is a specific order in which security tools trigger:

IP Access Rules
Firewall Rules
Zone Lockdown
User Agent Blocking
WAF

Below is a list of security features with details on how to set them up.

Cloudflare Access

Cloudflare Access adds an authentication page in front of an application you don’t want to be publicly accessible. It is a perimeter-less access control solution for cloud and on-premise applications.

Read more about Getting Started with Cloudflare Access.

IP Access Rules

IP Access Rules allow you to control access for specific IP addresses, IP ranges, countries, ASNs, and certain CIDR blocks. This is best used when you want to control traffic for these specific elements. Available actions to affect incoming requests are Whitelist, Block, Challenge (Captcha), or JavaScript Challenge (IUAM challenge).

For example, if you are already restoring visitor IPs using the mod_cloudflare plugin and you notice that a particular IP is causing malicious requests; you can block that user via IP address.

Security Level

The Security Level setting allows you to control your site’s tolerance to potentially malicious IPs by responding to requesting IPs having certain IP-reputation levels with Captcha challenges. You select a Challenge Passage, which controls how long a user that has passed the Captcha challenge may continue freely browsing your site before being challenged again.

For example, if you are a new website owner who would like to prevent bot IPs from attacking your site, you might set a Medium or High Security level and lower Challenge Passage 5 to 30 minutes to ensure that Cloudflare is constantly protecting your site.

If you are an experienced website administrator and proxy implementer who is confident in their security settings, you might set an Essentially Off or Low Security level and higher Challenge Passage for a week, month, or even year, to provide a less obtrusive experience for your users.

Zone (URL) Lockdown

Zone (URL) Lockdown allows you to specify a list of one or more IP addresses or networks that are the only IPs allowed to access a domain, subdomain, or URL. This does not whitelist IPs, it defines what is allowed, and rejects everything else. Zone Lockdown supports:

Specific sub-domains, allowing you to, for example, allow IP 1.2.3.4 to access domain foo.example.com and allow IP 5.6.7.8 to access domain bar.example.com, but not necessarily allow the vice versa.
Specific URLs, enabling you to, for example, allow IP 1.2.3.4 to access the directory example.com/foo/* and allow IP 5.6.7.8 to access the directory example.com/bar/*, but not allow the opposite.

This is useful when you need more granularity in your access rules since with the IP Firewall, you can only either apply the block to all sub-domains of the current domain or all domains on your account, and you can not specify URIs.

Forwarding URL

Forwarding URL allows you to prevent access to (1) URLs, (2) a certain request scheme (HTTP or HTTPS), (3) file type, (4) sub-domain, or (5) directory, by redirecting users away from these this content to some "safe" location.

Example uses for each of these would be:

User-Agent Blocking Rules

User-Agent Blocking allows you to action any preferred User-Agent string. This works similarly to Zone (URL) Lockdown as described above except this block examines the incoming User-Agent string rather than the IP. You can also choose how to handle a matching request with the same list of actions as you have in the IP Firewall (Block, JS Challenge, Captcha Challenge, and Whitelist). Note that User-Agent blocking applies to your entire zone, so you cannot specify sub-domains as you can with Zone Lockdowns.

This tool is useful for blocking any User-Agent strings that you deem suspicious and works great in conjunction with the Browser Integrity Check feature.

Rate Limiting

Rate Limiting allows you to control volumes of traffic for your entire site, specific URL, and any directory, for a given interval of time.

When Protect My Login, a pre-configuration of Rate Limiting is enabled, it will mitigate brute force login attacks. This is useful because login pages tend to not be cacheable and vulnerable as DDOS attack vectors.

For example, if there are many uncacheable resources in your /foo/bar/ directory and want to also mitigate DDOS attacks to your origin server, enabling Rate Limiting could ensure that no one can exceed traffic rates of 1000 requests per minute to that directory and that any violating IP gets blocked.

Custom WAF Rule

You can request a Custom WAF rule to be created for any traffic logic that you are unable to implement at the edge using the tools in your Cloudflare account by default, such as all of the above.

This is recommended in order to base traffic logic on:

Virtually any HTTP header in the request.
IP ranges.
Hostname
Regex
Validation of byte ranges to prevent binary data from being transferred through the URI for, example.
Checking for empty strings anywhere in request.
Integer comparisons (greater than, less than, greater than/equal to, less than/equal to, and equal to).

Token Authentication

Token Authentication allows you to restrict access to documents, files, and media to selected users without requiring registration. This can be used to protect paid/restricted content from leeching and non-authorized sharing. Token Authentication can be easily implemented using the Cloudflare Web Application Firewall (WAF) and requires a Business level subscription or higher.

Read more about How to setup Token Authentication.

Related Resources