Good Bots - Skip https://prnt.sc/LEEmoXJwkj1K https://prnt.sc/L2glm2Z1STkm
Other Bots - Managed Challenge https://prnt.sc/mfoqUbJqxOKD
Countries - Block
(not ip.geoip.country in {"AU" "IN" "IE" "NZ" "PH" "GB" "US" "CA"}) https://prnt.sc/zs7FAHbeEl8m
I changed my VPN to France and tried the URL … and it wasn’t blocked!
I thought that perhaps it was because the countries blocked was last so changed the order:
Good Bots
Other Bots
Countries
WP Login
Same problem!
I then tried IP Access Rules. However, in the docs (https://developers.cloudflare.com/waf/tools/ip-access-rules/#main), it says “Block by country is only available on the Enterprise plan. Other customers may perform country blocking using firewall rules.”
Any ideas on why blocking by country isn’t working?
Your “Good Bots” rule is not only allowing/skipping good bots, but about half the planet.
I’m not sure what is the intention of the second block of the rule. The first block sets as conditions both that it is a Known Bot, and that it comes from a set of ASNs, which shouldn’t be necessary, since the verification of a Known Bot already implies that the request comes from the ASN it belongs to.
Perhaps you are trying to limit KB to a smaller set? That could make sense.
The second block lists many IP addresses, some of them belonging to hosting companies, such as Hetzner. If a VPN is based on one of these hosting companies, it would skip all further checked WAF rules. Now if you want to also use the list of IPs to limit the set of KBs, you must repeat the KB operator:
If
Known Bot ON
AND
ASN is in...
OR
Known Bot ON
AND
IP is in...
I’m sure others will have other opinions on that, but my view is that you should not allow Good Bots. Instead, you should only “not block” them when you create specific rules.
Most Cloudflare features, such as I’m Under Attack and Bot Fight Mode, already exempt Known Bots.
So you shouldn’t be worried about allowing them. Instead, you should keep in mind that when you create a rule to challenge or block requests, you may consider exempting Known Bots.
As for bad bots, if you are under current attack, meaning so many requests per second that they may cause your server to falter, you should enable Bot Fight Mode or Super Bot Fight Mode.
If not, you should focus on what you consider bad behavior, and craft rules to block it no matter whether the visitor is human or bot, good or bad.
In your specific case, your country-list rule could have “AND Known Bots OFF” to make sure good bots based in other countries could still reach your website.
And of course if you agree and remove the Good Bots rule, you should also disable the Other Bots rule, as it would cast too broad a net and challenge pretty much everyone.
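The precedence and ordering problem described in this reply, as an added example that is not part of the thread: a small Python simulation of the three rules. Field names mirror Cloudflare's (`cf.client.bot`, `ip.geoip.asnum`, `ip.src`, `ip.geoip.country`); the ASNs, prefixes and requests are constructed sample values, and `and` binds tighter than `or` here just as it does in Cloudflare's rules language.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample lists; the real rule would carry the user's own ASNs/IPs.
ALLOWED_ASNS = {15169, 8075}                              # assumed bot-operator ASNs
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # a hosting range (doc prefix)
ALLOWED_COUNTRIES = {"AU", "IN", "IE", "NZ", "PH", "GB", "US", "CA"}


@dataclass
class Request:
    known_bot: bool   # cf.client.bot
    asn: int          # ip.geoip.asnum
    ip: str           # ip.src
    country: str      # ip.geoip.country


def in_allowed_nets(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def good_bots_broken(r: Request) -> bool:
    # `a and b or c` parses as `(a and b) or c`: the IP branch no longer
    # requires Known Bot, so any visitor from the hosting range is skipped.
    return r.known_bot and r.asn in ALLOWED_ASNS or in_allowed_nets(r.ip)


def good_bots_fixed(r: Request) -> bool:
    # Known Bot is required on both branches, as the reply recommends.
    return r.known_bot and (r.asn in ALLOWED_ASNS or in_allowed_nets(r.ip))


def country_block(r: Request) -> bool:
    # Country block with the "AND Known Bots OFF" exemption.
    return r.country not in ALLOWED_COUNTRIES and not r.known_bot


def evaluate(r: Request, skip_rule) -> str:
    """Rules are evaluated in order; a matching Skip ends evaluation."""
    if skip_rule(r):
        return "skip"
    if country_block(r):
        return "block"
    return "allow"


# A human on a French VPN exiting from the hosting range, as in the question.
VPN_FR = Request(known_bot=False, asn=24940, ip="203.0.113.10", country="FR")
```

Running `evaluate(VPN_FR, good_bots_broken)` yields `"skip"`, which is why the country rule never fired; with `good_bots_fixed` the same request is blocked.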
FYI, I exported the domain's DNS zone from cPanel and imported it into Cloudflare.
I have 105 DNS records. I have no idea what should be proxied and what shouldn’t. So I left them all at DNS only.
Do you have some guidance? Or is there an easy-to-understand doc that explains this? Personally, I find the Cloudflare docs I have read very confusing … and not designed for Cloudflare newbies like me!
DNS Only means, well, DNS only: no WAF, no cache, no nothing. The website isn’t proxied by Cloudflare, and all Cloudflare is doing is DNS resolution.
You need to decide, based on your own configuration and needs, whether you want Cloudflare to proxy your website. Some arrangements including third-party SaaS providers may require you to keep some DNS records as DNS Only, but for the rest of us Cloudflare only makes sense if we set the domains to Proxied.
That’s a whole bunch of records. Typically you’d proxy the A, AAAA, and CNAME records for your naked domain (example.com) and any subdomain (www, staging etc.) pointing to your origin server, while keeping other DNS records (TXT, MX etc.) as DNS Only.
When you proxy your domain, requests will first be sent to Cloudflare and from Cloudflare, if the request isn’t blocked by WAF or cached by Cloudflare, to your origin.
You may want to contact your hosting provider support team for guidance on what you can/should proxy through Cloudflare, if you’re not sure.
The following may help you with understanding how to proceed.