This firewall rule should do for disabling search?
Or if the attacker connects to the IP directly instead of the domain, how do I disable it?
Especially WordPress is down.


Seems to work on my site. By the way, you don’t have to block; there’s also a CAPTCHA option, so human users can still use your search.

As for blocking directly - you could:

  1. Set Nginx to serve content over HTTPS, by enabling TLS on your Nginx and disabling port 80. Since you don’t care about users connecting directly, you can get an Origin certificate from Cloudflare (under Crypto tab). Then, after you have that, Cloudflare will be able to communicate with your site over HTTPS (note that I don’t know if your site will become HTTPS through Cloudflare if origin pull is HTTPS, but even if it does, that it’s a bad thing IMHO…).
  2. Finally, you can set up your Nginx to only accept TLS connections from clients connecting with Cloudflare’s client certificate (“Authenticated origin pulls”, likewise under Crypto tab). That way your server remains open, but all connections are terminated before the clients have the chance to even send the HTTP request - except of course - if it comes from Cloudflare.
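
The Nginx side of the two steps in the answer above, as an added example that is not part of the original posts. The server name and all file paths are placeholders, and the CA file is assumed to be the origin-pull CA certificate obtained from Cloudflare.

```nginx
# Added example; example.com and every path below are placeholders.

# Step 1: HTTPS only.
# There is no "listen 80" in this block. Remove it from any other
# included server block as well, so nothing answers on port 80.
server {
    listen 443 ssl;
    server_name example.com;

    # Origin certificate and private key issued by Cloudflare.
    # Browsers do not trust this certificate; it is only meant for the
    # Cloudflare-to-origin leg of the connection.
    ssl_certificate     /etc/nginx/tls/cloudflare-origin.pem;
    ssl_certificate_key /etc/nginx/tls/cloudflare-origin.key;

    # Step 2: Authenticated origin pulls.
    # Only clients presenting a certificate signed by this CA are served.
    # Anyone connecting straight to the server IP has no such certificate,
    # and nginx rejects the request with a 400 before it reaches the site.
    ssl_client_certificate /etc/nginx/tls/cloudflare-origin-pull-ca.pem;
    ssl_verify_client on;

    # The existing site configuration (root, WordPress/PHP locations)
    # stays here unchanged.
}
```

Run `nginx -t` before reloading, and enable Authenticated Origin Pulls on the Cloudflare side first, otherwise Cloudflare itself is rejected by `ssl_verify_client on`.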


