Firewall rule to block large list of proxy IPs

firewall
#1

I need a firewall rule to block the list of all free online proxy IPs worldwide; an example list is here:

https://www.proxy-list.download/HTTPS

Can Cloudflare add such a built-in feature to block all free online proxies worldwide, because this list is dynamically updated every second?

#2

Cloudflare’s IP reputation feature effectively already covers this. Since there are so many (usually 500+) different session connections to Cloudflare from one proxy IP, that proxy’s reputation score will drastically be lowered and a firewall set to High or Medium will likely catch it.

If you want something like this now, you could set up a CF Workers script which pulls from that API and does the check itself. Just be careful with this; I wouldn’t be surprised if that proxy list blacklists the Cloudflare IP for too many requests.

#3

Here’s a worker I whipped up:

https://cloudflareworkers.com/#b2b10a7cc1ca2d4786981a2883f7377f:https://tutorial.cloudflareworkers.com

#4

Thanks for the code, but it will not be practical to run all this code on every request. This code needs to run server side, so that a cron job updates the proxy list, maybe from different websites, and updates the firewall rule for it, and we can just have the option to turn it on/off.

#5

Firewall rules have a maximum size of 4kb, so this won’t work:

// using memorySizeOf to calculate the actual amount of memory it's taking up https://gist.github.com/zensh/4975495

  console.log(this.ips.length)
  console.log(memorySizeOf(this.ips))

> 6972
> 181.314 KiB

The IP Firewall also wouldn’t work since even Business plan customers only get 2,000 rules:


Note that the only downside of workers here is the monetary 💰 cost to you; this will, at most, add 5 milliseconds to the response time, and that’s only when the list of proxy IPs is still in memory. Depending on the website’s traffic, it may be 30+ minutes before it re-downloads the proxy list, and that’s still too fast for anyone to notice.
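The approach discussed in this thread (a Worker that keeps the proxy list in memory and checks each request against it) could look like the following; this is an added example, not the Worker linked in #3 and not part of any post. It assumes a plain-text feed of `ip:port` lines at a placeholder URL, a 30-minute refresh interval, and IPv4 entries only; `ProxyCache`, `parseProxyList` and `handleRequest` are hypothetical names.

```javascript
// PROXY_LIST_URL and TTL_MS are assumed values, not taken from the thread.
const PROXY_LIST_URL = "https://proxy-list.example/https.txt"; // placeholder feed
const TTL_MS = 30 * 60 * 1000; // try the feed at most once per 30 minutes
// Constructed sample feed ("ip:port" per line) using documentation address ranges.
const SAMPLE_FEED = "203.0.113.7:8080\n198.51.100.22:3128\nnot-an-ip\n999.1.1.1:80\n192.0.2.5\r\n";

// Parse "ip" or "ip:port" lines into a Set of IPv4 strings; malformed lines are skipped.
function parseProxyList(text) {
  const ips = new Set();
  for (const line of text.split(/\r?\n/)) {
    const parts = line.trim().split(":")[0].split(".");
    const valid = parts.length === 4 &&
      parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
    if (valid) ips.add(parts.map(Number).join("."));
  }
  return ips;
}

class ProxyCache {
  constructor(ttlMs = TTL_MS) {
    this.ttlMs = ttlMs;
    this.ips = new Set();
    this.lastAttempt = -Infinity;
  }
  needsRefresh(now) { return now - this.lastAttempt >= this.ttlMs; }
  markAttempt(now) { this.lastAttempt = now; } // failures also count, so the feed is not hammered
  load(text) {
    const parsed = parseProxyList(text);
    if (parsed.size === 0) return false; // empty or broken feed: keep the previous list
    this.ips = parsed;
    return true;
  }
  has(ip) { return this.ips.has(ip); } // Set lookup, constant time per request
}

const cache = new ProxyCache(); // lives only while this Worker instance stays in memory
// Worker-style handler; fetchImpl is injectable so the logic can be exercised offline.
async function handleRequest(request, fetchImpl = fetch, now = Date.now()) {
  if (cache.needsRefresh(now)) {
    cache.markAttempt(now);
    try {
      const res = await fetchImpl(PROXY_LIST_URL);
      if (res.ok) cache.load(await res.text());
    } catch (_) { /* fail open: keep serving with the previous list */ }
  }
  const ip = request.headers.get("CF-Connecting-IP"); // client address set by Cloudflare
  if (ip && cache.has(ip)) return new Response("Forbidden", { status: 403 });
  return fetchImpl(request); // not listed: pass through to the origin
}
```

Recording the attempt time before fetching means a failing or rate-limited feed is retried once per interval rather than on every request, which addresses the concern raised in #2 about the list provider blocking Cloudflare's IPs.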