Issues with security rule challenge


What is the name of the domain?

elvistech.ng

What is the error number?

site loads fast but security rules takes a lot of time

What is the error message?

security is very slow

What is the issue you’re encountering

site loads fast but security rules takes a lot of time, how to setup properly

What steps have you taken to resolve the issue?

Hello, I am on a Pro plan. My site loads fast, but security rules take a lot of time. I suspect that the security rules I set up may be causing the issue.

Here are the security rules I’ve set up. I have 3 custom rules and 1 site rate limiting.

Custom Rules:
1.)
Allow trusted crawlers
(cf.verified_bot_category eq "Search Engine Crawler") or (cf.client.bot) or (http.user_agent contains "(compatible; Google-InspectionTool/1.0)") or (http.user_agent contains "(compatible; Google-InspectionTool/1.0;)") or (http.user_agent contains "(compatible; Googlebot/2.1; +http://www.google.com/bot.html)") or (http.user_agent contains "Googlebot-Image/1.0") or (http.user_agent contains "Chrome-Lighthouse")

Then take action…
Skip.

2.)
Don’t challenge a specific country, but it does, I don’t know why, but it does, here it is

(http.request.uri.path wildcard r"/*" and not cf.verified_bot_category in {"Search Engine Crawler"}) or (cf.client.bot and not ip.src.country in {"NG"})

Then take action…
JS Challenge

3.)
Block ips and useragents

(ip.src in $badips and ip.src eq 2001:ee0:4f52:8c00:a59c:d7ab:f89d:e5d7) or (ip.src eq 2a00:1fa0:440f:7370:0:52:3cd:3301 and http.user_agent contains “seznambot”)

Then take action…
Block.

Limiting Rule

(http.request.uri.path wildcard "*")

When rate exceeds…
200 in 10 sec

Then take action…
JS Challenge.

These are the current settings on my site and its doing its job well, saving me from DDoS attack, but… what I intended to set up is…

Allow trusted crawlers, do not challenge users from my country, except if the browser is suspicious, then rate limit requests.

My current settings challenge both users from my country, and this has reduced click-through to my site. Please… help

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full (strict)

What are the steps to reproduce the issue?

I already stated that on the page

How exactly are you getting to the conclusion that the security rules are taking a lot of time?

"cf.client.bot" will return true, if the client is a Verified bot.

"cf.verified_bot_category" will return the category, if the client is a Verified bot, that has the specified category.

Both of them would return true, if the category is “Search Engine Crawler”, so you could eventually drop “cf.client.bot” here.

Both the classic Googlebot and the Google Inspection Tool should be a part of the Verified bot program, and as such, you can kill them from the “User-Agent” matching in your WAF.

Your ordering of the rule(s), as well as the use of AND vs OR will play a huge role here.

Something in this rule may be in conflict with your previous rule (#1) though.

Can you clarify:

  1. Will you only allow bots from Nigeria, and challenge all bots (including Google), when they’re originating from outside Nigeria (NG)?

  2. Will you allow “trusted bots” to pass through, even if they originate from outside of Nigeria (NG)?

If you already have determined that the IP address is a “bad IP address” (e.g. listed in $badips), then I see no reasons for the first comparison to the IPv6 address starting with 2001.

For the latter part of this rule:

  1. Do you consider "seznambot" to be a bad bot, only when it’s originating from this Russian IPv6 address?

  2. Will you allow “seznambot” in, if it doesn’t originate from this IPv6 address?

What exactly is your intention, … with the latter part of this rule?

The limiting rule here doesn’t seem to exclude Nigeria (NG) in any way.

If you intend to exclude Nigeria (NG), I suppose you need something like:

(not ip.src.country in {"NG"} and http.request.uri.path wildcard "*")

To my understanding though, - “ip.src.country” isn’t available in the latter Rate limiting rule, unless you’re on Enterprise.

Should any of your Cloudflare rules ever touch traffic, when it originates from Nigeria (NG)?

Let’s take this example:

  • You decide the two (example) IP addresses “2001:db8::234” and “192.0.2.234”, that seem to be from Nigeria (NG), are bad IP addresses.

  • You add “2001:db8::234” and “192.0.2.234” to the IP list on Cloudflare, that is named “$badips”.

Your addition to the list would somehow imply it, …

… But do you now want Cloudflare to block traffic from 2001:db8::234 and 192.0.2.234?

Or should Nigeria (NG) always be exempted from everything?

Thank you for replying; I really appreciate your assistance and pointing out some things.

The thing is, I don’t even know what I was even setting up; I just kept trying different settings until I ended up with this.

My goal is to allow all trusted, verified bots and crawlers, including those from outside my country, to have full access to my site.

Then I want to challenge all users not from Nigeria and unknown bots, while excluding users from my country, except for those who exhibit suspicious activity.

Also, rate limiting; that’s all I want. Can you guide me by writing the expression? I can build it.
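The following is an added example, not code from the thread or from Cloudflare: a small Python model of how the three posted custom rules behave versus a rewrite that matches the stated goal (verified bots pass from anywhere, listed bad IPs are blocked, everyone else outside NG gets a JS challenge, NG visitors are left to the rate-limiting rule). It assumes what the reply above describes, that rules are evaluated in posted order and the first matching terminating action wins, with "Skip" stopping the remaining custom rules; a visitor who already holds a challenge clearance is not modelled. The IP addresses, the `$badips` contents, the sample requests and the `Req`, `posted_rules`, `intended_rules` and `compare` names are all constructed for the example (documentation-range addresses stand in for the literal IPv6 addresses in rule 3), and placing the block rule before the NG exemption is an assumption that listed NG addresses should still be blocked. The rate-limiting rule is not modelled.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

SEARCH_ENGINE = "Search Engine Crawler"

# Constructed stand-ins (documentation-range addresses) for the thread's literals.
BAD_IPS = {"2001:db8::234", "192.0.2.234"}   # contents of the $badips list
RULE3_IP = "2001:db8::1"                     # the IPv6 literal AND-ed with $badips in rule 3
SEZNAM_IP = "2001:db8::2"                    # the IPv6 literal paired with "seznambot" in rule 3


@dataclass
class Req:
    """Only the request fields the thread's expressions reference."""
    ip: str                      # ip.src
    country: str                 # ip.src.country
    path: str                    # http.request.uri.path
    ua: str                      # http.user_agent
    verified_bot: bool = False   # cf.client.bot
    bot_category: str = ""       # cf.verified_bot_category


def posted_rules(r: Req) -> str:
    """The three custom rules as posted, in posted order; first match wins (model assumption)."""
    # Rule 1: allow trusted crawlers -> Skip the remaining custom rules
    if (r.bot_category == SEARCH_ENGINE or r.verified_bot
            or "Googlebot" in r.ua or "Google-InspectionTool" in r.ua
            or "Chrome-Lighthouse" in r.ua):
        return "skip"
    # Rule 2: the first clause matches every path that is not a verified search
    # engine, regardless of ip.src.country; this is the clause that challenges NG visitors
    if ((fnmatchcase(r.path, "/*") and r.bot_category != SEARCH_ENGINE)
            or (r.verified_bot and r.country != "NG")):
        return "js_challenge"
    # Rule 3: only reached when nothing above matched; the AND with one fixed
    # address means other $badips entries can never trigger the block
    if ((r.ip in BAD_IPS and r.ip == RULE3_IP)
            or (r.ip == SEZNAM_IP and "seznambot" in r.ua.lower())):
        return "block"
    return "allow"


def intended_rules(r: Req) -> str:
    """One rewrite matching the stated goal (an assumption, not taken from the thread)."""
    # 1. cf.client.bot -> Skip: verified bots pass from any country
    if r.verified_bot:
        return "skip"
    # 2. ip.src in $badips -> Block, placed before the NG exemption (assumes
    #    listed NG addresses should still be blocked)
    if r.ip in BAD_IPS:
        return "block"
    # 3. not ip.src.country in {"NG"} -> JS Challenge (unverified bots included)
    if r.country != "NG":
        return "js_challenge"
    # NG visitors reach the origin; the separate rate-limiting rule handles abuse
    return "allow"


# Constructed sample requests (ip, country, path, user agent, cf.client.bot, category)
SAMPLES = {
    "ng_browser": Req("198.51.100.7", "NG", "/", "Mozilla/5.0 (X11; Linux x86_64)"),
    "googlebot": Req("203.0.113.9", "US", "/post/1",
                     "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
                     True, SEARCH_ENGINE),
    "de_browser": Req("203.0.113.20", "DE", "/post/1", "Mozilla/5.0 (Windows NT 10.0)"),
    "listed_ng_ip": Req("192.0.2.234", "NG", "/", "Mozilla/5.0 (Android 12)"),
    "seznam_elsewhere": Req("203.0.113.30", "CZ", "/", "Mozilla/5.0 (compatible; SeznamBot/4.0)"),
}


def compare(samples=SAMPLES) -> dict:
    """Map each sample name to (action under posted rules, action under intended rules)."""
    return {name: (posted_rules(r), intended_rules(r)) for name, r in samples.items()}


if __name__ == "__main__":
    for name, (posted, intended) in compare().items():
        print(f"{name:18} posted={posted:13} intended={intended}")
```

Running the model shows the reported symptom directly: the plain NG browser is challenged by rule 2's first clause, which never looks at the country, while a listed NG address is also only challenged, never blocked, because rule 3 sits below rule 2 and is further narrowed by the AND on one fixed address. In the rewrite the country check is a single `not ip.src.country in {"NG"}` rule placed after the verified-bot skip and the `$badips` block, so ordering does the work that the posted OR/AND mix was trying to do; the rate-limiting rule is left as a separate, country-agnostic layer, in line with the note above that `ip.src.country` is not available there outside Enterprise.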
