[ PROMPT_NODE_24414 ]
WAF 配置说明
[ SKILL_DOCUMENTATION ]
# 配置
## 前置条件
**API Token**: 在 https://dash.cloudflare.com/profile/api-tokens 创建
- 权限: `Zone.WAF Edit` 或 `Zone.Firewall Services Edit`
- 区域资源: 包含特定区域或所有区域(建议只包含实际需要管理的区域,以遵循最小权限原则)
**区域 ID (Zone ID)**: 在仪表板 > 概览 > API 部分(右侧边栏)中查找
bash
# Set the environment variables read by the examples below.
# NOTE: a token typed literally on the command line can end up in shell
# history; loading it from a secrets manager or from a file kept outside
# version control avoids that.
export CF_API_TOKEN="your_api_token_here"
export ZONE_ID="your_zone_id_here"
## TypeScript SDK 使用
bash
# Install the `cloudflare` SDK package imported by the TypeScript example.
# Commit the resulting lockfile so later installs resolve the same version.
npm install cloudflare
typescript
import Cloudflare from 'cloudflare';
// Build the API client from the CF_API_TOKEN environment variable, so the
// token is not hard-coded in this file.
const client = new Cloudflare({ apiToken: process.env.CF_API_TOKEN });
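// Custom rules: create the zone-level ruleset for the custom firewall phase.
// NOTE(review): a zone is expected to hold a single entry-point ruleset per
// phase, so this call presumably fails when one already exists; update the
// existing ruleset in that case.
await client.rulesets.create({
  zone_id: process.env.ZONE_ID,
  kind: 'zone',
  phase: 'http_request_firewall_custom',
  name: 'Custom WAF',
  rules: [
    // The WAF attack score runs from 1 (almost certainly an attack) to 99
    // (clean), so a block rule has to target LOW scores. An expression such as
    // `cf.waf.score gt 50` blocks the traffic classified as clean and lets the
    // attack range through.
    // NOTE(review): availability of cf.waf.score depends on the plan; confirm.
    { action: 'block', expression: 'cf.waf.score le 20', enabled: true },
    // `eq` is an exact match: only "/admin" itself is challenged, not
    // "/admin/" or any deeper path.
    { action: 'challenge', expression: 'http.request.uri.path eq "/admin"', enabled: true },
  ],
});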
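// Managed rules: deploy a managed ruleset through a single `execute` rule.
await client.rulesets.create({
  zone_id: process.env.ZONE_ID,
  // `kind` and `name` are required fields when creating a ruleset.
  kind: 'zone',
  name: 'Managed Ruleset',
  phase: 'http_request_firewall_managed',
  rules: [{
    action: 'execute',
    // ID of the managed ruleset to execute (the Cloudflare Managed Ruleset).
    action_parameters: { id: 'efb7b8c949ac4650a09736fc376e9aee' },
    // `true` applies the managed ruleset to every request in the zone.
    expression: 'true',
  }],
});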
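// Rate limiting: block clients that exceed the request budget on /api paths.
await client.rulesets.create({
  zone_id: process.env.ZONE_ID,
  // `kind` and `name` are required fields when creating a ruleset.
  kind: 'zone',
  name: 'Rate Limiting',
  phase: 'http_ratelimit',
  rules: [{
    action: 'block',
    expression: 'http.request.uri.path starts_with "/api"',
    action_parameters: {
      ratelimit: {
        // Counters are kept per source IP and per Cloudflare data center, so
        // the limit is not a global total across all locations.
        characteristics: ['cf.colo.id', 'ip.src'],
        // More than 100 requests within 60 seconds triggers the block action,
        // which then stays in force for 600 seconds.
        period: 60,
        requests_per_period: 100,
        mitigation_timeout: 600,
      },
    },
  }],
});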
## Terraform 配置
hcl
# Authenticate the provider with an API token passed in as a Terraform variable.
# NOTE(review): the variable declaration is not shown on this page; it should
# be marked `sensitive = true` and its value kept out of committed .tfvars files.
provider "cloudflare" {
  api_token = var.cloudflare_api_token
}
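# Custom rule: block requests that the WAF attack score classifies as attacks.
resource "cloudflare_ruleset" "waf_custom" {
  zone_id = var.zone_id
  # The cloudflare_ruleset resource expects a name alongside kind and phase.
  name  = "Custom WAF"
  kind  = "zone"
  phase = "http_request_firewall_custom"

  rules {
    action = "block"
    # The attack score runs from 1 (almost certainly an attack) to 99 (clean),
    # so the block rule has to match LOW scores. An expression such as
    # "cf.waf.score gt 50" blocks clean traffic and lets the attack range through.
    expression = "cf.waf.score le 20"
    # Set explicitly so the rule is active regardless of the provider default.
    enabled = true
  }
}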
**托管规则集与速率限制**:
hcl
# Managed rules: execute a managed ruleset for every request in the zone, with
# one rule overridden to log-only.
resource "cloudflare_ruleset" "waf_managed" {
  zone_id = var.zone_id
  name    = "Managed Ruleset"
  kind    = "zone"
  phase   = "http_request_firewall_managed"

  rules {
    action = "execute"

    action_parameters {
      # ID of the managed ruleset to execute (the Cloudflare Managed Ruleset).
      id = "efb7b8c949ac4650a09736fc376e9aee"

      overrides {
        rules {
          # This rule is downgraded to "log": matching requests are recorded
          # but no longer blocked. Confirm which detection this ID refers to,
          # and restore its default action once false positives are ruled out.
          id     = "5de7edfa648c4d6891dc3e7f84534ffa"
          action = "log"
        }
      }
    }

    # "true" applies the managed ruleset to all requests.
    expression = "true"
  }
}
resource "cloudflare_ruleset" "rate_limiting" {
zone_id = var.zone_id
phase = "h