[ SKILL_DOCUMENTATION ]
# Cloudflare WAF Expert Skill Reference
**Domain**: Cloudflare Web Application Firewall (WAF) configuration, custom rules, managed rulesets, rate limiting, attack detection, and API integration
## Overview
Cloudflare WAF protects web applications from attacks through managed rulesets and custom rules.
**Detection (managed rulesets)**
- Pre-configured rules maintained by Cloudflare
- CVE-based rules covering the OWASP Top 10
- Three main rulesets: Cloudflare Managed, OWASP CRS, Exposed Credentials
- Actions: log, block, challenge, js_challenge, managed_challenge
**Mitigation (custom rules and rate limiting)**
- Custom expressions written in Wirefilter syntax
- Blocking based on the attack score (`cf.waf.score`)
- Rate limiting keyed on IP, user, or custom characteristics
- Actions: block, challenge, js_challenge, managed_challenge, log, skip
## Quick Start
### Deploy the Cloudflare Managed Ruleset
```typescript
import Cloudflare from 'cloudflare';
const client = new Cloudflare({ apiToken: process.env.CF_API_TOKEN });
// Deploy the managed ruleset to the zone
await client.rulesets.create({
  zone_id: 'zone_id',
  kind: 'zone',
  phase: 'http_request_firewall_managed',
  name: 'Deploy Cloudflare Managed Ruleset',
  rules: [{
    action: 'execute',
    action_parameters: {
      id: 'efb7b8c949ac4650a09736fc376e9aee', // Cloudflare Managed Ruleset
    },
    expression: 'true',
    enabled: true,
  }],
});
```
### Create a Custom Rule
```typescript
// `client` is the Cloudflare instance created in the previous snippet.
// Block requests with an attack score of 40 or below. cf.waf.score runs
// from 1 to 99: 1 means the request is almost certainly an attack and
// 99 means it is almost certainly clean, so blocking targets LOW scores.
await client.rulesets.create({
  zone_id: 'zone_id',
  kind: 'zone',
  phase: 'http_request_firewall_custom',
  name: 'Custom WAF Rules',
  rules: [{
    action: 'block',
    expression: 'cf.waf.score le 40',
    description: 'Block likely attacks (low attack score)',
    enabled: true,
  }],
});
```
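The attack-score rule above is a single tier. The following added example (not code from the original page or from Cloudflare) builds the `rules` array for a tiered `http_request_firewall_custom` ruleset: a `skip` rule for an allowlisted path, a `block` tier for likely attacks, and a `managed_challenge` tier for suspicious scores, with a dry-run mode that logs instead of acting. The `/healthz` path and the default thresholds are assumptions.

```typescript
// Added example, not from the original page: build the rules for an
// http_request_firewall_custom ruleset tiered on the WAF attack score.
// cf.waf.score runs 1..99 (1 = almost certainly an attack, 99 = clean),
// so the blocking expression targets LOW scores. The "/healthz" path is
// a hypothetical allowlisted endpoint.
type WafAction = 'block' | 'managed_challenge' | 'log';
interface WafRule {
  action: 'skip' | WafAction;
  expression: string;
  description: string;
  enabled: boolean;
  action_parameters?: { ruleset: 'current' };
}

// enforce=false is a dry run: every tier logs instead of acting, so the
// rules can be checked in Security Events before they reject traffic.
function buildScoreTieredRules(
  blockAtOrBelow = 20,
  challengeAtOrBelow = 50,
  enforce = false,
  bypassPath = '/healthz',
): WafRule[] {
  if (blockAtOrBelow >= challengeAtOrBelow) {
    throw new Error('block threshold must be below challenge threshold');
  }
  const act = (a: WafAction): WafAction => (enforce ? a : 'log');
  return [
    // First: skip ends evaluation of this ruleset for the allowlisted
    // path, so the score tiers below never apply to it.
    {
      action: 'skip',
      action_parameters: { ruleset: 'current' },
      expression: `http.request.uri.path eq "${bypassPath}"`,
      description: 'Allowlist health checks',
      enabled: true,
    },
    {
      action: act('block'),
      expression: `cf.waf.score le ${blockAtOrBelow}`,
      description: 'Likely attack',
      enabled: true,
    },
    {
      action: act('managed_challenge'),
      expression: `cf.waf.score gt ${blockAtOrBelow} and cf.waf.score le ${challengeAtOrBelow}`,
      description: 'Suspicious: challenge instead of block',
      enabled: true,
    },
  ];
}
```

Pass the returned array as the `rules` field of `client.rulesets.create` in the custom phase, first with `enforce=false` to review matches, then with `enforce=true`.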
### Create a Rate Limit
```typescript
// `client` is the Cloudflare instance created in the first snippet.
// Allow at most 10 requests per 60 s to /api/login per (colo, source IP),
// then block that client for 600 s.
await client.rulesets.create({
  zone_id: 'zone_id',
  kind: 'zone',
  phase: 'http_ratelimit',
  name: 'API Rate Limits',
  rules: [{
    action: 'block',
    expression: 'http.request.uri.path eq "/api/login"',
    action_parameters: {
      ratelimit: {
        characteristics: ['cf.colo.id', 'ip.src'],
        period: 60,
        requests_per_period: 10,
        mitigation_timeout: 600,
      },
    },
    enabled: true,
  }],
});
```
## Managed Ruleset Quick Reference
| Ruleset name | ID | Coverage |
|--------------|----|----------|
| Cloudflare Managed | `efb7b8c949ac4650a09736fc376e9aee` | OWASP Top 10, CVEs |
| OWASP Core Ruleset | `4814384a9e5d4991b9815dcfc25d` | |