[WAF] Update Zone Lockdown page (#27204)

* Also updates custom rules use cases

---------

Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
tobicf 2025-12-19 08:56:22 -06:00 committed by GitHub
parent 5c25b03b91
commit 9e60d2b388
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 76 additions and 23 deletions

@ -8,26 +8,37 @@ head:
import { Steps } from "~/components";
This example skips WAF rules for requests from IP addresses in an allowlist (defined using an [IP list](/waf/tools/lists/custom-lists/#ip-lists)).
This example blocks incoming requests from IP addresses that are not present in an allowlist (defined using an [IP list](/waf/tools/lists/custom-lists/#ip-lists)).
<Steps>
1. [Create an IP list](/waf/tools/lists/create-dashboard/) with the IP addresses for which you want to allow access.<br/>
For example, create an IP list named `allowed_ips` with one or more IP addresses. For more information on the accepted IP address formats, refer to [IP lists](/waf/tools/lists/custom-lists/#ip-lists).
2. [Create a custom rule](/waf/custom-rules/create-dashboard/) skipping all rules for any request from the IPs in the list you created (`allowed_ips` in the current example).
- **Expression**: `(ip.src in $allowed_ips)`
- **Action**: _Skip:_
- _All remaining custom rules_
- _Skip phases_:
- _All rate limiting rules_
- _All Super Bot Fight Mode rules_
- _All managed rules_
2. [Create a custom rule](/waf/custom-rules/create-dashboard/) blocking any requests from IPs not present in the list you created (`allowed_ips` in the current example).
- **When incoming requests match**:
| Field | Operator | Value |
| ----------------- | -------------- | ------------- |
| IP Source Address | is not in list | `allowed_ips` |
If you are using the Expression Editor:<br/>
`(not ip.src in $allowed_ips)`
- **Action**: _Block_
3. (Optional) Update your expression with any extra filters, like blocking non-allowlisted IPs only for specific URI paths:
| Field | Operator | Value | |
| ----------------- | -------------- | ------------- | --- |
| IP Source Address | is not in list | `allowed_ips` | And |
| URI Path | wildcard | `/admin/*` | |
If you are using the Expression Editor:<br/>
`(not ip.src in $allowed_ips and http.request.uri.path wildcard "/admin/*")`
</Steps>
Make sure the new rule appears before any other custom rules in the rules list.
## Other resources
- [Use case: Require known IP addresses in site admin area](/waf/custom-rules/use-cases/site-admin-only-known-ips/)
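Review bot: step 3's optional filter `http.request.uri.path wildcard "/admin/*"` reproduces what the linked "Require known IP addresses in site admin area" use case already covers; either drop the step or make the link text say that the other page shows the path-scoped variant. The expression `(not ip.src in $allowed_ips and http.request.uri.path wildcard "/admin/*")` only reads as "(not in list) and (path matches)" because `not` binds tighter than `and`; writing it as `((not ip.src in $allowed_ips) and http.request.uri.path wildcard "/admin/*")` removes the ambiguity for readers who copy it. The closing sentence "Make sure the new rule appears before any other custom rules in the rules list" was written for the skip action; it still matters for a block rule (an earlier skip rule could bypass it), so say why the ordering is required rather than leaving the sentence unexplained.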

@ -3,15 +3,22 @@ pcx_content_type: configuration
title: Require known IP addresses in site admin area
---
If an attack compromises the administrative area of your website, the consequences can be severe. With custom rules, you can protect your sites admin area by blocking requests for access to admin paths that do not come from a known IP address.
If an attack compromises the administrative area of your website, the consequences can be severe. With custom rules, you can protect your site's admin area by blocking requests for access to admin paths that do not come from a known IP address.
This example custom rule limits access to the WordPress admin area, `/wp-admin/`, by blocking requests that do not originate from a specified set of IP addresses:
This example [custom rule](/waf/custom-rules/create-dashboard/) limits access to the WordPress admin area, `/wp-admin/`, by blocking requests that do not originate from a specified set of IP addresses:
- **When incoming requests match**:
| Field | Operator | Value | |
| ----------------- | --------- | ------------------------------ | --- |
| IP Source Address | is not in | `10.20.30.40` `192.168.1.0/24` | And |
| URI Path | wildcard | `/wp-admin/*` | |
If you are using the Expression Editor:<br/>
`(not ip.src in {10.20.30.40 192.168.1.0/24} and http.request.uri.path wildcard "/wp-admin/*")`
- **Expression**: `(not ip.src in {10.20.30.40 192.168.1.0/24} and starts_with(lower(http.request.uri.path), "/wp-admin"))`
- **Action**: _Block_
To prevent attackers from successfully using a permutation of `/wp-admin/` such as `/wP-AdMiN/`, the expression uses the [`lower()`](/ruleset-engine/rules-language/functions/#lower) transformation function to convert the URI path to lowercase.
## Other resources
- [Use case: Allow traffic from IP addresses in allowlist only](/waf/custom-rules/use-cases/allow-traffic-from-ips-in-allowlist/)
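Review bot: the paragraph stating that the expression uses `lower()` to defeat permutations such as `/wP-AdMiN/` no longer matches the expression shown, which now uses `http.request.uri.path wildcard "/wp-admin/*"` with no `lower()` call; if that paragraph stays, reword it to explain how the new expression handles mixed-case paths (and confirm the case-sensitivity of `wildcard` before relying on it), otherwise remove it. In the table, the Value cell lists `10.20.30.40` `192.168.1.0/24` with no separator while the Expression Editor form shows them space-separated inside braces; say how the dashboard field expects multiple values to be entered so the two forms line up.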

@ -21,13 +21,12 @@ All IP addresses not specified in the zone lockdown rule will not have access to
:::note
Cloudflare recommends that you create [custom rules](/waf/custom-rules/) instead of zone lockdown rules to block requests from IP addresses not present in an allowlist of IPs and CIDR ranges.
Cloudflare recommends that you use [custom rules](/waf/custom-rules/) instead of zone lockdown rules to block requests from IP addresses not present in an allowlist of IPs and CIDR ranges.
For example, a custom rule equivalent to the zone lockdown [example rule](#example-rule) provided in this page could have the following configuration:
For examples of using custom rules for this purpose, refer to the following use cases:
- **Description**: `Block all traffic to staging and wiki unless it comes from HQ or branch offices`
- **Expression**: `((http.host eq "staging.example.com") or (http.host eq "example.com" and starts_with(http.request.uri.path, "/wiki/")) and not ip.src in {192.0.2.0/24 2001:DB8::/64 203.0.133.1}`
- **Action**: _Block_
- [Allow traffic from IP addresses in allowlist only](/waf/custom-rules/use-cases/allow-traffic-from-ips-in-allowlist/)
- [Require known IP addresses in site admin area](/waf/custom-rules/use-cases/site-admin-only-known-ips/)
:::
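Review bot: the inline expression being replaced had unbalanced parentheses (`((http.host eq "staging.example.com") or (http.host eq "example.com" and starts_with(...))` closes only one of the two outer groups before `and not ip.src`), so dropping it is an improvement, but the two use cases this note now points to filter on IP and, at most, a URI path; neither scopes by `http.host` the way the zone lockdown example on this page does. Add a pointer to the equivalent custom rule shown in the Example rule section so a reader migrating a hostname-scoped lockdown finds it.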
@ -66,16 +65,19 @@ The number of available zone lockdown rules depends on your Cloudflare plan.
</TabItem> <TabItem label="New dashboard" icon="rocket">
:::note
Zone Lockdown is only available in the new security dashboard if you have configured at least one zone lockdown rule. Cloudflare recommends that you use [custom rules](/waf/custom-rules/) instead of zone lockdown rules.
Zone Lockdown is only available in the [new security dashboard](/security/) if you have configured at least one zone lockdown rule.
:::
**If you have access to Zone Lockdown rules**
<Steps>
1. In the Cloudflare dashboard, go to the **Security rules** page.
<DashButton url="/?to=/:account/:zone/security/security-rules" />
2. Select **Create rule** > **Zone lockdown rules**.
2. Select **Create rule** > **Zone lockdown rules**.<br/>
If this option is not available, refer to the instructions below.
3. Enter a descriptive name for the rule in **Name**.
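Review bot: "refer to the instructions below" is vague; name the subsection ("If you do not have access to Zone Lockdown rules") so the cross-reference survives reordering. The sentence recommending custom rules over zone lockdown rules was dropped from this note; that recommendation still appears in the note near the top of the page, so this is fine only as long as that one is kept.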
@ -89,6 +91,22 @@ Zone Lockdown is only available in the new security dashboard if you have config
</Steps>
**If you do not have access to Zone Lockdown rules**
Create a [custom rule](/waf/custom-rules/create-dashboard/) to perform zone lockdown:
<Steps>
1. In the Cloudflare dashboard, go to the **Security rules** page.
<DashButton url="/?to=/:account/:zone/security/security-rules" />
2. Select **Templates**, and then select the template **Allow only specified IP addresses**.
3. Fill in the required fields and select **Deploy**.
</Steps>
</TabItem> <TabItem label="API">
Issue a `POST` request for the [Create a Zone Lockdown rule](/api/resources/firewall/subresources/lockdowns/methods/create/) operation similar to the following:
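Review bot: the template flow ("Allow only specified IP addresses") hides the resulting expression and, by its name, filters on IP only, whereas a zone lockdown rule is scoped to the URLs listed in it; tell readers that reproducing a lockdown limited to specific hostnames or paths requires adding `http.host` and `http.request.uri.path` conditions after deploying the template, or link the equivalent custom rule in the Example rule section. Also state the action the template deploys (Block) so readers can verify the deployed rule in the list.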
@ -146,6 +164,23 @@ The following example rule will only allow visitors connecting from a company
This example would not protect an internal wiki located on a different directory path such as `example.com/internal/wiki`.
:::note
A [custom rule](/waf/custom-rules/create-dashboard/) with an equivalent behavior would have the following configuration:
**Description**:<br/>
`Block all traffic to staging and wiki unless it comes from HQ or branch offices`
**Expression**:
```txt
((http.host eq "staging.example.com") or (http.host eq "example.com" and http.request.uri.path wildcard "/wiki/*")) and not ip.src in {192.0.2.0/24 2001:DB8::/64 203.0.133.1}
```
**Action**: _Block_
:::
## Access denied example
A visitor from an unauthorized IP will get the following error when there is a match for a zone lockdown rule:
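Review bot: the description in the new note matches the zone lockdown example, but the expression swaps the earlier `starts_with(http.request.uri.path, "/wiki/")` for `http.request.uri.path wildcard "/wiki/*"`; confirm and state whether the matching semantics (case sensitivity in particular) differ, since the page presents the two rules as equivalent. Minor: the Description uses `<br/>` followed by a code span while the Expression uses a fenced `txt` block; one style for both keeps the note consistent.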