diff --git a/src/content/docs/fundamentals/reference/under-attack-mode.mdx b/src/content/docs/fundamentals/reference/under-attack-mode.mdx index df35ff624991b1a..acf75f2c931d579 100644 --- a/src/content/docs/fundamentals/reference/under-attack-mode.mdx +++ b/src/content/docs/fundamentals/reference/under-attack-mode.mdx 
@@ -2,31 +2,29 @@ pcx_content_type: reference source: https://support.cloudflare.com/hc/en-us/articles/200170076-Understanding-Cloudflare-Under-Attack-mode-advanced-DDOS-protection- title: Under Attack mode - --- import { Example } from "~/components" -Cloudflare's **I'm Under Attack Mode** performs additional security checks to help mitigate layer 7 DDoS attacks. Validated users access your website and suspicious traffic is blocked. It is designed to be used as one of the last resorts when a zone is under attack (and will temporarily pause access to your site and impact your site analytics). +Cloudflare's Under Attack mode performs additional security checks to help mitigate layer 7 DDoS attacks. Validated users access your website and suspicious traffic is blocked. It is designed to be used as one of the last resorts when a zone is under attack (and will temporarily pause access to your site and impact your site analytics). When enabled, visitors receive an interstitial page. -## Enable Under Attack mode +## Turn on Under Attack mode -**I'm Under Attack Mode** is disabled by default for your zone. +Under Attack mode is turned off by default for your zone. ### Globally -To put your entire zone in **I'm Under Attack Mode**: +To put your entire zone in Under Attack mode: -1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com). +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com). 2. Select your account and zone. -3. Go to **Security** > **Settings**. -4. For **Security Level**, choose **I'm Under Attack!**. +3. In the zone overview page, turn on **Under Attack Mode** in the **Quick Actions** sidebar. ### Selectively -To enable **I'm Under Attack Mode** for specific pages or sections of your site, use a [Configuration Rule](/rules/configuration-rules/) to adjust the **Security Level**. 
+To enable Under Attack mode for specific pages or sections of your site, use a [configuration rule](/rules/configuration-rules/) to adjust the **Security Level**. @@ -48,11 +46,11 @@ If you are using the Expression Editor, enter the following expression:
To turn it on for specific ASNs (hosts/ISPs that own IP addresses), countries, or IP ranges, use [IP Access Rules](/waf/tools/ip-access-rules/). -*** +--- ## Preview Under Attack mode -To preview what **I'm Under Attack** mode looks like for your visitors: +To preview what Under Attack mode looks like for your visitors: 1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com). 2. Select your account. @@ -60,9 +58,9 @@ To preview what **I'm Under Attack** mode looks like for your visitors: 4. Go to **Custom Pages**. 5. For **Managed Challenge / I'm Under Attack Mode™**, select **Custom Pages** > **View default**. -The "Checking your browser before accessing..." challenge determines whether to block or allow a visitor within five seconds. After passing the challenge, the visitor does not observe another challenge until the duration configured in [**Challenge Passage**](/waf/tools/challenge-passage/). +The `Checking your browser before accessing...` challenge determines whether to block or allow a visitor within five seconds. After passing the challenge, the visitor does not observe another challenge until the duration configured in [Challenge Passage](/waf/tools/challenge-passage/). -*** +--- ## Potential issues diff --git a/src/content/docs/rules/configuration-rules/create-api.mdx b/src/content/docs/rules/configuration-rules/create-api.mdx index f6f0857daae471d..011e62613fe17ba 100644 --- a/src/content/docs/rules/configuration-rules/create-api.mdx +++ b/src/content/docs/rules/configuration-rules/create-api.mdx @@ -61,9 +61,9 @@ https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id} \ -
+
-The following example sets the rules of an existing phase ruleset (`{ruleset_id}`) to a single configuration rule — turning on I'm Under Attack mode for the administration area — using the [Update a zone ruleset](/api/resources/rulesets/methods/update/) operation: +The following example sets the rules of an existing phase ruleset (`{ruleset_id}`) to a single configuration rule — turning on Under Attack mode for the administration area — using the [Update a zone ruleset](/api/resources/rulesets/methods/update/) operation: ```bash title="Request" curl --request PUT \ diff --git a/src/content/docs/ssl/edge-certificates/changing-dcv-method/troubleshooting.mdx b/src/content/docs/ssl/edge-certificates/changing-dcv-method/troubleshooting.mdx index 2e7dd2fa79dba2f..eae847e80198310 100644 --- a/src/content/docs/ssl/edge-certificates/changing-dcv-method/troubleshooting.mdx +++ b/src/content/docs/ssl/edge-certificates/changing-dcv-method/troubleshooting.mdx @@ -6,10 +6,9 @@ sidebar: head: - tag: title content: Troubleshooting Domain Control Validation - --- -import { GlossaryTooltip, Render } from "~/components" +import { GlossaryTooltip, Render } from "~/components"; Taking into account the [steps involved in DCV](/ssl/edge-certificates/changing-dcv-method/dcv-flow/), some situations may interfere with certificate issuance and renewal. 
@@ -24,12 +23,14 @@ If you are using the Cloudflare API, error messages are presented under the `val If you have issues while HTTP DCV is in place, review the following settings: -* **Anything affecting `/.well-known/*`**: Review [WAF custom rules](/waf/custom-rules/), [IP Access Rules](/waf/tools/ip-access-rules/), and other [configuration rules](/rules/configuration-rules/) to make sure that your rules *do not* enable interactive challenge on the validation URL. +- **Anything affecting `/.well-known/*`**: Review [WAF custom rules](/waf/custom-rules/), [IP Access Rules](/waf/tools/ip-access-rules/), and other [configuration rules](/rules/configuration-rules/) to make sure that your rules _do not_ enable interactive challenge on the validation URL. -* **Cloudflare Account Settings** and **Page Rules**: Review your [account settings](/fundamentals/reference/under-attack-mode/), [Configuration Rules](/rules/configuration-rules/), and [Page Rules](/rules/page-rules/) to ensure you have not enabled **I'm Under Attack Mode** on the validation URL. +- **Cloudflare Account Settings** and **Page Rules**: Review your [account settings](/fundamentals/reference/under-attack-mode/), [Configuration Rules](/rules/configuration-rules/), and [Page Rules](/rules/page-rules/) to ensure you have not enabled Under Attack mode on the validation URL. :::caution - + + + ::: ## Redirection 
@@ -44,14 +45,14 @@ When using [Redirect Rules](/rules/url-forwarding/single-redirects/) the `/.well The errors below refer to situations that have to be addressed at the authoritative DNS provider: -* `the Certificate Authority had trouble performing a DNS lookup: dns problem: looking up caa for nsheiapp.codeacloud.com: dnssec: bogus` -* `Certificate authority encountered a SERVFAIL during DNS lookup, please check your DNS reachability.` +- `the Certificate Authority had trouble performing a DNS lookup: dns problem: looking up caa for nsheiapp.codeacloud.com: dnssec: bogus` +- `Certificate authority encountered a SERVFAIL during DNS lookup, please check your DNS reachability.` Consider the following when troubleshooting: -* [DNSSEC](https://www.cloudflare.com/learning/dns/dns-security/) must be configured correctly. You can use [DNSViz](https://dnsviz.net/) to understand and troubleshoot the deployment of DNSSEC. -* Your [CAA records](/ssl/edge-certificates/caa-records/) should allow Cloudflare's partner [certificate authorities (CAs)](/ssl/reference/certificate-authorities/) to issue certificates on your behalf. -* The HTTP verification process is done preferably over **IPv6**, so if any `AAAA` record exists and does not point to the same dual-stack location as the `A` record, the validation will fail. +- [DNSSEC](https://www.cloudflare.com/learning/dns/dns-security/) must be configured correctly. You can use [DNSViz](https://dnsviz.net/) to understand and troubleshoot the deployment of DNSSEC. +- Your [CAA records](/ssl/edge-certificates/caa-records/) should allow Cloudflare's partner [certificate authorities (CAs)](/ssl/reference/certificate-authorities/) to issue certificates on your behalf. +- The HTTP verification process is done preferably over **IPv6**, so if any `AAAA` record exists and does not point to the same dual-stack location as the `A` record, the validation will fail. ## CA errors 
diff --git a/src/content/docs/terraform/tutorial/add-page-rules.mdx b/src/content/docs/terraform/tutorial/add-page-rules.mdx index d2090f042cdeb69..f5be51950173044 100644 --- a/src/content/docs/terraform/tutorial/add-page-rules.mdx +++ b/src/content/docs/terraform/tutorial/add-page-rules.mdx @@ -236,7 +236,7 @@ cloudflare_page_rule.increase-security-on-expensive-page: Creation complete afte Apply complete! Resources: 2 added, 0 changed, 0 destroyed. ``` -With the Page Rules in place, try that call again, along with a test for the I'm Under Attack mode: +With the Page Rules in place, try that call again, along with a test for the Under Attack mode: ```sh curl -vso /dev/null https://www.example.com/old-location.php 2>&1 | grep "< HTTP\|Location" @@ -255,4 +255,4 @@ curl -vso /dev/null https://www.example.com/expensive-db-call 2>&1 | grep "< HTT < HTTP/1.1 503 Service Temporarily Unavailable ``` -The call works as expected. In the first case, the Cloudflare global network responds with a `301` redirecting the browser to the new location. In the second case, the Cloudflare global network initially responds with a `503`, which is consistent with the I'm Under Attack mode. +The call works as expected. In the first case, the Cloudflare global network responds with a `301` redirecting the browser to the new location. In the second case, the Cloudflare global network initially responds with a `503`, which is consistent with the Under Attack mode. diff --git a/src/content/docs/waf/tools/ip-access-rules/actions.mdx b/src/content/docs/waf/tools/ip-access-rules/actions.mdx index 7f96c224b586a50..4d7ca0ed62ab472 100644 --- a/src/content/docs/waf/tools/ip-access-rules/actions.mdx +++ b/src/content/docs/waf/tools/ip-access-rules/actions.mdx 
@@ -6,17 +6,16 @@ sidebar: head: - tag: title content: IP Access rules actions - --- An IP Access rule can perform one of the following actions: -* **Block**: Prevents a visitor from visiting your site. +- **Block**: Prevents a visitor from visiting your site. -* **Allow**: Excludes visitors from all security checks, including [Browser Integrity Check](/waf/tools/browser-integrity-check/), [I'm Under Attack Mode](/fundamentals/reference/under-attack-mode/), and the WAF. Use this option when a trusted visitor is being blocked by Cloudflare's default security features. The *Allow* action takes precedence over the *Block* action. Note that allowing a given country code will not bypass WAF managed rules (previous and new versions). +- **Allow**: Excludes visitors from all security checks, including [Browser Integrity Check](/waf/tools/browser-integrity-check/), [Under Attack mode](/fundamentals/reference/under-attack-mode/), and the WAF. Use this option when a trusted visitor is being blocked by Cloudflare's default security features. The _Allow_ action takes precedence over the _Block_ action. Note that allowing a given country code will not bypass WAF managed rules (previous and new versions). -* **Managed Challenge**: Depending on the characteristics of a request, Cloudflare will dynamically choose the appropriate type of challenge from a list of possible actions. For more information, refer to [Cloudflare challenges](/waf/reference/cloudflare-challenges/#managed-challenge-recommended). +- **Managed Challenge**: Depending on the characteristics of a request, Cloudflare will dynamically choose the appropriate type of challenge from a list of possible actions. For more information, refer to [Cloudflare challenges](/waf/reference/cloudflare-challenges/#managed-challenge-recommended). -* **JavaScript Challenge**: Presents the [I'm Under Attack Mode](/fundamentals/reference/under-attack-mode/) interstitial page to visitors. The visitor or client must support JavaScript. 
Useful for blocking DDoS attacks with minimal impact to legitimate visitors. +- **JavaScript Challenge**: Presents the [Under Attack mode](/fundamentals/reference/under-attack-mode/) interstitial page to visitors. The visitor or client must support JavaScript. Useful for blocking DDoS attacks with minimal impact to legitimate visitors. -* **Interactive Challenge**: Requires the visitor to complete an interactive challenge before visiting your site. Prevents bots from accessing the site. +- **Interactive Challenge**: Requires the visitor to complete an interactive challenge before visiting your site. Prevents bots from accessing the site. diff --git a/src/content/docs/waf/troubleshooting/facebook-sharing.mdx b/src/content/docs/waf/troubleshooting/facebook-sharing.mdx index 4d496e85ceff9c7..0c41937111d053a 100644 --- a/src/content/docs/waf/troubleshooting/facebook-sharing.mdx +++ b/src/content/docs/waf/troubleshooting/facebook-sharing.mdx 
@@ -4,16 +4,15 @@ source: https://support.cloudflare.com/hc/en-us/articles/217720788-Troubleshooti title: Issues sharing to Facebook sidebar: order: 2 - --- -import { GlossaryTooltip } from "~/components" +import { GlossaryTooltip } from "~/components"; -Cloudflare does not block or challenge requests from Facebook by default. However, a post of a website to Facebook returns an *Attention Required* error in the following situations: +Cloudflare does not block or challenge requests from Facebook by default. However, a post of a website to Facebook returns an _Attention Required_ error in the following situations: -* You have globally set the [security level](/waf/tools/security-level/) to *I'm Under Attack*. -* There is a [configuration rule](/rules/configuration-rules/) or [page rule](/rules/page-rules/) setting the security level to *I'm Under Attack*. -* There is a [custom rule](/waf/custom-rules/) with a challenge or block action that includes a Facebook IP address. +- You have globally set the [security level](/waf/tools/security-level/) to _I'm Under Attack_. +- There is a [configuration rule](/rules/configuration-rules/) or [page rule](/rules/page-rules/) setting turning on Under Attack mode. +- There is a [custom rule](/waf/custom-rules/) with a challenge or block action that includes a Facebook IP address. A country challenge can block a Facebook IP address. Facebook is known to crawl from both the US and Ireland. 
@@ -21,9 +20,9 @@ A country challenge can block a Facebook IP address. Facebook is known to crawl To resolve issues sharing to Facebook, do one of the following: -* Remove the corresponding IP, ASN, or country custom rule that challenges or blocks Facebook IPs. -* Create a [skip rule](/waf/custom-rules/skip/) for ASNs `AS32934` and `AS63293` (use the *Skip* action and configure the rule to skip **Security Level**). -* Review existing configuration rules and Page Rules and make sure they are not affecting requests from Facebook IPs. +- Remove the corresponding IP, ASN, or country custom rule that challenges or blocks Facebook IPs. +- Create a [skip rule](/waf/custom-rules/skip/) for ASNs `AS32934` and `AS63293` (use the _Skip_ action and configure the rule to skip **Security Level**). +- Review existing configuration rules and Page Rules and make sure they are not affecting requests from Facebook IPs. If you experience issues with Facebook sharing, you can re-scrape pages via the **Fetch New Scrape Information** option on Facebook's Object Debugger. Facebook [provides an API](https://developers.facebook.com/docs/sharing/opengraph/using-objects) to help update a large number of resources. diff --git a/src/content/partials/waf/security-level-scores.mdx b/src/content/partials/waf/security-level-scores.mdx index e5a5e57aae68de1..e4bce01071eba36 100644 --- a/src/content/partials/waf/security-level-scores.mdx +++ b/src/content/partials/waf/security-level-scores.mdx 
@@ -19,11 +19,11 @@ The available security levels are the following: Selecting a higher **Security Level** value means that even requests with a lower risk (that is, with a low [threat score](#threat-score)) will be challenged. Selecting a lower **Security Level** value means that only requests posing a higher risk (that is, with a high threat score) will be challenged. -Security levels from _Essentially off_ to _High_ will challenge the visitor using a Managed Challenge. When you select _I'm Under Attack!_, which enables [I'm Under Attack mode](/fundamentals/reference/under-attack-mode/), Cloudflare will present a JS challenge page. +Security levels from _Essentially off_ to _High_ will challenge the visitor using a Managed Challenge. When you select _I'm Under Attack!_, which enables [Under Attack mode](/fundamentals/reference/under-attack-mode/), Cloudflare will present a JS challenge page. :::caution -Only use [I'm Under Attack mode](/fundamentals/reference/under-attack-mode/) when a website is under a DDoS attack. I'm Under Attack mode may affect some actions on your domain, such as your API traffic. +Only use [Under Attack mode](/fundamentals/reference/under-attack-mode/) when a website is under a DDoS attack. Under Attack mode may affect some actions on your domain, such as your API traffic. To set a custom security level for your API or any other part of your domain, create a [configuration rule](/rules/configuration-rules/). :::
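Review bot: In `under-attack-mode.mdx` (hunk `@@ -2,31 +2,29 @@`), the heading rename from `## Enable Under Attack mode` to `## Turn on Under Attack mode` will change the section's anchor if anchors are derived from heading text, and none of the other files in this patch updates a link to it. Check for inbound references to the old anchor before merging. In the same hunk, the added line under "Selectively" still reads `To enable Under Attack mode for specific pages or sections`, which does not match the "turn on" / "turned off" wording adopted in the heading and the default-state sentence; suggest "To turn on Under Attack mode for specific pages".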
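Review bot: In `under-attack-mode.mdx` (hunk `@@ -48,11 +46,11 @@`, "Preview Under Attack mode"), step 1 is left as `1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com).` while the first hunk of the same file corrects the identical step to `Log in to`. Apply the same correction here so the two procedures on the page agree.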
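Review bot: In `changing-dcv-method/troubleshooting.mdx` (hunk `@@ -24,12 +23,14 @@`), the second bullet keeps `[Configuration Rules](/rules/configuration-rules/)` capitalised while the first bullet of the same list, and the updated line in `under-attack-mode.mdx`, use lowercase `configuration rules`. Lowercase it for consistency. The same bullet still says `you have not enabled Under Attack mode`; consider "turned on" to match the renamed feature wording. This bullet matters operationally, since a challenge on the `/.well-known/*` validation URL blocks certificate issuance and renewal, so the wording should match what readers will see in the dashboard.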
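Review bot: In `terraform/tutorial/add-page-rules.mdx`, both changed lines keep the article after the rename: `a test for the Under Attack mode` and `which is consistent with the Under Attack mode`. The article read naturally with "the I'm Under Attack mode" but the rest of this patch uses the bare name ("Under Attack mode performs...", "turn on Under Attack mode"). Drop "the" in both places.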
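Review bot: In `waf/troubleshooting/facebook-sharing.mdx` (hunk `@@ -4,16 +4,15 @@`), the rewritten second bullet is ungrammatical: `There is a [configuration rule](...) or [page rule](...) setting turning on Under Attack mode.` The leftover word "setting" from the old sentence should go, giving "There is a configuration rule or page rule turning on Under Attack mode." Also note the first bullet still says the security level is set to `_I'm Under Attack_`; if that is intentionally kept as the literal Security Level value, a short parenthetical tying it to Under Attack mode would keep the two bullets from reading as different features.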