diff --git a/src/content/docs/ddos-protection/managed-rulesets/http/configure-api.mdx b/src/content/docs/ddos-protection/managed-rulesets/http/configure-api.mdx index ffc65eb9c563a3..dfec12f7d765ea 100644 --- a/src/content/docs/ddos-protection/managed-rulesets/http/configure-api.mdx +++ b/src/content/docs/ddos-protection/managed-rulesets/http/configure-api.mdx @@ -22,7 +22,7 @@ Use overrides to configure the HTTP DDoS Attack Protection managed ruleset. Over Overrides can have a ruleset, tag, or rule scope. Tag and rule configurations have greater priority than ruleset configurations. -You can create overrides at the zone level and at the account level. Account-level overrides allow you to apply the same override to several zones in your account with a single rule. For example, you can use an account-level override to lower the sensitivity of a specific managed ruleset rule or exclude an [IP list](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists) for multiple zones. However, if a given zone has overrides for the HTTP DDoS Attack Protection managed ruleset, the account-level overrides will not be evaluated for that zone. +You can create overrides at the zone level and at the account level. Account-level overrides allow you to apply the same override to several zones in your account with a single rule. For example, you can use an account-level override to lower the sensitivity of a specific managed ruleset rule or exclude an [IP list](/waf/tools/lists/custom-lists/#ip-lists) for multiple zones. However, if a given zone has overrides for the HTTP DDoS Attack Protection managed ruleset, the account-level overrides will not be evaluated for that zone. :::caution[Important] 
@@ -141,7 +141,7 @@ For more information on defining overrides for managed rulesets using the Rulese ### Account-level configuration example -The following `PUT` example creates a new phase ruleset (or updates the existing one) for the `ddos_l7` phase at the account level. The example defines a single rule override for requests coming from IP addresses in the `allowlisted_ips` [IP list](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists), with the following configuration: +The following `PUT` example creates a new phase ruleset (or updates the existing one) for the `ddos_l7` phase at the account level. The example defines a single rule override for requests coming from IP addresses in the `allowlisted_ips` [IP list](/waf/tools/lists/custom-lists/#ip-lists), with the following configuration: - The rule with ID ``, belonging to the HTTP DDoS Attack Protection managed ruleset (with ID ``), will have an `eoff` (_Essentially Off_) sensitivity level and it will perform a `log` action. diff --git a/src/content/docs/firewall/cf-dashboard/rule-preview.mdx b/src/content/docs/firewall/cf-dashboard/rule-preview.mdx index f1e8c88dbf1253..5f12f9a07c6db6 100644 --- a/src/content/docs/firewall/cf-dashboard/rule-preview.mdx +++ b/src/content/docs/firewall/cf-dashboard/rule-preview.mdx 
@@ -36,6 +36,6 @@ In this screenshot, a rule that matches all User-Agents that contain the string **Rule Preview does not take into account other firewall rules** that you have already configured. In effect, Rule Preview tests a single firewall rule in isolation. Security events or any other rules with a higher priority that may have blocked or challenged a request are ignored. -**You cannot test firewall rules that reference [IP lists](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists)**. +**You cannot test firewall rules that reference [IP lists](/waf/tools/lists/custom-lists/#ip-lists)**. **Cloudflare does not store the entirety of requests, so only a limited number of fields are available to Rule Preview**. The table below lists the fields that Rule Preview supports (green cells), broken down by operator. Fields and operators that are not supported are not included in this table. diff --git a/src/content/docs/firewall/cf-firewall-rules/index.mdx b/src/content/docs/firewall/cf-firewall-rules/index.mdx index 2b270eff2f3e03..dda628b27ae537 100644 --- a/src/content/docs/firewall/cf-firewall-rules/index.mdx +++ b/src/content/docs/firewall/cf-firewall-rules/index.mdx 
@@ -16,6 +16,6 @@ Cloudflare Firewall Rules is a flexible and intuitive framework for filtering HT -In a firewall rule you define an [expression](/ruleset-engine/rules-language/expressions/) that tells Cloudflare what to look for in a request, and specify the appropriate [action](/firewall/cf-firewall-rules/actions/) to take when those conditions are met. Expressions can reference [IP lists](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists) - groups of IP addresses that you can reference collectively by name. +In a firewall rule you define an [expression](/ruleset-engine/rules-language/expressions/) that tells Cloudflare what to look for in a request, and specify the appropriate [action](/firewall/cf-firewall-rules/actions/) to take when those conditions are met. Expressions can reference [IP lists](/waf/tools/lists/custom-lists/#ip-lists) - groups of IP addresses that you can reference collectively by name. To write firewall rule expressions, use the [Rules language](/ruleset-engine/rules-language/), a powerful expression language inspired in the Wireshark Display Filter language. diff --git a/src/content/docs/magic-firewall/about/list-types.mdx b/src/content/docs/magic-firewall/about/list-types.mdx index f7064119edfdd3..f7fa55a7dfe60f 100644 --- a/src/content/docs/magic-firewall/about/list-types.mdx +++ b/src/content/docs/magic-firewall/about/list-types.mdx 
@@ -11,7 +11,7 @@ The threat intelligence feed categories are described in [Managed IP Lists](/waf ## IP lists -Use [IP lists](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists) to group services in networks, like web servers, or for lists of known bad IP addresses to make managing good network endpoints easier. IP lists are helpful for users with very expansive firewall rules with many IP lists. By default, you can add up to 10,000 IPs across all lists. Refer to [Use an IP list](/magic-firewall/how-to/add-rules/#use-an-ip-list) to check an example of how to use an IP list. +Use [IP lists](/waf/tools/lists/custom-lists/#ip-lists) to group services in networks, like web servers, or for lists of known bad IP addresses to make managing good network endpoints easier. IP lists are helpful for users with very expansive firewall rules with many IP lists. By default, you can add up to 10,000 IPs across all lists. Refer to [Use an IP list](/magic-firewall/how-to/add-rules/#use-an-ip-list) to check an example of how to use an IP list. ## Geo-blocking diff --git a/src/content/docs/magic-firewall/best-practices/extended-ruleset.mdx b/src/content/docs/magic-firewall/best-practices/extended-ruleset.mdx index 190494a5e4d6bc..5acf82ee9b9c89 100644 --- a/src/content/docs/magic-firewall/best-practices/extended-ruleset.mdx +++ b/src/content/docs/magic-firewall/best-practices/extended-ruleset.mdx 
@@ -71,7 +71,7 @@ Rule 10 in the example ruleset below is acting as a catch-all to block all traff Follow the best practices for internal routers or firewall interface IP addresses on your MT prefixes below. -1. Create [an IP list](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists), **Internal routers** for example, with your IP addresses. +1. Create [an IP list](/waf/tools/lists/custom-lists/#ip-lists), **Internal routers** for example, with your IP addresses. 2. Block ICMP if it is not needed. 3. Permit GRE/ESP as needed if the devices have GRE/IPsec tunnels via the Internet. @@ -101,7 +101,7 @@ Where possible, permit the required destination IP addresses and ports for web s The following is an example of suggested rules, but you should only make changes based on your specific requirements. For example, if you are not proxied by Cloudflare Layer 7 protection and you expect traffic sourced from the web towards your web servers: -1. Create [an IP list](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists), **web servers** for example, to list IP addresses for your web servers. +1. Create [an IP list](/waf/tools/lists/custom-lists/#ip-lists), **web servers** for example, to list IP addresses for your web servers. 2. Permit traffic for the web server traffic inbound from the Internet. 3. Permit traffic for the infrastructure or client traffic flows from the Internet, for example DNS and NTP. 4. Block all other traffic destined for the web server IP addresses. diff --git a/src/content/docs/magic-firewall/how-to/use-rules-list.mdx b/src/content/docs/magic-firewall/how-to/use-rules-list.mdx index efc41f17fea1aa..71a9c77420563d 100644 --- a/src/content/docs/magic-firewall/how-to/use-rules-list.mdx +++ b/src/content/docs/magic-firewall/how-to/use-rules-list.mdx 
@@ -8,7 +8,7 @@ head: content: Define an IP list --- -[IP lists](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists) are a part of Cloudflare's custom lists. Custom lists contain one or more items of the same type — IP addresses, hostnames or ASNs — that you can reference in rule expressions. +[IP lists](/waf/tools/lists/custom-lists/#ip-lists) are a part of Cloudflare's custom lists. Custom lists contain one or more items of the same type — IP addresses, hostnames or ASNs — that you can reference in rule expressions. IP lists are defined at the account level and can be used to match against `ip.src` and `ip.dst` fields. Currently, Magic Firewall only supports IPv4 addresses in these lists, not IPv6. diff --git a/src/content/docs/rules/snippets/examples/maintenance.mdx b/src/content/docs/rules/snippets/examples/maintenance.mdx index 901d191552b112..b7a4acb2809849 100644 --- a/src/content/docs/rules/snippets/examples/maintenance.mdx +++ b/src/content/docs/rules/snippets/examples/maintenance.mdx 
@@ -12,30 +12,33 @@ title: Maintenance page description: Serve a custom maintenance page instead of fetching content from the origin server or cache. Ideal for downtime notifications, planned maintenance, or emergency messages. --- +## Snippet code + ```js // Define your customizable inputs const statusCode = 503; const title = "We'll Be Right Back!"; -const message = "Our site is currently undergoing scheduled maintenance. We’re working hard to bring you a better experience. Thank you for your patience and understanding."; +const message = + "Our site is currently undergoing scheduled maintenance. We’re working hard to bring you a better experience. Thank you for your patience and understanding."; const estimatedTime = "1 hour"; const contactEmail = "support@example.com"; const contactPhone = "+1 234 567 89"; export default { - async fetch(request) { - // Serve the maintenance page as a response - return new Response(generateMaintenancePage(), { - status: statusCode, - headers: { - "Content-Type": "text/html", - "Retry-After": "3600", // Suggest retry after 1 hour - }, - }); - }, + async fetch(request) { + // Serve the maintenance page as a response + return new Response(generateMaintenancePage(), { + status: statusCode, + headers: { + "Content-Type": "text/html", + "Retry-After": "3600", // Suggest retry after 1 hour + }, + }); + }, }; function generateMaintenancePage() { - return ` + return ` 
@@ -105,3 +108,19 @@ function generateMaintenancePage() { `; } ``` + +## Snippet rule + +Configure a custom filter expression: + +| Field | Operator | Value | +| ----------------- | -------------- | ----------- | +| IP Source Address | is not in list | `admin_ips` | + +If you are using the Expression Editor, enter the following expression: + +```txt +(not ip.src in $admin_ips) +``` + +The [IP list](/waf/tools/lists/custom-lists/#ip-lists) `admin_ips` was previously created and contains the list of IP addresses of the site administrators, which will be able to access the site during the maintenance period. diff --git a/src/content/docs/rules/snippets/examples/slow-suspicious-requests.mdx b/src/content/docs/rules/snippets/examples/slow-suspicious-requests.mdx index a5510f307e7ba5..dbc458e80eca0e 100644 --- a/src/content/docs/rules/snippets/examples/slow-suspicious-requests.mdx +++ b/src/content/docs/rules/snippets/examples/slow-suspicious-requests.mdx @@ -1,7 +1,7 @@ --- type: example summary: Define a delay to be used when incoming requests match a rule you - consider suspicious. + consider suspicious based on the bot score. goal: - Other operation: @@ -11,9 +11,11 @@ products: pcx_content_type: example title: Slow down suspicious requests description: Define a delay to be used when incoming requests match a rule you - consider suspicious. + consider suspicious based on the bot score. --- +## Snippet code + ```js export default { async fetch(request) { @@ -30,3 +32,17 @@ export default { }, }; ``` + +## Snippet rule + +Configure a custom filter expression: + +| Field | Operator | Value | +| --------- | --------- | ----- | +| Bot Score | less than | `10` | + +If you are using the Expression Editor, enter the following expression: + +```txt +(cf.bot_management.score lt 10) +``` diff --git a/src/content/docs/rules/snippets/how-it-works.mdx b/src/content/docs/rules/snippets/how-it-works.mdx index f56423cb1b9a12..b9622558fd30c3 100644 
--- a/src/content/docs/rules/snippets/how-it-works.mdx +++ b/src/content/docs/rules/snippets/how-it-works.mdx @@ -6,14 +6,13 @@ sidebar: head: - tag: title content: How it works - --- Cloudflare Snippets are executed based on rules defined within your zone. Here is how the process works: ## Request evaluation -For each incoming request, Cloudflare evaluates the expression of every Snippet Rule defined in the zone. The evaluation checks for a match based on various request properties (such as bot score, country of origin, cookies). +For each incoming request, Cloudflare evaluates the expression of every Snippet Rule defined in the zone. The evaluation checks for a match based on various request properties (such as bot score, WAF attack score, country of origin, and cookies). ## Snippet execution diff --git a/src/content/docs/rules/transform/response-header-modification/index.mdx b/src/content/docs/rules/transform/response-header-modification/index.mdx index 8b2decd9d84d78..e6b6bc60ff1176 100644 --- a/src/content/docs/rules/transform/response-header-modification/index.mdx +++ b/src/content/docs/rules/transform/response-header-modification/index.mdx @@ -55,7 +55,7 @@ You can create a response header transform rule [in the dashboard](/rules/transf - You cannot modify the value of certain headers such as `server`, `eh-cache-tag`, or `eh-cdn-cache-control`. -- Currently you cannot reference [IP lists](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists) in expressions of Response Header Transform Rules. +- Currently you cannot reference [IP lists](/waf/tools/lists/custom-lists/#ip-lists) in expressions of Response Header Transform Rules. - The HTTP response header removal operation will remove all response headers with the provided name. diff --git a/src/content/docs/ruleset-engine/rules-language/values.mdx b/src/content/docs/ruleset-engine/rules-language/values.mdx index c53f30fcdf329a..013abc89491547 100644 
--- a/src/content/docs/ruleset-engine/rules-language/values.mdx +++ b/src/content/docs/ruleset-engine/rules-language/values.mdx @@ -104,6 +104,7 @@ Cloudflare Business and Enterprise customer plans have access to the `matches` [ Cloudflare has a few limits in place regarding regular expressions. One of those limits is that each rule supports a maximum of 64 regular expressions (regexes), regardless of your domain's plan. You can use the following strategies to reduce the number of regular expressions in a rule: + - Use the [`contains`](/ruleset-engine/rules-language/operators/#comparison-operators) operator. - Use the [`wildcard`](/ruleset-engine/rules-language/operators/#wildcard-matching) / [`strict wildcard`](/ruleset-engine/rules-language/operators/#wildcard-matching) operators. - Use the [`starts_with()`](/ruleset-engine/rules-language/functions/#starts_with) and [`ends_with()`](/ruleset-engine/rules-language/functions/#ends_with) functions. @@ -236,7 +237,7 @@ Lists allow you to create a group of items and refer to them collectively, by na To refer to a list in a rule expression, use `$` and specify the `in` [operator](/ruleset-engine/rules-language/operators/). Only one value in the list has to match the left-hand side of the expression (before the `in` operator) for the simple expression to evaluate to `true`. If there is no match, the expression will evaluate to `false`. -The following example expression filters requests from IP addresses that are in an [IP list](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists) named `office_network`: +The following example expression filters requests from IP addresses that are in an [IP list](/waf/tools/lists/custom-lists/#ip-lists) named `office_network`: ```sql (ip.src in $office_network) @@ -267,5 +268,3 @@ ip.src in {198.51.100.1 198.51.100.3..198.51.100.7 192.0.2.0/24 2001:0db8::/32} tcp.dstport in {8000..8009 8080..8089} ``` - - 
diff --git a/src/content/docs/security/settings.mdx b/src/content/docs/security/settings.mdx index 6dbb2a7b9539e7..aac2bee70848f7 100644 --- a/src/content/docs/security/settings.mdx +++ b/src/content/docs/security/settings.mdx @@ -96,7 +96,7 @@ This section allows you to configure multiple security-related settings. The fol | [Client-side resource alerts](/page-shield/detection/configure-alerts/#rule-form) | **Security** > **Page Shield** > **Settings**
Account Home > **Notifications** | | [Reporting endpoint](/page-shield/reference/settings/#reporting-endpoint) | **Security** > **Page Shield** > **Settings** | | [Data processing](/page-shield/reference/settings/#connection-target-details) | **Security** > **Page Shield** > **Settings** | -| [IP lists](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists) | Account Home > **Manage Account** > **Configurations** | +| [IP lists](/waf/tools/lists/custom-lists/#ip-lists) | Account Home > **Manage Account** > **Configurations** | | [Custom username and password location](/waf/detections/leaked-credentials/#custom-detection-locations) | **Security** > **Settings** | | [Custom content location](/waf/detections/malicious-uploads/#custom-scan-expressions) | **Security** > **Settings** | | [Custom sensitive data deployment](/waf/managed-rules/reference/sensitive-data-detection/#configure-in-the-dashboard) | **Security** > **Sensitive Data** | diff --git a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-ips-in-allowlist.mdx b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-ips-in-allowlist.mdx index 4e3866efdef1cd..22234d990e412d 100644 --- a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-ips-in-allowlist.mdx +++ b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-ips-in-allowlist.mdx @@ -6,10 +6,10 @@ head: content: Allow traffic from IP addresses in allowlist only --- -This example skips WAF rules for requests from IP addresses in an allowlist (defined using an [IP list](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists)). +This example skips WAF rules for requests from IP addresses in an allowlist (defined using an [IP list](/waf/tools/lists/custom-lists/#ip-lists)). 1. [Create an IP list](/waf/tools/lists/create-dashboard/) with the IP addresses for which you want to allow access.
- For example, create an IP list named `allowed_ips` with one or more IP addresses. For more information on the accepted IP address formats, refer to [IP lists](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists). + For example, create an IP list named `allowed_ips` with one or more IP addresses. For more information on the accepted IP address formats, refer to [IP lists](/waf/tools/lists/custom-lists/#ip-lists). 2. Create a custom rule skipping all rules for any request from the IPs in the list you created (`allowed_ips` in the current example). diff --git a/src/content/docs/waf/rate-limiting-rules/best-practices.mdx b/src/content/docs/waf/rate-limiting-rules/best-practices.mdx index 889d27893ccf87..5622f24d0bd5cb 100644 --- a/src/content/docs/waf/rate-limiting-rules/best-practices.mdx +++ b/src/content/docs/waf/rate-limiting-rules/best-practices.mdx @@ -34,7 +34,7 @@ A common use case is to limit the rate of requests performed by individual user Another use case when controlling access to resources is to exclude or include IP addresses or Autonomous System Numbers (ASNs) from a rate limiting rule. -The following example rule allows up to 10 requests per minute from the same IP address doing a `GET` request for `/status`, as long as the visitor's IP address is not included in the `partner_ips` [IP list](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists). +The following example rule allows up to 10 requests per minute from the same IP address doing a `GET` request for `/status`, as long as the visitor's IP address is not included in the `partner_ips` [IP list](/waf/tools/lists/custom-lists/#ip-lists). | Setting | Value | | ------------------------ | ------------------------------------------------------------------------------------------------------------ | diff --git a/src/content/docs/waf/rate-limiting-rules/parameters.mdx b/src/content/docs/waf/rate-limiting-rules/parameters.mdx index 7b500291d1cbe5..28ef2b8fe20e69 100644 
--- a/src/content/docs/waf/rate-limiting-rules/parameters.mdx +++ b/src/content/docs/waf/rate-limiting-rules/parameters.mdx @@ -231,4 +231,4 @@ To use claims inside a JSON Web Token (JWT), you must first set up a [token vali - If the rule expression [includes IP lists](/waf/tools/lists/use-in-expressions/), you must enable the **Also apply rate limiting to cached assets** parameter. -- The rule counting expression, defined in the **Increment counter when** parameter, cannot include both [HTTP response fields](/ruleset-engine/rules-language/fields/reference/?field-category=Response) and [IP lists](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists). If you use IP lists, you must enable the **Also apply rate limiting to cached assets** parameter. +- The rule counting expression, defined in the **Increment counter when** parameter, cannot include both [HTTP response fields](/ruleset-engine/rules-language/fields/reference/?field-category=Response) and [IP lists](/waf/tools/lists/custom-lists/#ip-lists). If you use IP lists, you must enable the **Also apply rate limiting to cached assets** parameter. diff --git a/src/content/docs/waf/tools/ip-access-rules/index.mdx b/src/content/docs/waf/tools/ip-access-rules/index.mdx index 4628c4a17d0c8e..cc63a445890155 100644 --- a/src/content/docs/waf/tools/ip-access-rules/index.mdx +++ b/src/content/docs/waf/tools/ip-access-rules/index.mdx 
@@ -22,7 +22,7 @@ IP Access rules are commonly used to block or challenge suspected malicious traf Cloudflare recommends that you create [WAF custom rules](/waf/custom-rules/) instead of IP Access rules to perform IP-based or geography-based blocking (geoblocking): -- For IP-based blocking, use an [IP list](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists) in the custom rule expression. +- For IP-based blocking, use an [IP list](/waf/tools/lists/custom-lists/#ip-lists) in the custom rule expression. - For geoblocking, use fields such as _AS Num_, _Country_, and _Continent_ in the custom rule expression. --- diff --git a/src/content/docs/waf/tools/lists/custom-lists.mdx b/src/content/docs/waf/tools/lists/custom-lists.mdx index 51b78d7263ef79..b1020d1d1e8fde 100644 --- a/src/content/docs/waf/tools/lists/custom-lists.mdx +++ b/src/content/docs/waf/tools/lists/custom-lists.mdx @@ -11,7 +11,7 @@ A custom list contains one or more items of the same type (for example, IP addre Cloudflare supports the following custom list types: -- [Lists with IP addresses](#lists-with-ip-addresses-ip-lists) (also known as IP lists) +- [Lists with IP addresses](#ip-lists) (also known as IP lists) - [Lists with hostnames](#lists-with-hostnames) - [Lists with ASNs](#lists-with-asns) ([autonomous system](https://www.cloudflare.com/learning/network-layer/what-is-an-autonomous-system/) numbers) @@ -50,7 +50,7 @@ For more information and examples, refer to [Use lists in expressions](/waf/tool ## Custom list types -### Lists with IP addresses (IP lists) +### Lists with IP addresses (IP lists) {/* ip-lists */} List items in custom lists with IP addresses must be in one of the following formats:
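Review bot: In the magic-firewall/about/list-types.mdx hunk (`@@ -11,7 +11,7 @@`) the rewritten line keeps two muddled sentences that are worth tightening while the line is already being touched: "to group services in networks, like web servers, or for lists of known bad IP addresses to make managing good network endpoints easier" mixes allow and deny purposes into one clause, and "IP lists are helpful for users with very expansive firewall rules with many IP lists" explains IP lists in terms of IP lists. Suggest something like "Use IP lists to group the IP addresses of services such as web servers, or to maintain lists of known bad addresses, so that rules referencing many addresses stay manageable." The 10,000-item default limit and the link to the how-to can stay as they are.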
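Review bot: The new "Snippet rule" section in rules/snippets/examples/maintenance.mdx (`@@ -105,3 +108,19 @@`) says the `admin_ips` list "was previously created" but gives no step or link for creating it, and the expression `(not ip.src in $admin_ips)` has an asymmetry the reader should be told about: every address in that list bypasses the maintenance page entirely, and an empty list makes the expression match every request, so administrators would see the maintenance page too. Suggest linking the creation step (this patch already uses `/waf/tools/lists/create-dashboard/` in allow-traffic-from-ips-in-allowlist.mdx) and adding a sentence that the list should contain only the administrators' addresses and be reviewed once the maintenance window ends. The `@@ -12,30 +12,33 @@` hunk in the same file is whitespace-only reindentation of the snippet and needs no change.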
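Review bot: The new "Snippet rule" section in rules/snippets/examples/slow-suspicious-requests.mdx (`@@ -30,3 +32,17 @@`) adds the expression `(cf.bot_management.score lt 10)` and the summary now reads "based on the bot score", but the page does not say what a zone needs for `cf.bot_management.score` to be populated, nor how requests that carry no score evaluate against `lt 10`. Both belong in this section, otherwise a reader on a zone without scoring will configure a rule that never matches. A short sentence on why `10` was chosen as the threshold would also help, since a bare number reads as arbitrary.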
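Review bot: In waf/tools/lists/custom-lists.mdx the `@@ -50,7 +50,7 @@` hunk changes the heading's fragment from `#lists-with-ip-addresses-ip-lists` to `#ip-lists` by appending `{/* ip-lists */}` to the heading, and every other hunk in this patch rewrites links to the new fragment. Two things to confirm before merging: that the site's heading-id generation honours that trailing MDX comment (otherwise all the rewritten links, including `[Lists with IP addresses](#ip-lists)` in the `@@ -11,7 +11,7 @@` hunk of the same file, point at a fragment that does not exist), and that the old fragment keeps resolving, since `#lists-with-ip-addresses-ip-lists` is an externally linkable URL that bookmarks, support replies and third-party pages may already use and the patch adds no redirect or alias for it.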