• Resolved alx359

    (@alx359)


    Great plugin idea. A question/concern though. Why did you decide to put that large list of ASNs in the block section? For non-US-centric users, it seems counterintuitive and actually doesn’t work for me. It blocks my Hetzner hosting (24940) and I can’t use a proxy either (hoxx) to test as a user from other countries. IMO, it’s less risky and does the same job putting them all in Challenge-Response.

Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author Rob – 5StarPlugins / PressWizards

    (@presswizards)

    Hi @alx359 thanks for trying our newest plugin!

    That is a great question… So the rules are supposed to be pretty tight, and Hetzner and a lot of others like Digital Ocean and Vultr are fairly large ASNs that a ton of malicious traffic can come from. The idea is to add those ASNs to the Challenge or Block rules, and then you add specific IPs or User Agents to the first SKIP rule, and you’re typically all good.

    If you add an ASN to the Challenge vs the Block rule, I don’t see a big difference because most bots are not going to pass the challenge and so will be blocked anyway… but for your proxy use case, for a user and browser being proxied across, then the challenge rule makes total sense, and you can do it per IP or per User Agent as well, vs an entire ASN, which opens it up often too much, but hey if it works, then you’re still protected from all the others.

    The plugin is made to get you to a good starting place across many domains in bulk easily, and then you can go in and still tweak them yourself as needed.

    The Premium version adds awesome checkboxes for easy SKIP rule customization to allow services and their user agents or IPs to be allowed through across many domains at once as well, without having to dig into Cloudflare’s rules UI per domain, and I would def recommend the free trial to see how you like it.
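A small model of the three-rule layout Rob describes (SKIP first, then Challenge, then Block by ASN), added here as an example rather than code from the plugin or either poster. The action names borrow Cloudflare's custom-rule vocabulary, but the matcher is a deliberate simplification, and the IP addresses and the non-Hetzner ASN are constructed placeholders.

```python
# Added example, not the plugin's or either poster's code: a first-match
# model of the SKIP -> Challenge -> Block layout described above. Action
# names follow Cloudflare's custom rules (skip / managed_challenge / block)
# and the fields mirror ip.src.asnum and ip.src, but the matcher is a
# deliberate simplification, not Cloudflare's expression engine.
from dataclasses import dataclass

HETZNER_ASN = 24940  # the thread starter's hosting ASN, quoted in the post above
DOC_ASN = 64496      # documentation-only ASN (RFC 5398), stands in for a home ISP


@dataclass
class Rule:
    description: str
    action: str                    # "skip", "managed_challenge" or "block"
    asns: frozenset = frozenset()  # ip.src.asnum values this rule matches
    ips: frozenset = frozenset()   # ip.src values this rule matches

    def matches(self, req: dict) -> bool:
        return req.get("asn") in self.asns or req.get("ip") in self.ips


def evaluate(rules: list, req: dict) -> str:
    """Walk the rules top to bottom; the first match decides the outcome,
    so SKIP only protects allow-listed clients if it sits above the ASN rules."""
    for rule in rules:
        if rule.matches(req):
            return rule.action
    return "allow"


def layout(hosting_asn_goes_to: str, trusted_ips: frozenset) -> list:
    """Three-rule set with the hosting ASN in either the Challenge or the
    Block rule ('managed_challenge' or 'block'); the rest is identical."""
    asns = frozenset({HETZNER_ASN})
    empty = frozenset()
    return [
        Rule("SKIP trusted IPs", "skip", ips=trusted_ips),
        Rule("Challenge", "managed_challenge",
             asns=asns if hosting_asn_goes_to == "managed_challenge" else empty),
        Rule("Block", "block", asns=asns if hosting_asn_goes_to == "block" else empty),
    ]


# Constructed sample requests (RFC 5737 test addresses), not real traffic.
OWNER = {"asn": HETZNER_ASN, "ip": "203.0.113.10"}            # site owner, on Hetzner
HETZNER_VISITOR = {"asn": HETZNER_ASN, "ip": "203.0.113.77"}  # e.g. a proxied customer
HOME_VISITOR = {"asn": DOC_ASN, "ip": "198.51.100.5"}
TRUSTED = frozenset({OWNER["ip"]})
```

Reversing the list so the Block rule sits above SKIP blocks the owner's allow-listed IP as well, which is the reason the SKIP rule has to come first.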

    Thread Starter alx359

    (@alx359)

    Hey Rob,

    Thanks for your reply. I just tweaked the rules in code, as the bulk deployment is what I like your plugin for, obviously.

    If you add an ASN to the Challenge vs the Block rule, I don’t see a big difference because most bots are not going to pass the challenge and so will be blocked anyway…

    Think you’re missing the point. Bots gonna bot and get blocked anyway, yes, but users/customers are gonna too, big difference! Before tweaking the code, got my sites blocked with no recourse. That defeats the purpose of protection, doesn’t it?

    I understand you want premium customers, but it would really be nice if in an advanced screen you just exposed the rules in a plain textbox to allow the raw tweaking, instead of one having to do the plugin in code or go to CF individually. Premiums can still enjoy the bulk exp builder alternative you seem to imply in your offer.

    Plugin Author Rob – 5StarPlugins / PressWizards

    (@presswizards)

    Hi @alx359 I’m looking into adding a “code display” type of rules expression view/edit, to help solve this.

    I mentioned your point directly, proxying users is a great case for using the Challenge rule, I understand that. I was suggesting that the Skip rule is also possible so that an entire ASN is not moved, and it could be more specific, which is always best practice. But I’m glad you were able to edit the rules and have it work out well for you.

    Please consider leaving a review, as I’d love others to know it worked well for you, and as we work on more features, it will be much more useful for more folks as well.

    Thread Starter alx359

    (@alx359)

    I’m looking into adding a “code display” type of rules expression view/edit, to help solve this.

    Great! Sprinkle in some syntax highlighting and it’s gonna be golden to premiums. Personally I’d do fine with just 3 hooks so I can continue doing it in notepad instead and survive the updates.

    Another feature to consider is toggling ‘Under Attack Mode’ in bulk. It’s a nuisance going through so many sites one by one when getting hammered (never figured out that toggle at account level despite what CF docs say). Your plugin has helped a lot though.

    ASN is not moved, and it could be more specific, which is always best practice.

    I see the point and you’re probably right in principle. Just can’t figure a sensible scenario for this docked vessel approach yet. Rules are quite complex as-is and see no immediate benefit making them worse, if the challenge-response box can do essentially the same job with less risk of leaving someone out.

    Please consider leaving a review

    Will do.

    Plugin Author Rob – 5StarPlugins / PressWizards

    (@presswizards)

    Hi @alx359 Thanks for your 5 star review! I just pushed out v1.0.5 which adds 3 filters for the expressions, so you can add code snippets to override or append to the existing default rule expressions. The no-code checkbox options in the Premium version are still the best way to save custom sets of user agents and reuse them as needed. Docs and examples of the new filters.

    I’ll dig into what it would entail to add a bulk Security Level setting, that would be a great addition. I also want to add bulk “Add Security Headers” as well, and maybe some other common settings that people enable on most sites that are a pain to click around and do for each site.

    Thanks for your suggestions, and I look forward to hearing back on how you like the new hooks. I’ll keep improving the plugin, and hope folks find value in it.

    Thread Starter alx359

    (@alx359)

    Thanks for the filters. 1.0.5 isn’t working for me though. Attempting the default ruleset (no filters) with API or global auth gives me an error when trying to update a single domain:

    Failed to update ruleset for domain: whatever.com. Error: Unknown error

    Rolled back to 1.0.4 and it’s working fine. Upgraded to 1.0.5 again keeping the same 1.0.4 credentials and the error shows up again.

    2nd suspect was some typo in the default rules concatenation but even with return $expression='' in the filters still got the same issue.

    If you’d need assistance debugging this let me know.

    Plugin Author Rob – 5StarPlugins / PressWizards

    (@presswizards)

    @alx359 Ah ok, let me get that fixed… I think the filters added a bit more complexity to the expression handling, I’ll get it patched here real quick.

    Plugin Author Rob – 5StarPlugins / PressWizards

    (@presswizards)

    @alx359 Ok v1.0.6 fixes the CF API issue with the new filters, and improved error handling so it gives more specific errors when they occur. Give it a try again.

    Thread Starter alx359

    (@alx359)

    Thanks! It works.
    Would you consider yet another filter:

        $rules_api_payload = array_map( function ( $rule ) {
            // alx359: added. Let a filter rename the rule before the payload goes to Cloudflare.
            $rule['description'] = apply_filters( 'fivestar_cfwaf_rule_description', $rule['description'], $rule );

            if ( isset( $rule['key'] ) ) {
                unset( $rule['key'] );
            }
            return $rule;
        }, $rules );

    Example:

        add_filter( 'fivestar_cfwaf_rule_description', 'cfwaf_rule_description', 10, 2 );
        function cfwaf_rule_description( $description, $rule ) {
            // match(true) and str_contains() need PHP 8.0 or newer.
            $d = strtolower( $description );

            return match ( true ) {
                str_contains( $d, 'skip' )      => '1. WAF Skip',
                str_contains( $d, 'challenge' ) => '2. WAF Challenge',
                str_contains( $d, 'block' )     => '3. WAF Block',
                default                         => $description,
            };
        }

    It’s cosmetic I know, but I think it helps keep things tidier according to one’s preferences and circumstances.

    Plugin Author Rob – 5StarPlugins / PressWizards

    (@presswizards)

    @alx359 Oh a filter for the rule names themselves… ok let me look at adding that shortly.
