@JoeyBurzynski
Created August 25, 2023 16:50
Cloudflare Rules: Allow Good Bots by ASN

Rule Name: Allow Good Bots (AS15169/Google LLC, AS8075/Microsoft Corporation, AS714/Apple Inc., AS32934/Facebook, Inc., AS17012/PayPal, Inc., AS5091/Stripe, Inc.)

Cloudflare WAF Rule: Allow Good Bots: (cf.client.bot and ip.geoip.asnum in {15169 8075 714 32934 17012 5091})

Ex: https://ipinfo.io/AS15169 - Google

WAF Rules

  • Cloudflare offers 5 WAF rules for free accounts.

  • Create a Firewall Rule for each entry below and paste its expression into the Edit Expression box.

  • Note: you can look up each individual ASN at https://ipinfo.io/ by putting the AS number in the URL, for example https://ipinfo.io/AS136907.

  • Good Bots - Allow: (cf.client.bot and ip.geoip.asnum in {15169 8075 714 32934 17012 5091})

  • Other Bots – Managed Challenge: (cf.client.bot and not ip.geoip.asnum in {15169 8075 714 1477 46475 32934 17012 5091})

  • WP Login – Managed Challenge: (http.request.uri.path contains "wp-login")

  • Outside USA – Managed Challenge: (not ip.geoip.country in {"US"})
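
An added example, not part of the original gist: a small offline model of the four expressions above, for checking which rule a request would hit before you change the ASN sets. It assumes the rules are evaluated in the listed order with the first match deciding; the `Request` class, the `evaluate` and `demo` functions and the sample requests (including documentation ASN 64500) are constructed for illustration.

```python
# Added example: offline model of the four rule expressions from this page.
# Assumption: rules run in the listed order and the first match decides.
from dataclasses import dataclass

GOOD_BOT_ASNS = {15169, 8075, 714, 32934, 17012, 5091}
# The "Other Bots" expression on the page excludes two further ASNs.
OTHER_BOT_EXCLUDED_ASNS = GOOD_BOT_ASNS | {1477, 46475}


@dataclass
class Request:
    bot: bool      # cf.client.bot
    asn: int       # ip.geoip.asnum
    path: str      # http.request.uri.path
    country: str   # ip.geoip.country


RULES = [
    ("Good Bots", "allow",
     lambda r: r.bot and r.asn in GOOD_BOT_ASNS),
    ("Other Bots", "managed_challenge",
     lambda r: r.bot and r.asn not in OTHER_BOT_EXCLUDED_ASNS),
    ("WP Login", "managed_challenge",
     lambda r: "wp-login" in r.path),          # case-sensitive substring
    ("Outside USA", "managed_challenge",
     lambda r: r.country not in {"US"}),
]


def evaluate(req):
    """Return (rule name, action) for the first matching rule, else (None, 'pass')."""
    for name, action, matches in RULES:
        if matches(req):
            return name, action
    return None, "pass"


def demo():
    """Evaluate constructed sample requests; AS64500 is a documentation ASN."""
    samples = [
        Request(True, 15169, "/wp-login.php", "DE"),   # verified bot, allowed ASN
        Request(True, 64500, "/", "US"),               # verified bot, unlisted ASN
        Request(True, 1477, "/", "US"),                # in "Other Bots" exclusion only
        Request(False, 64500, "/wp-login.php", "US"),  # ordinary login attempt
        Request(False, 64500, "/", "GB"),              # visitor outside the US
    ]
    return [evaluate(s) for s in samples]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third sample shows that a verified bot from AS1477 or AS46475 matches neither bot rule, so only the WP Login and Outside USA rules can apply to it.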

Adjusting These Rules

  • You may find that a service you use is blocked by a managed challenge.
  • You will need to add the ASN or the IP range manually to the Good Bots Allow rule. You may also need to tweak the Outside USA rule if the service is outside the USA.
  • Other than a Google search, there are 2 options for finding the ASN or IP range of the service that you need to add.
      • Ask your service provider's support what the ASN or IP range is.
      • Look at the event log for the WAF rule and open the event details for the blocked event. You’ll see the IP address and ASN there. Screenshot: https://d.pr/i/IHcqCX
  • It’s better to use an ASN since most services use an IP range which might change.

Bots

  • Bot Fight Mode: on

Settings

  • Security Level: Medium (default)
  • Challenge Passage: 30 min (default)
  • Browser Integrity Check: on
  • Privacy Pass Support: on
      • Chrome Extension: https://chrome.google.com/webstore/detail/privacy-pass/ajhmfdgkijocedmfjonnpjfojldioehi?hl=en
      • Firefox Extension: https://addons.mozilla.org/en-US/firefox/addon/privacy-pass/
      • More info: https://blog.cloudflare.com/supporting-the-latest-version-of-the-privacy-pass-protocol/