[RFE]: Change cloudflare.conf to use WAF Custom Rules rather than Firewall Access Rules due to deprecation #3735

Open
Staene opened this issue Apr 30, 2024 · 2 comments

Comments

@Staene
Staene commented Apr 30, 2024

Feature request type

Change cloudflare.conf to use WAF Custom Rules rather than Firewall Access Rules due to deprecation

Description

Hi,

Per Cloudflare, the Firewall Access rules used by cloudflare.conf are deprecated and will cease to function on 07/01/2024. They suggest users migrate to WAF Custom Rules.

@Xunnamius has developed a nearly perfect solution, except his action only reports IPv4 addresses via the Cloudflare API, not IPv6 addresses as they must be in their CIDR form.

If I were a programmer, I would try to tackle this myself but I'm not, so I am throwing myself to the mercy of those more skilled. 😄

Considered alternatives

Any additional information

@Staene Staene changed the title [RFE]: [RFE]: Change cloudflare.conf to use WAF Custom Rules rather than Firewall Access Rules due to deprecation Apr 30, 2024
@Logic-32
Contributor

It looks like the Cloudflare notice may have updated as the deadline is now 2025-01-15.

Based on their example of what to do, I'm not sure cloudflare.conf will be supportable going forward. The "more secure" alternative, cloudflare-token.conf, can definitely be updated to add support though.

@dhilowitz
For what it's worth, the correct actionban and actionunban are these:

```ini
# Ban: POST the address to the account-level list as a new item.
actionban = curl -s -o /dev/null -X POST -H 'Authorization: Bearer <cftoken>' -H 'Content-Type: application/json' -d '[{"ip": "<ip>", "comment" : "Fail2Ban"}]' https://api.cloudflare.com/client/v4/accounts/<cfaccountid>/rules/lists/<cflistid>/items

# Unban: look up the list item id for the address (jq, with a sed fallback), then DELETE that item.
actionunban = id=$(curl -s -X GET -H 'Authorization: Bearer <cftoken>' -H 'Content-Type: application/json' https://api.cloudflare.com/client/v4/accounts/<cfaccountid>/rules/lists/<cflistid>/items?search=<ip> | { jq -r '.result[0].id' 2>/dev/null || tr -d '\n' | sed -nE 's/^.*"result"\s*:\s*\[\s*\{\s*"id"\s*:\s*"([^"]+)".*$/\1/p'; })
              if [ -z "$id" ]; then echo "<name>: id for <ip> cannot be found"; exit 0; fi;
              curl -s -o /dev/null -X DELETE -H 'Authorization: Bearer <cftoken>' -H 'Content-Type: application/json' -d "{\"items\": [{\"id\": \"$id\"}]}" https://api.cloudflare.com/client/v4/accounts/<cfaccountid>/rules/lists/<cflistid>/items
```

You will need to set

```ini
cfaccountid =
cflistid =
```

and you will need the token to be a bearer token that applies to the correct zone. It will also need permission on "Account > Account Filter Lists > Edit".
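
The opening post notes that IPv6 addresses must be sent in CIDR form, while the `actionban` above posts `<ip>` unchanged. The following is an added example, not code from any participant or from fail2ban: a shell helper that builds the POST body, passing IPv4 through and widening IPv6 to its containing /64 network (so the ban covers that whole subnet). The /64 prefix length and the names `cf_item_ip` and `cf_item_json` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumption: an IPv6 ban is stored as the /64 network containing the address.

# Print the value for the "ip" field of a list item, or return 1 if invalid.
cf_item_ip() {
    case "$1" in
        *:*) ;;                          # IPv6: converted to CIDR below
        ''|*[!0-9.]*) return 1 ;;        # reject characters outside dotted IPv4
        *) printf '%s\n' "$1"; return 0 ;;
    esac
    printf '%s\n' "$1" | awk '{
        n = split(tolower($0), half, "::")
        if (n > 2) exit 1                # "::" may appear only once
        nl = (half[1] == "") ? 0 : split(half[1], l, ":")
        nr = (n == 2 && half[2] != "") ? split(half[2], r, ":") : 0
        if ((n == 1 && nl != 8) || (n == 2 && nl + nr > 7)) exit 1
        for (i = 1; i <= 8; i++) g[i] = "0"            # zero-fill the "::" gap
        for (i = 1; i <= nl; i++) g[i] = l[i]
        for (i = 1; i <= nr; i++) g[8 - nr + i] = r[i]
        for (i = 1; i <= 8; i++) {                     # validate every group
            if (length(g[i]) > 4 || g[i] !~ /^[0-9a-f]+$/) exit 1
            sub(/^0+/, "", g[i]); if (g[i] == "") g[i] = "0"
        }
        printf "%s:%s:%s:%s::/64\n", g[1], g[2], g[3], g[4]
    }'
}

# Print the JSON body for the POST to .../rules/lists/<cflistid>/items.
cf_item_json() {
    item=$(cf_item_ip "$1") || return 1
    printf '[{"ip": "%s", "comment": "Fail2Ban"}]\n' "$item"
}

# Constructed sample addresses (documentation ranges).
for a in 203.0.113.7 2001:db8:abcd:12:ffff::1; do
    cf_item_json "$a"
done
```

Because the helper rejects anything that is not a well-formed address, a malformed value cannot break out of the JSON string in the request body.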
