News 23.10.23

We have put together a set of WAF custom rules that can be configured on the Cloudflare Pro plan to protect a typical online store. Cloudflare evaluates custom rules from top to bottom and stops at the first rule whose action terminates evaluation (Skip or Block), so the allow rules (1 to 6) must sit above the block rules (7 and 8):

    1. Allow (Skip, with all remaining custom rules and components selected) requests from AS15169 (Google). In practice, Google Merchant, for example, is not covered by Known Bots, so it is simpler to let all of Google through. Be aware that AS15169 also carries Google Cloud customer traffic, so this rule lets anyone on a Google Cloud address skip every rule below it, including the admin-page block in rule 7; if that matters, limit the skip to the components Google actually needs.
    2. Allow Known Bots (cf.client.bot) for normal indexing and SEO.
    3. Allow the IP addresses of partners: catalogs, banks, etc.
    4. Allow the back-office server IP addresses.
    5. Allow the monitoring IP addresses.
    6. Allow access to the custom URIs that serve feeds (e.g. .xml). The Pro plan has no regex operator (matches), so test the path with ends_with() or contains() instead.
    7. Block the admin pages for all IPs except the trusted list.
    8. Block all countries except the ones you need, for example for Europe: (not ip.geoip.country in {"AL" "AT" "BE" "BA" "HR" "CZ" "DK" "EE" "FI" "FR" "DE" "GR" "HU" "IE" "IT" "LV" "LT" "MK" "MD" "ME" "NL" "NO" "PL" "PT" "RO" "RS" "SK" "SI" "ES" "SE" "UA" "GB" "BG"}). Adjust the set to the markets you sell to; ip.geoip.country is the older name of the field that Cloudflare now documents as ip.src.country, and both are accepted.
    9. It is also worth checking that cron requests from the server itself bypass Cloudflare, otherwise the block rules above can catch them. Pin the hostname to the local address, for example like this: /usr/bin/curl --resolve example.com:443:127.0.0.1 followed by the cron URL on example.com. curl then connects to 127.0.0.1 while still sending the correct Host header and SNI. If the origin uses a Cloudflare Origin CA certificate, curl will not trust it by default, so point it at the Origin CA root with --cacert rather than disabling verification.
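To make the ordering point concrete, here is an added example (not code from the original post, not Cloudflare's software, and not the shop's real rule set) that models the rule list above. Each rule carries its expression in the Cloudflare rules language next to a local Python predicate that approximates it, so the top-to-bottom evaluation can be exercised offline; the trusted networks, the admin path prefix and the sample requests are constructed (TEST-NET addresses, documentation ASNs), and it also shows what happens when the block rules are placed first.

```python
"""Evaluation-order model of the Cloudflare custom-rule list above.

Added example, not the post's or Cloudflare's own code. Each rule pairs the
expression in the Cloudflare rules language with a local predicate that
approximates it, so the order of evaluation can be exercised offline.
TRUSTED_NETS, ADMIN_PREFIX and every request in SAMPLES are constructed
sample data (TEST-NET ranges, documentation ASNs), not real infrastructure.
"""
import ipaddress

# Assumption: partner / back-office / monitoring networks from rules 3-5.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
# Assumption: the store's admin area lives under this path prefix (rule 7).
ADMIN_PREFIX = "/admin"
# Country set copied from rule 8 of the post.
ALLOWED_COUNTRIES = {
    "AL", "AT", "BE", "BA", "HR", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "MK", "MD", "ME", "NL", "NO", "PL", "PT", "RO", "RS",
    "SK", "SI", "ES", "SE", "UA", "GB", "BG",
}
GEO_EXPR = "not ip.geoip.country in {" + " ".join(f'"{c}"' for c in sorted(ALLOWED_COUNTRIES)) + "}"
TRUSTED_EXPR = "ip.src in {203.0.113.0/24 198.51.100.7}"


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


# (name, Cloudflare expression, action, local predicate), in dashboard order.
# "skip" = Skip with all remaining custom rules (and other components) selected,
# "block" = Block. Both stop evaluation at the first match, which is why every
# skip rule has to be listed above the block rules.
RULES = [
    ("google_as15169", "ip.geoip.asnum eq 15169", "skip",
     lambda r: r["asn"] == 15169),
    ("known_bots", "cf.client.bot", "skip",
     lambda r: r["known_bot"]),
    ("trusted_ips", TRUSTED_EXPR, "skip",
     lambda r: is_trusted(r["ip"])),
    ("feeds", 'ends_with(http.request.uri.path, ".xml")', "skip",
     lambda r: r["path"].endswith(".xml")),
    ("admin_block", f'starts_with(http.request.uri.path, "{ADMIN_PREFIX}") and not {TRUSTED_EXPR}', "block",
     lambda r: r["path"].startswith(ADMIN_PREFIX) and not is_trusted(r["ip"])),
    ("geo_block", GEO_EXPR, "block",
     lambda r: r["country"] not in ALLOWED_COUNTRIES),
]


def evaluate(request: dict, rules=RULES):
    """Walk the rules top to bottom and return (decision, rule name) for the
    first matching skip/block rule, or ("pass", None) when nothing matched."""
    for name, _expression, action, match in rules:
        if match(request):
            return action, name
    return "pass", None


def blocks_first(rules=RULES):
    """The same rules with the block rules moved to the top: a misordering that
    makes the skip rules unreachable for anything the blocks would catch."""
    return sorted(rules, key=lambda rule: rule[2] != "block")


def request(ip, asn, country, path, known_bot=False):
    return {"ip": ip, "asn": asn, "country": country, "path": path, "known_bot": known_bot}


# Constructed sample requests (TEST-NET addresses, documentation ASN 64496).
SAMPLES = {
    "googlebot_home": request("192.0.2.1", 15169, "US", "/", known_bot=True),
    "gcp_vm_admin": request("192.0.2.77", 15169, "US", "/admin/"),  # same ASN, not a bot
    "backoffice_admin": request("203.0.113.10", 64496, "DE", "/admin/orders"),
    "stranger_de_admin": request("192.0.2.9", 64496, "DE", "/admin/login"),
    "partner_feed_us": request("192.0.2.50", 64496, "US", "/export/feed.xml"),
    "shopper_de": request("192.0.2.20", 64496, "DE", "/product/1"),
    "shopper_us": request("192.0.2.30", 64496, "US", "/"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:18} -> {evaluate(req)}")
    print("googlebot, blocks first ->", evaluate(SAMPLES["googlebot_home"], blocks_first()))
```

Two results are worth noting. The gcp_vm_admin request is not a bot and comes from an untrusted address, yet it reaches the admin area with a skip, because rule 1 keys on the ASN alone; that is the cost of opening all of AS15169. And with blocks_first() the Googlebot request from the US is geo-blocked before the Known Bots skip is ever consulted, which is exactly the misordering the dashboard lets you create by dragging a rule.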

Added standard pillars that control the behaviour of segfault and coredump monitoring (lower its priority or disable it), and added exceptions for typical sources of noise in monitoring.

Updated GitLab for clients to version 16.3.4.

Returned the default LA (Load Average) monitoring. It was withdrawn for a while because it was not tuned well and generated too much noise; it is now back, with several standard pillars with different trigger thresholds for convenience.

Fixed a bug in the heartbeat service that led to its unstable operation.

Added the option to specify empty_db: ['ALL'] in the rsnapshot_backup checks. This setting disables the check that the database dumps contain data but leaves the other checks in place.

Made several standard pillars that open a port to the Internet and at the same time add an exception for that port to the open-ports monitoring, for example this one.

Added the ability to specify nginx_reload_cmd_prefix, which allows, for example, ulimit -n ... to be set for the reload command. This is needed when hosting thousands of sites on one server: on reload nginx reopens the log files of every site and can otherwise run into the open-file limit.

Fixed an error in the cmd_check_alert state that slowed down its execution and led to short-lived monitoring errors in some situations.
