【Original Article】Based on feedback from some friends, it is said that many attack platforms and software can now easily bypass CloudFlare's 5-second shield. Therefore, the previous CloudFlare 5-second shield script is not as effective anymore. To address this issue, I spent some time modifying the script published by Ben Niu to enable CAPTCHA. However, the API has changed to the official one, making the configuration more complex. Here is the script:
I have obtained verbal consent from the original author.
#github https://github.com/CangShui/clouflarea-auto-firewall
email="[email protected]"
globalapi="7777777777777777777777777"
rulesid1="666666666666666666666666666"
rulesid2="8888888888888888888888888"
zoneid="333333333333333333333333333"
mode="cpu" #Determine server load method: load load method or cpu CPU percentage method. Only one can be selected.
keeptime=240 #How many seconds to continue trying to disable the shield after the load decreases
if [ "$mode" = "cpu" ];
then
check=85 #If the CPU exceeds 85% continuously within 5 seconds, enable the shield. [You can adjust it according to your server load]
#System idle time
TIME_INTERVAL=5
time=$(date "+%Y-%m-%d %H:%M:%S")
LAST_CPU_INFO=$(cat /proc/stat | grep -w cpu | awk '{print $2,$3,$4,$5,$6,$7,$8}')
LAST_SYS_IDLE=$(echo $LAST_CPU_INFO | awk '{print $4}')
LAST_TOTAL_CPU_T=$(echo $LAST_CPU_INFO | awk '{print $1+$2+$3+$4+$5+$6+$7}')
sleep ${TIME_INTERVAL}
NEXT_CPU_INFO=$(cat /proc/stat | grep -w cpu | awk '{print $2,$3,$4,$5,$6,$7,$8}')
NEXT_SYS_IDLE=$(echo $NEXT_CPU_INFO | awk '{print $4}')
NEXT_TOTAL_CPU_T=$(echo $NEXT_CPU_INFO | awk '{print $1+$2+$3+$4+$5+$6+$7}')
#System idle time
SYSTEM_IDLE=`echo ${NEXT_SYS_IDLE} ${LAST_SYS_IDLE} | awk '{print $1-$2}'`
#Total CPU time
TOTAL_TIME=`echo ${NEXT_TOTAL_CPU_T} ${LAST_TOTAL_CPU_T} | awk '{print $1-$2}'`
load=`echo ${SYSTEM_IDLE} ${TOTAL_TIME} | awk '{printf "%.2f", 100-$1/$2*100}'`
else
load=$(cat /proc/loadavg | colrm 5)
check=$(cat /proc/cpuinfo | grep "processor" | wc -l)
fi
if [ ! -f "/home/status.txt" ];then
echo "" > /home/status.txt
else
status=$(cat /home/status.txt)
echo $status
fi
now=$(date +%s)
time=$(date +%s -r /home/status.txt)
echo "Current $mode load: $load"
if [[ $status -eq 1 ]]
then
echo "Currently enabled"
else
echo "Currently disabled"
fi
newtime=`expr $now - $time`
closetime=`expr $keeptime - $newtime`
if [[ $load <$check ]]&&[[ $status -eq 1 ]]&&[[ $newtime -gt $keeptime ]]
then
echo -e "\n$mode load is lower than $check, and the shield has been enabled for more than half an hour ($newtime seconds). Trying to disable the shield"
cResult=$(
curl -X PUT \
-H "X-Auth-Email: $email" \
-H "X-Auth-Key: $globalapi" \
-H "Content-Type: application/json" \
-d '{
"id": "$rulesid1",
"paused": true,
"description": "All CAPTCHA",
"action": "challenge",
"priority": 1000,
"filter": {
"id": "'$rulesid2'"
}
}' "https://api.cloudflare.com/client/v4/zones/$zoneid/firewall/rules/$rulesid1"
)
echo $cResult
size=${#cResult}
if [[ $size -gt 10 ]]
then
echo 0 > /home/status.txt
echo -e "\nShield disabled successfully"
fi
elif [[ $load <$check ]]
then
echo -e "\n$mode load is lower than $check, no changes made, $newtime seconds"
if [[ $status -eq 1 ]]
then
echo -e "The shield will be disabled in $closetime seconds"
fi
exit
elif [[ $load >$check ]] && [[ $status -eq 1 ]] && [[ $newtime -gt $keeptime ]]
then
echo -e "\n$mode load is higher than $check, and the shield has been enabled for more than $newtime seconds. The shield is invalid. Please contact the administrator to customize other solutions"
exit
elif [[ $load >$check ]] && [[ $status -eq 1 ]]
then
echo -e "\n$mode load is higher than $check, and the shield is currently enabled ($newtime seconds). Please observe further"
exit
elif [[ $load >$check ]]
then
echo -e "\n$mode load is higher than $check, enabling defense rules"
cResult=$(
curl -X PUT \
-H "X-Auth-Email: $email" \
-H "X-Auth-Key: $globalapi" \
-H "Content-Type: application/json" \
-d '{
"id": "$rulesid1",
"paused": false,
"description": "All CAPTCHA",
"action": "challenge",
"priority": 1000,
"filter": {
"id": "'$rulesid2'"
}
}' "https://api.cloudflare.com/client/v4/zones/$zoneid/firewall/rules/$rulesid1"
)
echo $cResult
size=${#cResult}
if [[ $size -gt 10 ]]
then
echo 1 > /home/status.txt
echo -e "\nShield enabled successfully"
fi
else
echo 0 > /home/status.txt
fi
Before using the script, you need to create a CloudFlare firewall rule like this:
Then, fill in the variables in the script step by step:
-
The email variable in the first line should be filled with the login email of your CloudFlare account.
-
The globalapi variable in the second line should be filled with the key shown in the following image. To access this page, click on the avatar in the upper right corner, then click on "my profile", and finally click on the "api tokens" menu.
- The rulesid1 and rulesid2 variables need to be obtained from the CloudFlare firewall rules page, as shown in the following steps:
Open the browser console, then enable or disable the rule. In the network tab of the console, find the request shown in the image below. The first key should be filled in the rulesid1 variable, and the second key should be filled in the rulesid2 variable.
- The zoneid variable can be found on your domain overview page, as shown in the image below:
At this point, the configuration is almost complete. The default setting is to enable CAPTCHA if the CPU usage exceeds 85% continuously within 5 seconds, and then disable the shield after 240 seconds when the usage decreases.
After configuring, you need to set up a cron job to execute the script. If you are using a control panel like Baota, you should know how to do it. Just set it to run every minute.
Effect:
Reprinted from: CangShui's Blog » Automatically Enable CAPTCHA in CloudFlare