Hỏi cách chặn search trên cloudflare và .htaccess

Mình bị search khá lớn vào website, đã set WAF và Rate limiting rules
c=\d+&l=\d+&sc=\d+

Trong .htaccess
RewriteCond %{QUERY_STRING} ^c=\d+&l=\d+&sc=\d+$
RewriteRule ^search$ - [F]

Trong .htaccess có set thêm cái này
(chỉ cho phép cloudflare truy cập vào bằng ip)

Code:

<FilesMatch "\.(php|html)$">
    Order deny,allow
    Deny from all
    Allow from 173.245.48.0/20
    Allow from 103.21.244.0/22
    Allow from 103.22.200.0/22
    Allow from 103.31.4.0/22
    Allow from 141.101.64.0/18
    Allow from 108.162.192.0/18
    Allow from 190.93.240.0/20
    Allow from 188.114.96.0/20
    Allow from 197.234.240.0/22
    Allow from 198.41.128.0/17
    Allow from 162.158.0.0/15
    Allow from 104.16.0.0/13
    Allow from 104.24.0.0/14
    Allow from 172.64.0.0/13
    Allow from 131.0.72.0/22
    Allow from 2400:cb00::/32
    Allow from 2606:4700::/32
    Allow from 2803:f800::/32
    Allow from 2405:b500::/32
    Allow from 2405:8100::/32
    Allow from 2a06:98c0::/29
    Allow from 2c0f:f248::/32
</FilesMatch>

Nhưng nhìn apache log vẫn bị search

Nhờ anh em chỉ dùm

Code:

172.70.38.240 - - [22/Jan/2024:01:24:22 -0600] "GET /search?c=62&l=17599&sc=66 HTTP/1.1" 503 473 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5 (Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot)"
172.68.150.80 - - [22/Jan/2024:01:25:12 -0600] "GET /api/posts?countryCode=TZ&languageCode=en&c=9&l=48154&sc=11&op=search HTTP/1.1" 200 85197 "-" "GuzzleHttp/7"
172.71.222.158 - - [22/Jan/2024:01:24:33 -0600] "GET /search?c=9&l=48154&sc=11 HTTP/1.1" 200 13762 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5 (Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot)"
172.70.43.54 - - [22/Jan/2024:01:24:28 -0600] "GET /search?c=1&l=13777&sc=8 HTTP/1.1" 503 473 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5 (Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot)"
172.71.222.88 - - [22/Jan/2024:01:24:37 -0600] "GET /search?c=30&l=3078&sc=36 HTTP/1.1" 503 473 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5 (Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot)"
172.68.150.25 - - [22/Jan/2024:01:25:18 -0600] "GET /api/posts?countryCode=PS&languageCode=en&c=97&l=41223&sc=102&op=search HTTP/1.1" 200 84115 "-" "GuzzleHttp/7"
172.71.223.17 - - [22/Jan/2024:01:24:52 -0600] "GET /search?c=54&l=47530&sc=58 HTTP/1.1" 500 707 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5 (Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot)"
172.71.222.173 - - [22/Jan/2024:01:25:05 -0600] "GET /search?c=97&l=41223&sc=102 HTTP/1.1" 200 20436 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5 (Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot)"
172.70.38.250 - - [22/Jan/2024:01:24:42 -0600] "GET /search?c=30&l=3078&sc=34 HTTP/1.1" 503 473 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5 (Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot)"
172.70.135.215 - - [22/Jan/2024:01:24:30 -0600] "GET /search?c=9&l=48154&sc=10 HTTP/1.1" 500 707 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5 (Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot)"
172.70.42.151 - - [22/Jan/2024:01:24:43 -0600] "GET /search?c=30&l=3078&sc=35 HTTP/1.1" 503 473 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5 (Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot)"
172.70.174.189 - - [22/Jan/2024:01:24:34 -0600] "GET /search?c=9&l=48154&sc=12 HTTP/1.1" 500 707 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5 (Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot)"
172.71.222.223 - - [22/Jan/2024:01:25:09 -0600] "GET /search?c=46&l=34712&sc=48 HTTP/1.1" 500 707 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5 (Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot)"
172.70.42.151 - - [22/Jan/2024:01:24:27 -0600] "GET /search?c=1&l=13784&sc=3 HTTP/1.1" 500 707 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5 (Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot)"
172.70.174.38 - - [22/Jan/2024:01:24:16 -0600] "GET /search?c=145&l=48904&sc=356 HTTP/1.1" 500 707 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5 (Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot)"
172.70.39.165 - - [22/Jan/2024:01:24:25 -0600] "GET /search?c=62&l=17599&sc=67 HTTP/1.1" 500 707 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5 (Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot)"
172.70.174.183 - - [22/Jan/2024:01:24:20 -0600] "GET /search?c=62&l=17599&sc=72 HTTP/1.1" 500 707 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5 (Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot)"
172.70.134.135 - - [22/Jan/2024:01:24:49 -0600] "GET /search?c=54&l=47530&sc=203 HTTP/1.1" 503 473 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5 (Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot)"
172.70.39.157 - - [22/Jan/2024:01:24:46 -0600] "GET /search?c=54&l=47530&sc=60 HTTP/1.1" 500 707 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5 (Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot)"
172.71.222.105 - - [22/Jan/2024:01:25:17 -0600] "GET /search?c=46&l=34712&sc=51 HTTP/1.1" 500 707 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5 (Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot)"

 

Mình thấy trong log báo 503 là có chặn rồi mà nhỉ

 

1. HTTP 500 - Internal Server Error:
   
   • Mã lỗi 500 là một mã lỗi chung được máy chủ web trả về khi có một vấn đề xảy ra mà máy chủ không thể xử lý được. Điều này có thể do lỗi cấu hình, lỗi lập trình, hoặc vấn đề khác liên quan đến máy chủ.
2. HTTP 503 - Service Unavailable:
   
   • Mã lỗi 503 xuất hiện khi máy chủ tạm thời không thể xử lý yêu cầu do một số nguyên nhân như quá tải, bảo trì hệ thống, hoặc sự cố tạm thời khác. Mã này thông báo rằng dịch vụ không khả dụng tạm thời, và yêu cầu có thể thử lại sau một khoảng thời gian.

Mình vừa phát hiện cloudflare không dùng được biểu thức chính quy nên đổi cách khác đã chặn khá khá rồi

 

Cái này trước đây mình cũng từng gặp tương tự, tuy nhiên mình không chặn ở lớp CF hay Nginx do lười tìm hiểu, mình chặn ở code, cũng làm tương tự bạn bóc tách câu query ra rồi chặn, kèm theo đó là mình cho danh sách ip vào blacklist luôn để chặn thêm 1 lớp theo ip, mình dùng thêm Redis để cache list ip đó trong 1 giờ thôi.