Trying Out the New Cloudflare Rules Features

Original link: https://mabbs.github.io/2022/10/05/rules.html

Cloudflare is really generous and has saved webmasters everywhere countless costs! ♥

Background

When I logged in to Cloudflare a while ago and looked at the rules, I found some new functions. It seems that some Transform Rules have been added, such as Dynamic Redirects. They looked interesting, so I tried them out. After using them for a while, I found that they are really good: very powerful, and free. So this time I want to talk about my experience with a few of the new Cloudflare rule features.

Hands-on experience

To describe things better, I will go straight to examples.

Redirecting subdomains to user pages

Telegram added a feature a while ago that lets you use a subdomain as your own Telegram business card. For example, my username is unmayx, so on Telegram it is https://unmayx.t.me/ . This feature looks quite interesting, so I wanted to make one for my own website. In fact, if your website has no other subdomains, you can do this directly with Page Rules. This is possible because Cloudflare lets free users proxy wildcard DNS records, which is really generous. First, add a wildcard record in DNS; either A or CNAME works, and the target can be anything. Then add a page rule for a URL such as *.example.com/* (write your own domain name), set it to Forwarding URL with a status code of either 301 or 302, and fill in a target URL similar to https://example.com/username-$1.html . The specific rule depends on your own website; you can also fill in something like Telegram's https://t.me/$1 (of course, it is impossible for Telegram to use Cloudflare's CDN).

However, there is a problem with this setup. Most websites do not use only the apex domain. If there are other subdomains that also use Cloudflare CDN, they conflict with the rule, because the rule is matched first. Where Cloudflare's original Page Rules fall short is that they can do nothing except match URLs; for instance, I can't say "does not match something". Fortunately, the new Dynamic Redirects can do this, and can match on a whole range of things. For example, if I want to match addresses that do not start with www, I can write not starts_with(http.host, "www.") . Cloudflare's certificate can't be used for multi-level subdomains (third level and deeper) anyway, so matching this way is no problem. In addition, you have to exclude the apex domain itself, so it is enough to write (not starts_with(http.host, "www.") and http.host ne "example.com") , and then write where the dynamic redirect should go. I looked through the documentation for a long time and found that, unless regular expressions are used, there is no way to extract just the part before the "." in http.host, and the regex functions are not free.

But I didn't have this problem when I used Page Rules before. Why does this new feature have such a problem… Still, since Page Rules support this, we can combine the two: first use the dynamic redirect to catch the request, then hand it to a page rule to process. So we can write the dynamic redirect expression from just now as an address that does not conflict with the existing website, such as concat("https://example.com/user/", http.host, "/") . It will then redirect to a location on the apex domain, and a page rule picks it up there: the URL is set to example.com/user/*.example.com/ , and the target URL is set to https://example.com/username-$1.html .
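The two hops described above can be traced offline with a small simulation. This is an added example, not code from the original post or from Cloudflare; the function names are hypothetical, and the wildcard handling is a simplified model of Page Rules (each * captures text that the target references as $1, $2, ...).

```python
import re

APEX = "example.com"  # placeholder zone, as used in the post

def dynamic_redirect(host):
    """Hop 1, the Dynamic Redirect:
    (not starts_with(http.host, "www.") and http.host ne "example.com")
    -> concat("https://example.com/user/", http.host, "/")"""
    if host.startswith("www.") or host == APEX:
        return None  # rule does not match; the request is served normally
    return "https://" + APEX + "/user/" + host + "/"

def page_rule(url, pattern, target):
    """Hop 2, a Page Rule with Forwarding URL (simplified model)."""
    stripped = re.sub(r"^https?://", "", url)  # the pattern is written without a scheme
    regex = "^" + "(.*)".join(re.escape(p) for p in pattern.split("*")) + "$"
    m = re.match(regex, stripped)
    if m is None:
        return None
    # Substitute $1, $2, ... with the text captured by each wildcard.
    return re.sub(r"\$(\d+)", lambda r: m.group(int(r.group(1))), target)

def resolve(host):
    """Follow both hops for a request to https://<host>/ ."""
    hop1 = dynamic_redirect(host)
    if hop1 is None:
        return None
    return page_rule(hop1, "example.com/user/*.example.com/",
                     "https://example.com/username-$1.html")

if __name__ == "__main__":
    for h in ("unmayx.example.com", "www.example.com", "example.com", "a.b.example.com"):
        print(h, "->", resolve(h))
```

Because every hostname under the wildcard record reaches the rule, the text substituted for $1 is chosen by the visitor, so the page at the target URL should treat it as untrusted input.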

Pixiv image reverse proxy

I have used a Pixiv image reverse proxy before; I learned it from the Pixiv image proxy tutorial, which used Cloudflare Workers. I glanced at the code, though, and in fact the main goal is just to make the server receive a usable Referer. It just so happens that the new Transform Rules are quite good here: they can rewrite the URL, request headers and response headers. What we need this time is to change the request header sent to the Pixiv image server. So first add a CNAME record pointing to i.pximg.net under your own domain name (mine is https://pixiv.mayx.eu.org ), then add a Transform Rule that modifies the request header, with the expression written as (http.host eq "pixiv.mayx.eu.org") , and set the Referer to https://www.pixiv.net/ (actually, it seems that it only needs to contain the word pixiv).

To make it more useful, I remembered the WeChat bot I wrote before. This time I wanted to make something that could be used directly from a web page, so the Viewer was born, and it uses my new setup. Compared with the original Workers reverse proxy, not only is there no limit on the number of requests, but page rules can also set a longer cache to make it faster.

Iwara download address resolution and DNS resolution

Looking at this rule, I remembered the Iwara Viewer I wrote in high school. Back then I couldn't call Iwara's API cross-origin directly from the web, so it mainly existed to have a server fetch the download address. Now that I can use Transform Rules to change the response headers, I can add an Access-Control-Allow-Origin: * accordingly, and then call Iwara's API directly from the front end. So I simply wrote an Iwara Downloader; because I am not particularly familiar with JavaScript, and Iwara's listings always have problems, I was too lazy to write a Viewer. Now just paste an Iwara address into the input box, such as OBSERVATION DIARY , and you get the download address of that video. But this thing is really of little use; after all, it's not as if Iwara doesn't give you the download address.

In fact, I also had the idea of turning this into a download accelerator for use in China, but the hotlink protection is really annoying. Its hash currently seems to be computed from four values: file name, Host, expiration time and visitor IP (I don't know if there are more). If I modify any of these four, I get a 403. Iwara's domain name is also DNS-poisoned, so let's solve that problem first. Besides its own sites, Cloudflare can proxy other websites that do not check the Host. I figured I could reverse-proxy Google DNS's DoH, so that I can get the real IP of the download address (by the way, dns.mayx.eu.org is now effectively my own DoH). However, getting it is useless. If you change the hosts file, you find that the connection is reset based on SNI. If you access the hotlink-protected link directly by IP, the Host field is checked. I also thought about reverse-proxying the download address. However, because the Host is checked and Transform Rules cannot change the Host, there is no way, so I'll just leave it at this.
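Seen from the server side, the behaviour described above is what a signed download URL is designed to do. The following is an added example, not Iwara's actual scheme (which the post does not know): it assumes an HMAC-SHA256 over the four fields the post lists, with a constructed secret, hostnames and documentation-range IP addresses.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients

def sign(filename, host, expires, client_ip):
    """Bind the token to file name, Host, expiry time and visitor IP."""
    msg = "\n".join([filename, host, str(expires), client_ip]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def check(filename, host, expires, client_ip, token, now):
    """Return the HTTP status an origin using this scheme would answer with."""
    expected = sign(filename, host, expires, client_ip)
    if not hmac.compare_digest(expected, token):
        return 403  # any altered field produces a different MAC
    if now > expires:
        return 403  # signature is valid but the link has expired
    return 200

def demo():
    # Constructed sample values, not taken from the post.
    name, host, exp, ip = "video_540p.mp4", "files.example.net", 1_700_000_600, "203.0.113.7"
    token = sign(name, host, exp, ip)
    now = 1_700_000_000
    return {
        "original request": check(name, host, exp, ip, token, now),
        "fetched through a proxy (other client IP)": check(name, host, exp, "198.51.100.20", token, now),
        "different Host header": check(name, "mirror.example.org", exp, ip, token, now),
        "expiry extended by client": check(name, host, exp + 3600, ip, token, now),
        "original request after expiry": check(name, host, exp, ip, token, exp + 1),
    }

if __name__ == "__main__":
    for case, status in demo().items():
        print(status, case)
```

Since the Host and the visitor IP are both inside the MAC, a link issued to one visitor stops validating as soon as it is fetched through a different hostname or from a different address.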

Thoughts

Cloudflare is really generous. Even other, paid CDNs may not have this many functions, and it also holds up well under attack. However, there are still many restrictions. It would be great if you could configure it the way you configure Nginx, but that is clearly too much to hope for; it would probably be abused on a large scale.
