Update Cloudflare WAF blacklist IPs daily
You can configure a workflow definition to start automatically. To specify the time and dates a workflow runs, you define a cron expression.
This tutorial shows how to create a workflow definition that starts automatically. This workflow definition will use HTTP task to fetch the list of bad IP addresses, convert them to the required JSON object format required by Cloudflare, and use Cloudflare API to update all list items.
- Prerequisites
- Step 1: Create Cloudflare API token
- Step 2: Create Cloudflare custom list
- Step 3: Create Cloudflare Web Application Firewall (WAF) rule
- Step 4: Find the Cloudflare Account ID
- Step 5: Create Bearer token credentials
- Step 6: Create SimWorkflow workflow definition
- Step 7: Define workflow definition variables
- Step 8: Run the workflow definition
- Step 9: Define the schedule with cron expression
- Summary
Prerequisites
To perform the steps in this tutorial, you must already have the following:
- An account with Cloudflare.
- A SimWorkflow account that you can log in to workflow definitions.
Step 1: Create Cloudflare API token
-
Login to Cloudflare dashboard.
-
Go to My Profile > API Tokens.
-
Click Create Token button.
-
Click Get started button under Custom token section.
-
Enter Cloudflare list update to the Token name field.
-
Enter the following permissions for the token:
Account
Account Filter Lists
Edit
Account
Account Filter Lists
Read
-
For Account Resources, select the account for the Include field.
-
Click Continue to summary button.
-
Click Create Token button.
-
Copy the Cloudflare API token.
Step 2: Create Cloudflare custom list
- On Cloudflare dashboard and select the account.
- Go to Manage Account > Configurations.
- Navigate to Lists and click Create list button.
- Enter spammers to the Identifier field.
- Select IP for Type field.
- Click Create button.
We will create a SimWorkflow workflow definition to update this custom list daily with the blacklist IPs.
Step 3: Create Cloudflare Web Application Firewall (WAF) rule
-
On Cloudflare dashboard, select the account and domain.
-
Go to Security > WAF.
-
Click Create rule button.
-
Enter Spammers top 10,000 to the Rule name field.
-
Click Edit expression link and enter the following expression:
(ip.src in $spammers)
-
Select Block for Then take action… field.
-
Click Deploy button.
This rule will block the IP source address of the request in the $spammers
custom list.
Step 4: Find the Cloudflare Account ID
- On Cloudflare dashboard, select the account and domain.
- On the Overview page (the landing page for your domain), find the API section.
- Copy the Account ID, select Click to copy.
Step 5: Create Bearer token credentials
-
Log in to the SimWorkflow.
-
Navigate to Credentials.
-
Click Create credentials button.
-
Select Bearer token tab.
-
Enter Cloudflare to the Name field.
-
Paste the Cloudflare API token to the Bearer token field.
-
Click Create credentials button.
We'll use this credentials in the workflow definition when we integrate with Cloudflare to update the custom list.
Step 6: Create SimWorkflow workflow definition
Step 6.1: Plan the workflow definition
There are three key steps in the process:
- Fetch the list of bad IP addresses. For this tutorial, we'll use the list from IPsum, as it updates daily.
- We'll use the level 4 file.
- Prepare the JSON array from the list of bad IPs.
- Integrate with Cloudflare API to update the list of bad IPs.
For this, we will define three respective tasks in the workflow definition:
Sequence |
Task type |
Task name |
---|---|---|
1. |
Retrieve IPs |
|
2. |
Prepare IPs |
|
3. |
Update Cloudflare |
Step 6.2: Design the workflow definition
-
Log in to the SimWorkflow.
-
Navigate to Workflow definitions.
-
Click Create workflow definition button.
-
Select General tab of the workflow definition.
-
Enter Update Cloudflare custom list to the Name field.
-
Click HTTP Task to add a system task and name it Retrieve IPs.
-
Connect the Start task to the Retrieve IPs task.
-
Click Retrieve IPs task and select Configuration tab.
-
Enter the following JSON object to the HTTP request field:
{ "url": "https://raw.githubusercontent.com/stamparm/ipsum/master/levels/4.txt", "method": "GET" }
The system will make an HTTP GET request to the IPsum level 4 bad IPs file.
-
Click JQ Task to add a system task and name it Prepare IPs.
-
Connect the Retrieve IPs task to the Prepare IPs task.
-
Click Prepare IPs task and select Input Parameters tab.
-
Enter the following JSON object to the Input parameters field:
{ "input": "${['Retrieve IPs'].output.body}" }
The system will reference the "body" field from the output of the Retrieve IPs task to the "input" field.
-
Click Prepare IPs task and select JQ Filter tab.
-
Enter the following JQ filter expression to the Expressions field:
[.input | split("\n") | .[] | select(. != "") | {ip:.}] | .[:10000]
The system will convert each non-empty line of the bad IPs level 4 text file to a JSON object with the "ip" field contains the bad IP address.
The output of the Prepare IPs task will be the JSON object with the "result" field contains the first element of the result list and "resultList" field contains all the elements.
-
Click HTTP Task to add a system task and name it Update Cloudflare.
-
Connect the Prepare IP List task to the Update Cloudflare task.
-
Click Update Cloudflare task and select Input Parameters tab.
-
Enter the following JSON object to the Input parameters field:
{ "ipList": "${['Prepare IPs'].output.result}", "cloudflareAccountId": "${['swf:variables'].cloudflareAccountId}", "cloudflareListId": "${['swf:variables'].cloudflareListId}" }
The system will reference the "result" field from the output of the Prepare IPs task to the "ipList" field.
Set the "cloudflareAccountId" and "cloudflareListId" fields with values from workflow definition variables.
-
Click Update Cloudflare task and select Configuration tab.
-
Select Cloudflare (Bearer Token) for the Credentials field.
-
Enter the following JSON object to the HTTP request field:
{ "url": "https://api.cloudflare.com/client/v4/accounts/${cloudflareAccountId}/rules/lists/${cloudflareListId}/items", "body": "${ipList}", "method": "PUT", "headers": { "Accept": "application/json", "Content-Type": "application/json" } }
The system will make an HTTP PUT request to Cloudflare API with the values from the input parameters.
-
Click Save button.
-
Toggle the Enable checkbox to enable the workflow definition.
Step 7: Define workflow definition variables
-
Log in to the SimWorkflow.
-
Navigate to Workflow definitions.
-
Click Variables menu item from the three dots (more options) menu of the Update Cloudflare custom list workflow definition.
Step 7.1: Cloudflare account ID
-
Enter cloudflareAccountId in the Variable key field.
-
Paste the Cloudflare account ID in the Variable value field.
-
Click Save variable button.
Step 7.2: Cloudflare list ID
-
Enter cloudflareListId in the Variable key field.
-
Locate the Cloudflare list ID and enter it in the Variable value field.
-
Click Save variable button.
Step 8: Run the workflow definition
- Navigate to Workflow definitions.
- Click Run menu item from the three dots (more options) menu of the Update Cloudflare custom list workflow definition.
- The system will execute the workflow and the workflow Completed.
Step 9: Define the schedule with cron expression
- Log in to the SimWorkflow.
- Navigate to Workflow definitions.
- Click Schedule trigger menu item from the three dots (more options) menu of the Update Cloudflare custom list workflow definition.
- Turn on Schedule trigger on field.
- Select a user for User to start the workflow as field.
- Enter @daily to the Schedule cron expression field.
- Click Save schedule trigger button.
Summary
You've now successfully completed all the steps necessary to define a workflow definition to integrate with Cloudflare API. You've learned how to schedule the workflow definition to start automatically using cron expression. As a result, you have a process that runs daily to fetch a list of bad IP addresses and update Cloudflare with the updated list.