====== Cloudflare – adding make.com IPs (REST API exception) ======
===== 🎯 Purpose =====
This document describes how to:
  * allow access to the WordPress REST API for **make.com**
  * keep **Bot Fight Mode enabled**
  * avoid opening the REST API to the public
  * use an **IP range** rather than a single IP
-----
===== ⚠️ Important notes on make.com IPs =====
Make.com:
  * does NOT use a single IP
  * uses **several IP ranges**
  * its IPs can change over time
Therefore:
  * we use **CIDR notation**
  * it is recommended to add the **official ranges**
-----
===== 📌 Current official make.com IP ranges =====
(source: Make documentation)
<code>
34.247.183.0/24
34.248.118.0/24
34.249.36.0/24
52.31.132.0/24
52.48.93.0/24
52.49.43.0/24
54.154.208.0/24
63.34.168.0/24
63.35.64.0/24
63.35.96.0/24
63.35.128.0/24
63.35.160.0/24
</code>
💡 **Note**: For maximum security, add only the ranges you actually see in the Cloudflare logs.
-----
===== 1️⃣ Updating the existing "Allow REST API" rule =====
Cloudflare:
  * Security
  * Security rules
  * Custom rules
  * Edit: **Allow REST API – skip bot protection**
Expression (EXAMPLE – extended):
<code>
starts_with(http.request.uri.path, "/wp-json/")
and (
  ip.src eq 49.12.184.65
  or ip.src eq 86.61.31.249
  or ip.src in {
    34.247.183.0/24
    34.248.118.0/24
    34.249.36.0/24
    52.31.132.0/24
    52.48.93.0/24
    52.49.43.0/24
    54.154.208.0/24
    63.34.168.0/24
    63.35.64.0/24
    63.35.96.0/24
    63.35.128.0/24
    63.35.160.0/24
  }
)
</code>
Then take action: Skip

WAF components to skip:
  * All managed rules
  * All rate limiting rules
  * All Super Bot Fight Mode rules
Rule order: First
-----
===== 2️⃣ The Block rule STAYS UNCHANGED =====
The **Block public REST API** rule stays:
<code>
starts_with(http.request.uri.path, "/wp-json/")
and not (
  ip.src eq 49.12.184.65
  or ip.src eq 86.61.31.249
  or ip.src in {
    34.247.183.0/24
    34.248.118.0/24
    34.249.36.0/24
    52.31.132.0/24
    52.48.93.0/24
    52.49.43.0/24
    54.154.208.0/24
    63.34.168.0/24
    63.35.64.0/24
    63.35.96.0/24
    63.35.128.0/24
    63.35.160.0/24
  }
)
</code>
Action: Block
-----
===== 3️⃣ How to verify that make.com really works =====
In Cloudflare:
  * Security
  * Analytics
  * Filter:
    * Path contains `/wp-json/`
    * Source IP = one of the make.com IPs
If you see:
  * Action: **Skip**
  * no JS challenge
  * no Block
➡ make.com is working correctly
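
Added example (not part of the original page and not Cloudflare tooling): a Python helper that builds the Allow and Block expressions from one shared allowlist so the two rules cannot drift apart, and audits exported ''/wp-json/'' events to show which ranges are actually used and whether allowlisted sources were skipped. The ''(source_ip, path, action)'' row format, the action labels and the sample rows are assumptions constructed for illustration.

```python
import ipaddress

# Allowlist copied from the rules on this page.
SINGLE_IPS = ["49.12.184.65", "86.61.31.249"]
MAKE_RANGES = [
    "34.247.183.0/24", "34.248.118.0/24", "34.249.36.0/24", "52.31.132.0/24",
    "52.48.93.0/24", "52.49.43.0/24", "54.154.208.0/24", "63.34.168.0/24",
    "63.35.64.0/24", "63.35.96.0/24", "63.35.128.0/24", "63.35.160.0/24",
]
PATH_PREFIX = "/wp-json/"

def build_expressions(single_ips, ranges):
    """Build the Allow and Block expressions from one list so they cannot drift."""
    # ip_network() is strict: a typo such as 63.35.64.1/24 raises ValueError.
    nets = [str(ipaddress.ip_network(r)) for r in ranges]
    terms = [f"ip.src eq {ipaddress.ip_address(i)}" for i in single_ips]
    terms.append("ip.src in {" + " ".join(nets) + "}")
    match = " or ".join(terms)
    prefix = f'starts_with(http.request.uri.path, "{PATH_PREFIX}")'
    return f"{prefix} and ({match})", f"{prefix} and not ({match})"

def audit(rows, single_ips, ranges):
    """Check (source_ip, path, action) rows against the allowlist."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    singles = {ipaddress.ip_address(i) for i in single_ips}
    used, not_skipped, not_blocked = set(), [], []
    for src, path, action in rows:
        if not path.startswith(PATH_PREFIX):
            continue  # only REST API traffic is covered by these rules
        ip = ipaddress.ip_address(src)
        hit = next((n for n in nets if ip in n), None)
        if hit is not None:
            used.add(str(hit))
        if hit is not None or ip in singles:
            if action != "skip":  # allowlisted but challenged or blocked
                not_skipped.append((src, action))
        elif action != "block":  # outside the allowlist but not blocked
            not_blocked.append((src, action))
    unused = [str(n) for n in nets if str(n) not in used]
    return {"used": sorted(used), "unused": unused,
            "not_skipped": not_skipped, "not_blocked": not_blocked}

# Constructed sample rows (not real log data); action names are assumed labels.
SAMPLE_ROWS = [
    ("52.31.132.17", "/wp-json/wp/v2/posts", "skip"),
    ("63.35.64.200", "/wp-json/wp/v2/media", "managed_challenge"),
    ("49.12.184.65", "/wp-json/wp/v2/posts", "skip"),
    ("203.0.113.9", "/wp-json/wp/v2/users", "block"),
    ("198.51.100.4", "/wp-login.php", "managed_challenge"),
]
```

An entry in ''not_skipped'' means an allowlisted source was still challenged or blocked, so check that the Skip rule is ordered first; ranges listed under ''unused'' are candidates for removal from both rules.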
-----
===== 🔐 Security assessment =====
^ Element ^ Status ^
| Bot Fight Mode | ✅ |
| REST API publicly open | ❌ |
| n8n allowed | ✅ |
| make.com allowed | ✅ |
| IP allowlist | ✅ |
| JS challenge for the API | ❌ |
-----
===== 🧠 Recommendations =====
  * check the Cloudflare logs regularly
  * add new make IPs only as needed
  * do NOT use "Allow All Bots"
  * do NOT disable Bot Fight Mode globally
-----
===== ✅ Status =====
  * Verified in production: **YES**
  * Recommended solution: **YES**