====== Cloudflare + WordPress REST API + n8n integration ======
===== 🎯 Purpose of this document =====
This document describes:
* how to safely enable the **WordPress REST API** for n8n
* how to **block public REST API access**
* how to use **Cloudflare WAF + IP allowlist**
* how to avoid **Cloudflare Access / Zero Trust**
* a configuration verified to work in production
-----
===== Applies to =====
* **WordPress**
* **n8n**
* **Cloudflare (the Free plan is sufficient)**
* REST API integrations without a browser
* machine-to-machine access
-----
===== 🧠 Problem summary (TL;DR) =====
If you use:
* Cloudflare
* WordPress REST API
* n8n or another automation tool
then by default Cloudflare:
* blocks the REST API with a **JS Challenge**
* triggers **Bot Fight Mode**
* returns **403 Forbidden**
* requires an **Access token**, which is NOT suitable for the REST API
⚠️ **A REST API client is not a browser** and cannot solve Cloudflare challenges.
The solution is:
* IP allowlist
* Cloudflare Custom Rules (Allow + Block)
* WordPress Application Password
* Basic Auth
* no Zero Trust
-----
===== Final architecture =====
n8n (static IP)
-> Cloudflare WAF (Custom Rules)
-> WordPress REST API (/wp-json/)
-----
===== 1️⃣ WordPress – Application Password =====
In the WordPress Admin panel:
- Users
- select the user (e.g. automation_n8n)
- Application Passwords
- Create new password
Save:
* WordPress username
* Application Password
Note:
* **Basic Auth** is used
* not JWT
* not OAuth
-----
===== 2️⃣ n8n – check the outbound IP =====
In n8n, create an HTTP Request node:
Method: GET
URL: https://api.ipify.org?format=json
Authentication: None
Result:
{
"ip": "49.12.184.65"
}
This IP will be used in the Cloudflare rules.
-----
===== 3️⃣ Cloudflare – Global Security Level =====
Cloudflare Dashboard:
* Security
* Settings
Set:
Security Level = Low
Reason:
* Medium / High trigger a JS Challenge
* a REST API client cannot handle that
-----
===== 4️⃣ Cloudflare – Custom Rule (ALLOW + SKIP) =====
Cloudflare:
* Security
* Security rules
* Custom rules
* Create rule
Rule name:
Allow WordPress REST API
Expression:
starts_with(http.request.uri.path, "/wp-json/")
and (ip.src eq 49.12.184.65 or ip.src eq 86.61.31.249)
Action:
Skip
WAF components to skip:
* All managed rules
* All rate limiting rules
* Super Bot Fight Mode rules
Rule order:
First
This rule:
* allows the REST API
* turns off all Cloudflare protections for the allowed IPs
-----
===== 5️⃣ Cloudflare – Custom Rule (BLOCK public REST) =====
Create a second rule.
Name:
Block public WordPress REST
Expression:
starts_with(http.request.uri.path, "/wp-json/")
and not (ip.src eq 49.12.184.65 or ip.src eq 86.61.31.249)
Action:
Block
Rule order:
* After: Allow WordPress REST API
This rule:
* blocks the public REST API
* prevents brute-force and scanning attacks
-----
===== 6️⃣ Cloudflare – Zero Trust / Access =====
Cloudflare:
* Zero Trust
* Access
* Applications
State:
NO APPLICATIONS
We do not use:
* Access Applications
* Service Tokens
* Access Policies
* Identity Providers
Reason:
* REST API = machine-to-machine
* IP allowlist + Basic Auth is more stable
-----
===== 7️⃣ Testing in the browser =====
From an allowed IP:
https://example.com/wp-json/
Expected:
* JSON with WordPress data
From an IP that is not allowed:
* Cloudflare block page
* "Sorry, you have been blocked"
-----
===== 8️⃣ Testing in n8n =====
HTTP Request node:
Method: GET
URL: https://example.com/wp-json/wp/v2/users/me
Authentication: Basic Auth
Username: WP user
Password: Application Password
Expected:
* HTTP 200
* JSON response
* no Cloudflare challenge
-----
===== 🔐 Security policy =====
^ Element ^ Status ^
| REST API publicly accessible | ❌ |
| IP allowlist | ✅ |
| Basic Auth | ✅ |
| WAF bypass for n8n only | ✅ |
| Cloudflare Zero Trust | ❌ |
-----
===== ⚠️ Common mistakes =====
* Security Level = High
* using Cloudflare Access for the REST API
* a missing "Skip"
* wrong rule order
* JS / Managed Challenge on /wp-json/
* testing from the wrong IP
-----
===== ✅ Status =====
* Verified in production: **YES**
* Stable: **YES**
* Suitable for wiki documentation: **YES**
-----
===== 🧩 Note =====
If the n8n IP changes:
* update the Cloudflare Custom Rules
* there is no need to change the WordPress configuration
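
The Allow and Block rules from steps 4 and 5 carry the same IP list twice, so an IP change has to land in both. The following is an added example, not part of the original configuration: it generates both expressions from one list and reports drift between two expressions copied from the dashboard. The function names, the documentation address 203.0.113.10, and the assumption that the Skip rule does not skip the remaining custom rules are ours.

```python
import ipaddress
import re

REST_PREFIX = "/wp-json/"
IP_TERM = re.compile(r"ip\.src eq ([0-9a-fA-F.:]+)")

def build_expressions(allowlist):
    """Return (allow_expr, block_expr) built from one validated IP list."""
    ips = sorted({ipaddress.ip_address(ip) for ip in allowlist},
                 key=lambda ip: (ip.version, int(ip)))
    if not ips:
        raise ValueError("empty allowlist would block every REST client")
    clause = " or ".join(f"ip.src eq {ip}" for ip in ips)
    path = f'starts_with(http.request.uri.path, "{REST_PREFIX}")'
    return f"{path} and ({clause})", f"{path} and not ({clause})"

def rule_ips(expression):
    """Extract the ip.src literals from an expression copied from the dashboard."""
    return {ipaddress.ip_address(m) for m in IP_TERM.findall(expression)}

def drift(allow_expr, block_expr):
    """IPs present in only one of the two rules (both lists empty = in sync)."""
    a, b = rule_ips(allow_expr), rule_ips(block_expr)
    return {"only_in_allow": sorted(str(ip) for ip in a - b),
            "only_in_block": sorted(str(ip) for ip in b - a)}

def decide(path, src_ip, allow_expr, block_expr):
    """Local model of both rules. Assumption: the Skip rule skips only the
    components listed on the page, so the Block rule is still evaluated."""
    src = ipaddress.ip_address(src_ip)
    if not path.startswith(REST_PREFIX):
        return "not matched"
    if src not in rule_ips(block_expr):
        return "blocked"
    return "waf skipped" if src in rule_ips(allow_expr) else "waf applied"

if __name__ == "__main__":
    allow, block = build_expressions(["49.12.184.65", "86.61.31.249"])
    print(allow, block, sep="\n")
    # Constructed scenario: n8n moved to 203.0.113.10, only the allow rule was edited.
    new_allow, _ = build_expressions(["203.0.113.10", "86.61.31.249"])
    print(drift(new_allow, block))
    print(decide("/wp-json/wp/v2/users/me", "203.0.113.10", new_allow, block))
```

In the constructed scenario the new n8n IP is still blocked by the stale Block rule, while the old IP passes the Block rule but no longer skips the WAF.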