Enable Cloudflare WAF for API subdomain
Can I enable WAF (orange cloud in DNS record) for my subdomain api.domain.com?
I'd love to have my API protected with Cloudflare DDoS protection, WAF, and other bot detection.
Do I need to have a certain plan to do it? Pro? Business? Enterprise?
6 Replies
If you're fine with using Cloudflare's DNS for your entire domain, you can orange cloud/enable proxy for only your api subdomain, and leave your other subdomains unproxied/gray cloud (not going through CF, etc.).
If you don't want to switch your domain over to Cloudflare DNS/Nameservers (https://developers.cloudflare.com/dns/zone-setups/full-setup/), then you need Business for CNAME Setup (https://developers.cloudflare.com/dns/zone-setups/partial-setup/), and Enterprise for Nameserver domain setup/delegating just a subdomain to CF (https://developers.cloudflare.com/dns/zone-setups/subdomain-setup/).
I'm already using Cloudflare DNS for my domain name. Why would I want to unproxy my other subdomains though? Isn't more protection better? My intent is that when people hit any of my domains/subdomains, they go first through the Cloudflare network. What I'm confused about though is that Cloudflare says it's only for HTML and my api.domain.com returns JSON. So I'm not sure if it's allowed with their 2.8 clause. I don't mind paying, it's just unclear to me if I can do it or not.
More protection is better, yeah. I was under the impression you just wanted to proxy/enable WAF on your API alone, so I wanted to clarify if that was your goal. It is possible to enable proxy on just that without affecting anything else.
2.8 was reworked/changed a bit: https://blog.cloudflare.com/updated-tos/
Cloudflare’s content delivery network (the “CDN”) Service can be used to cache and serve web pages and websites. Unless you are an Enterprise customer, Cloudflare offers specific Paid Services (e.g., the Developer Platform, Images, and Stream) that you must use in order to serve video and other large files via the CDN. Cloudflare reserves the right to disable or limit your access to or use of the CDN, or to limit your End Users’ access to certain of your resources through the CDN, if you use or are suspected of using the CDN without such Paid Services to serve video or a disproportionate percentage of pictures, audio files, or other large files. We will use reasonable efforts to provide you with notice of such action.
I am not a lawyer, nor a Cloudflare employee, but the rule is more targeted at sites consuming a ton of bandwidth, and more at video/large files, etc. Cloudflare will reach out to you first and work with you; they won't flat out terminate you or anything like that.
Okay. So if I proxy my api.domain.com and a user makes a request to, let's say, [GET] api.domain.com/post/asjdh1239, Cloudflare will just forward this request to whatever server is in my DNS record for api. Am I right?
Cloudflare will run it through its request flow first: checking firewall rules, WAF rulesets if you have them enabled, redirect rules, page rules, cache, etc. If none of those return a response by themselves, Cloudflare will make a new request to your origin with the same request characteristics. TL;DR: Yes*
Okay, perfect.
All my user requests will be authenticated with JWT and will have to go to my origin servers.
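
Added example, not part of the thread above: a small audit of which DNS records actually go through the proxy (and so through the WAF and the request flow described in the replies). It assumes records shaped like the `result` array of Cloudflare's DNS records API (`type`, `name`, `content`, `proxied`, `proxiable`); every hostname other than api.domain.com, the IP addresses, and the function name are constructed for illustration.

```python
import json

# Constructed sample in the shape of Cloudflare's DNS records API "result" array.
# Addresses come from the documentation ranges (203.0.113.0/24, 198.51.100.0/24).
SAMPLE_RECORDS = json.loads("""[
  {"type": "A",  "name": "api.domain.com",     "content": "203.0.113.10",
   "proxied": true,  "proxiable": true},
  {"type": "A",  "name": "domain.com",         "content": "203.0.113.10",
   "proxied": true,  "proxiable": true},
  {"type": "A",  "name": "staging.domain.com", "content": "203.0.113.10",
   "proxied": false, "proxiable": true},
  {"type": "MX", "name": "domain.com",         "content": "mail.domain.com",
   "proxied": false, "proxiable": false},
  {"type": "A",  "name": "mail.domain.com",    "content": "198.51.100.7",
   "proxied": false, "proxiable": true}
]""")


def audit_proxy_coverage(records):
    """Return (gray_cloud, origin_exposed) as lists of hostnames.

    gray_cloud: proxiable records that are not proxied, so requests to them
    reach the origin directly and skip firewall rules, WAF rulesets and cache.
    origin_exposed: the subset whose address is also the origin of a proxied
    A/AAAA record, so public DNS reveals the origin behind the proxied names.
    """
    proxied_origins = {
        r["content"] for r in records
        if r.get("proxied") and r["type"] in ("A", "AAAA")
    }
    gray_cloud, origin_exposed = [], []
    for r in records:
        if r.get("proxied") or not r.get("proxiable"):
            continue  # already proxied, or a type that cannot be proxied (MX, TXT)
        gray_cloud.append(r["name"])
        if r["content"] in proxied_origins:
            origin_exposed.append(r["name"])
    return gray_cloud, origin_exposed


if __name__ == "__main__":
    gray, exposed = audit_proxy_coverage(SAMPLE_RECORDS)
    print("Not proxied (gray cloud):", gray)
    print("Share an origin address with a proxied record:", exposed)
```

A gray-cloud record is not always a mistake: a mail host, for instance, serves non-HTTP traffic and is normally left unproxied, so the first list is a review list, while the second list is the one to fix.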