WAF - Create a rule that blocks multiple full URLs unless one specific IP tries to access them.
Hey there!
I started hosting a simple uploading server and I need to block a few URLs on Cloudflare's side.
I put the webserver behind cloudflared and gave it the subdomain "upload". There are multiple paths (/, /paste, /upload and /API) which I need to block unless my IP tries to access them. I have a static IP, this rule won't have to be updated. I want every other path to be accessible by anyone.
I tried:
If incoming requests match.. IP source address - doesn't equal - (my IP) - and - URI full - does equal - https://upload.dvidpi.ovh/ - or - URI full - does equal - etc... etc.. until I listed out all the paths. - then.. - block
It does work, although only for the root (/) everything else is accessible from a different IP.
Is this possible? Thanks.
18 Replies
When you do "OR" it starts a new logic chain, so you have to add the IP again. You can see here it's not linked to the other logic.
So you have to do this nightmare of flow
Alright, if that's what will work, I will do it haha
Many thanks!
If the URIs are all on the same hostname I recommend chaining hostname and path, because you can use "is in" for path, which simplifies a lot.
Ah I see, I'll try this one out.
Thanks!
One more thing, how long does it take for WAF rules to propagate? I replicated the setup you sent and it still doesn't seem to work.
A minute or two at its worst
It looks like it doesn't work then. I'll clear my cache and see
I cleared my cache and I can still access the address even through different IPs
Here's what the rule looks like
are there any skip rules above it?
just from looking at that rule it seems to be right
There's only a rule to block xmlrpc.php on my WordPress installation above that one
Also I get blocked by.. something
Yes, try accessing /paste on that URL
It lets you in, right?
no, same error on paste
but if I make up some random path e.g. https://upload.dvidpi.ovh/asdfg then it works
Yes, that should be accessible.
It looks like it's an issue on my side then.
Many thanks again!
One thing I have noticed though is that /paste blocks but /paste/ works, so maybe should add that too
Should I add both or will /paste/ work for both?
You should add both, they're treated as separate URIs
Will do! Thanks again.
same for /upload/
No problem
FWIW, it looks like you are trying to use WAF rules to do what Zero Trust Access was designed to do (allowing specific humans to certain areas). It will work, but might be worth looking at Zero Trust Access to make it easier to manage additional users/IP changes in the future (also doesn't use one of your limited number of firewall rules).
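As an added example (not code from the thread or from Cloudflare), this Python sketch generates the single-expression form of the rule suggested above: hostname, path "is in" a list that includes the trailing-slash variants, and the source IP, all joined by `and`. It also models the logic locally to check which requests would be blocked. The allowed IP is a placeholder, and `http.host`, `http.request.uri.path` and `ip.src` are assumed to be the expression fields behind the dashboard's Hostname, URI Path and IP Source Address options.

```python
# Added example: builds the rule expression and models it locally.
# This is not Cloudflare's evaluator; ALLOWED_IP is a placeholder (RFC 5737 range).
ALLOWED_IP = "203.0.113.10"
HOST = "upload.dvidpi.ovh"
BASE_PATHS = ["/", "/paste", "/upload", "/API"]  # paths named in the thread


def protected_paths(base_paths):
    """Return each path plus its trailing-slash twin; they are separate URIs."""
    out = []
    for p in base_paths:
        for variant in (p, p if p.endswith("/") else p + "/"):
            if variant not in out:
                out.append(variant)
    return out


def build_expression(host, base_paths, allowed_ip):
    """Render one expression (rule action: Block) where every condition is
    joined by `and`, so the IP exemption covers every listed path."""
    quoted = " ".join(f'"{p}"' for p in protected_paths(base_paths))
    return (f'(http.host eq "{host}" and '
            f'http.request.uri.path in {{{quoted}}} and '
            f'ip.src ne {allowed_ip})')


def is_blocked(src_ip, host, path):
    """Local model of the same logic, used to check a request matrix."""
    return (host == HOST
            and path in protected_paths(BASE_PATHS)
            and src_ip != ALLOWED_IP)


if __name__ == "__main__":
    print(build_expression(HOST, BASE_PATHS, ALLOWED_IP))
    # Constructed sample requests: (source IP, path)
    for ip, path in [("198.51.100.7", "/paste"), ("198.51.100.7", "/paste/"),
                     ("198.51.100.7", "/asdfg"), (ALLOWED_IP, "/upload/")]:
        print(ip, path, "BLOCK" if is_blocked(ip, HOST, path) else "allow")
```

The printed expression can be pasted into the rule's expression editor after replacing the placeholder IP with the real static address.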