WAF CDN Stacking
I'm stacking CDNs to evaluate and compare WAF settings. If I put a CDN in front of Cloudflare and pass True-Client-IP to Cloudflare, can Cloudflare evaluate WAF rules/Rate Controls, etc. based on the True-Client-IP set at the first CDN, since the Connecting-IP will always be the CDN that is stacked in front?
4 Replies
Afaik no
Does Cloudflare's WAF engine use the connecting IP in any of the rules? I would imagine bot protections use IP to a degree, and obviously rate controls. Do you know if rate controls can use True-Client-IP? I am thinking of only enabling the WAF rule engine and not rate or bot controls.
I don’t think so, I think CF is meant to be the fronting CDN, not behind another CDN
For rate limiting Enterprise w/ adv. rate limiting can count by a header instead of IP: https://developers.cloudflare.com/waf/rate-limiting-rules/
Or you could use the Worker binding for rate limiting (with its kind of harsh restrictions) and have your key be the header or whatever, but the Worker would always be invoked.
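
The Worker-binding approach from the last reply, as an added example that is not part of the thread: the rate-limit key is taken from True-Client-IP only when the connecting address belongs to the fronting CDN, so a client that reaches Cloudflare directly cannot choose its own key by sending the header. The binding name `RATE_LIMITER`, the `TRUSTED_UPSTREAM_CIDRS` list and its range are assumptions, and the check is IPv4 only.

```javascript
// Added example. RATE_LIMITER and TRUSTED_UPSTREAM_CIDRS are assumed names.
// Constructed placeholder range (RFC 5737 documentation space): replace it
// with the egress ranges the fronting CDN publishes.
const TRUSTED_UPSTREAM_CIDRS = ["192.0.2.0/24"];

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).trim().split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip falls inside an IPv4 CIDR such as "192.0.2.0/24".
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const ipN = ipv4ToInt(ip), baseN = ipv4ToInt(base);
  if (ipN === null || baseN === null) return false;
  const size = 2 ** (32 - Number(bitsStr));
  return Math.floor(ipN / size) === Math.floor(baseN / size);
}

// Pick the rate-limit key: True-Client-IP only when the request really came
// through the fronting CDN, otherwise the address Cloudflare saw connect.
function rateLimitKey(headers, trusted = TRUSTED_UPSTREAM_CIDRS) {
  const connecting = headers.get("CF-Connecting-IP") || "unknown";
  const claimed = headers.get("True-Client-IP");
  const viaUpstream = trusted.some((c) => inCidr(connecting, c));
  if (viaUpstream && claimed && ipv4ToInt(claimed) !== null) return claimed.trim();
  return connecting;
}

// Worker handler; export it as the module's default export when deploying.
const worker = {
  async fetch(request, env) {
    const key = rateLimitKey(request.headers);
    const { success } = await env.RATE_LIMITER.limit({ key });
    if (!success) return new Response("Too Many Requests", { status: 429 });
    return fetch(request); // pass the request through to the origin
  },
};
```

Requests that arrive through the fronting CDN without a usable True-Client-IP share one key (the CDN's address), so they are limited together rather than not at all.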