Using WAF to block Traffic

Hello, We use workers to host our site. Over the past few weeks we noticed some major attacks on our API. We thought it was on the API direct, but turns out after watching the Stream Logs, that we have some people able to bypass Cloudflare protections on the website using crawling tools. We use a subdomain company.workers.dev. However, I this links to our CNAME for our company.com website. I am inside our company.com website WAF settings and attempting to block a few subset of IPs from our workers.dev account page.
How or why is the block not occuring? What light switch am I missing?
10 Replies
Cyb3r-Jak3
Cyb3r-Jak32mo ago
You can’t control WAF on the workers.dev domain. You should look into using the routes config to have a custom domain instead of a CNAME
KB
KBOP2mo ago
So are you saying like we should have something like hello.company.com which is our base site and then pick up hello.company.com inside our cloudflare domain for that specific domain, then apply WAF on that?
Cyb3r-Jak3
Cyb3r-Jak32mo ago
Correct. You will also want to make sure you disable the workers.dev route in your wrangler config file as well
KB
KBOP2mo ago
I am confused. Maybe you can clarify if I am right or wrong. A) My domain is created on Cloudflare at company.com. B) I have Pages/Workers (both) setup on the main account page. C) Inside of the pages (Which I realize I am in workers, but I have both) i have a custom domain set up to company.com and beta.company.com. D) Inside the domain itself, I have a CNAME created to main www/root to project.pages.dev. (Using ChatGPT here) but I think this is everything that is needed?
Cyb3r-Jak3
Cyb3r-Jak32mo ago
It seems like it. The only thing that it seems like you would need to do is disable the workers dev route
KB
KBOP2mo ago
Yes, I just checked and the dev has this file empty. What is the technical reason though for this though? with this (I assume default is true) this turns of WAF for the pages.dev domain and thus there is no security but the base Cloudflare security, or if you apply buisness package, then you can apply WAF at the account level?
Cyb3r-Jak3
Cyb3r-Jak32mo ago
It doesn’t turn off WAF. You can’t control the WAF for workers or pages dev domains so you disable people’s ability to use those domains and force them domains which you can apply WAF to
KB
KBOP2mo ago
Weird. But I cannot get WAF to apply even when I have the domain setup. Both domains are listed here. I even tried blocking all traffic as well.
No description
No description
No description
No description
Cyb3r-Jak3
Cyb3r-Jak32mo ago
The record needs to be proxied ( :cloudflare: ) for WAF to be able to take effect
KB
KBOP2mo ago
Works. Excellent!
Want results from more Discord servers?
Add your server