Using WAF to block Traffic
Hello,
We use Workers to host our site. Over the past few weeks we noticed some major attacks on our API. We thought it was on the API directly, but it turns out, after watching the Stream Logs, that some people are able to bypass Cloudflare protections on the website using crawling tools. We use a subdomain company.workers.dev. However, this links to our CNAME for our company.com website. I am inside our company.com website WAF settings and attempting to block a subset of IPs from our workers.dev account page.
How or why is the block not occurring? What light switch am I missing?
10 Replies
You can’t control WAF on the workers.dev domain. You should look into using the routes config to have a custom domain instead of a CNAME
So are you saying like we should have something like hello.company.com which is our base site and then pick up hello.company.com inside our cloudflare domain for that specific domain, then apply WAF on that?
Correct. You will also want to make sure you disable the workers.dev route in your wrangler config file as well
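What that reply describes, written out as a wrangler.toml, as an added example rather than a file from this thread (the Worker name, script path and the hostname hello.company.com are placeholders; the `workers_dev` and `routes` keys are standard wrangler settings):

```toml
# Added example wrangler.toml: keep the Worker off the shared *.workers.dev
# hostname and serve it only from a hostname in your own zone, where the
# zone's WAF rules apply.
name = "company-site"              # placeholder Worker name
main = "src/index.js"              # placeholder entry point
compatibility_date = "2024-01-01"  # placeholder date

# Do not publish the Worker on company.workers.dev. Traffic to that hostname
# never passes through your zone's WAF, so leaving it enabled leaves a path
# around any IP block you write in the company.com dashboard.
workers_dev = false

# Serve the Worker from a custom domain in the company.com zone instead.
# custom_domain = true makes Cloudflare create the DNS record for the
# hostname (proxied) and bind the Worker to it; WAF rules on company.com
# then evaluate every request to hello.company.com.
routes = [
  { pattern = "hello.company.com", custom_domain = true }
]
```

After `wrangler deploy`, confirm that https://company-site.company.workers.dev/ no longer serves the site and that only hello.company.com does; if any other record pointing at the Worker or a Pages project is still "DNS only" (grey cloud), WAF rules will not see that traffic either.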
I am confused. Maybe you can clarify if I am right or wrong.
A) My domain is created on Cloudflare at company.com.
B) I have Pages/Workers (both) setup on the main account page.
C) Inside of the Pages (which I realize I am in Workers, but I have both) I have a custom domain set up to company.com and beta.company.com.
D) Inside the domain itself, I have a CNAME created to main www/root to project.pages.dev.
(Using ChatGPT here) but I think this is everything that is needed?
It seems like it. The only thing that it seems like you would need to do is disable the workers dev route
Yes, I just checked and the dev has this file empty.
What is the technical reason for this though? With this (I assume the default is true) this turns off WAF for the pages.dev domain and thus there is no security but the base Cloudflare security, or if you apply the Business package, then you can apply WAF at the account level?
It doesn’t turn off WAF. You can’t control the WAF for Workers or Pages dev domains, so you disable people’s ability to use those domains and force them onto domains which you can apply WAF to.
Weird. But I cannot get WAF to apply even when I have the domain setup.
Both domains are listed here. I even tried blocking all traffic as well.
The record needs to be proxied (orange cloud) for WAF to be able to take effect.
Works. Excellent!