Security WAF rules doesnt work for Cloudflare tunnels?

I have created some rules at DOMAIN > Security > Security rules For example:

(http.request.method ne “GET” and not len(http.request.headers[“upgrade”]) > 0 and not len(http.request.headers[“connection”]) > 0 and all(http.request.headers[“upgrade”][] ne “websocket”) and all(http.request.headers[“connection”][] ne “upgrade”))

(http.request.method ne “GET” and not len(http.request.headers[“upgrade”]) > 0 and not len(http.request.headers[“connection”]) > 0 and all(http.request.headers[“upgrade”][] ne “websocket”) and all(http.request.headers[“connection”][] ne “upgrade”))

https://i.imgur.com/LxiRh4a.png Im testing a connection to my tunnel but the rules doesnt seen to work, for example i did a POST request and it didnt got blocked the rule was suppose to block any request thats not a GET So, these rules doesnt apply to Cloudflare tunnel?

Imgur

1 Reply

ruanOP•2w ago

why but why ors, im trying to understand whats wrong so do you mean these rules also work for tunnels?

(http.request.method ne "GET" or not len(http.request.headers["upgrade"]) > 0 or not len(http.request.headers["connection"]) > 0 or all(http.request.headers["upgrade"][*] ne "websocket") or all(http.request.headers["connection"][*] ne "upgrade"))

(http.request.method ne "GET" or not len(http.request.headers["upgrade"]) > 0 or not len(http.request.headers["connection"]) > 0 or all(http.request.headers["upgrade"][*] ne "websocket") or all(http.request.headers["connection"][*] ne "upgrade"))

thankyou !! do i need to restart the tunnel after modifying or setting a rule? im using the tunnel to expose a websocket server, im not expecting any other connection than the handshake to connect to the socket also, no more than 1 connection per ip do you suggest any other rule i could add?

Gaming

Programming

Security WAF rules doesnt work for Cloudflare tunnels?

Did you find this page helpful?