About the priority of redirect rules and WAF rules

What is the name of the domain?

bfban.com

What is the issue you’re encountering

About the priority of redirect rules and WAF rules

What steps have you taken to resolve the issue?

Set WAF rules to block attacking IP

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full

What are the steps to reproduce the issue?

This is about my website, which was attacked. I set up WAF rules, but they didn’t work.
This is because I also set up Redirect Rules and Configuration Rules, and the priority of the WAF is not high.

So my question is: is there a way to have both Configuration Rules or Redirect Rules and WAF rules take effect?
Due to the incorrect priorities, my WAF rules did not take effect on the subdomains that had Configuration Rules and Redirect Rules set, which left my website unable to defend against the attackers.
Do you have any good suggestions or methods that would allow both kinds of rules to take effect at the same time, with the WAF rules treated as the highest priority?

If a rule results in a terminating action, the request is stopped at Cloudflare and doesn’t consume any of your origin resources. Block actions or redirects do this.

Obviously the redirect target itself needs protection.

Any match and action from a non-terminating rule continues through the Cloudflare pipeline, so the WAF coming after Redirect Rules and Configuration Rules doesn’t matter; all of them get executed unless a terminating action is triggered.

Obviously, WAF rule configuration and Redirect Rule configuration are not at the same level, and I cannot actively set their order.

I enabled WAF rules for the entire domain, which means that both subdomains and Workers follow this rule, but even though the domain reached after the redirect belongs to my domain and the WAF is enabled, the WAF rule is clearly not executed.

What is the URL you are requesting, and what do you expect to happen to it based on your rules? Can you show a screenshot of the rules you have entered?

My Redirect Rules are:
For backend.bfban.com, perform a 301 redirect and carry the request parameters.
My Configuration Rules are:
For backend.bfban.com, set the SSL/TLS encryption mode to Full (the others are Flexible).

Redirect from backend.bfban.com to api.bfban.com using a 301 code.

That rule isn’t working, instead there is a 302 redirect by your origin to /docs. Can you show a screenshot of the rule?

curl -i https://backend.bfban.com/
HTTP/2 302
date: Wed, 01 Jan 2025 08:16:15 GMT
content-type: text/plain; charset=utf-8
content-length: 27
x-powered-by: Express
access-control-allow-origin: *
access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept, x-access-token, x-whosdaddy, x-whosdaddy-p
access-control-allow-methods: GET,HEAD,OPTIONS,POST,PUT
access-control-allow-credentials: true
cache-control: no-cache
location: /docs
vary: Accept
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2IAbifDgWG1MlvDUpWU3bW%2FgRizKTQlMK8X8cWtWVsZPnItFq%2Bu1755OJCQrbHURgqXoO7bWTn8pjaYsE6uS8QZ0GTCmOC4%2FWRSVy%2BXfnXWDBWwoZR01C3SODdxxfxm1Yc%2FXaztuZHjqN6Ev6PNHfg%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 8fb110f11bd9ef0d-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2926&min_rtt=2106&rtt_var=1184&sent=7&recv=10&lost=0&retrans=0&sent_bytes=3403&recv_bytes=778&delivery_rate=1920227&cwnd=255&unsent_bytes=0&cid=e4ce4bcee4da8ad8&ts=341&x=0"

If the rule were working, no further rules for backend would do anything, as requests would already have been redirected; rules should instead act on api, for when the redirected request is made.

Ensure your origin has working SSL and only use “Full (strict)” in all cases otherwise your connections are not secure.
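The reply above tells the redirect apart from a Redirect Rule by the origin headers (x-powered-by: Express, location: /docs) in the curl output. The script below, an added example that is not part of the thread, turns that check into a small shell function: it takes the raw header block that curl -i prints and reports whether a redirect or 403 came from the origin or from the edge. The heuristic it uses (an origin framework header such as x-powered-by means the response was proxied from the origin, and its absence on a 3xx/403 means Cloudflare generated it) is an assumption, not a documented Cloudflare property; server: cloudflare and cf-ray appear on both kinds of response and so cannot be used to distinguish them. The sample header blocks are constructed for the example, with the first modelled on the output posted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify where a redirect or 403 came
# from, using only the response headers.
#
# Heuristic (assumption): a response proxied from the origin keeps origin
# framework headers such as x-powered-by; a redirect or block generated by
# Cloudflare itself (Redirect Rule, WAF custom rule) does not carry them.
# server: cloudflare and cf-ray are present either way and are ignored here.

# from_origin RAW: succeed if the header block carries an origin-only header.
from_origin() {
  printf '%s\n' "$1" | grep -qi '^x-powered-by:'
}

# classify_response RAW_HEADERS
#   RAW_HEADERS is the header block exactly as `curl -si` prints it.
#   Prints one of: origin-redirect, edge-redirect, origin-403, edge-block,
#   other-<status>
classify_response() {
  raw=$(printf '%s\n' "$1" | tr -d '\r')
  status=$(printf '%s\n' "$raw" | head -n 1 | awk '{print $2}')

  case "$status" in
    301|302|307|308)
      if from_origin "$raw"; then
        echo "origin-redirect"     # origin answered; no edge rule terminated
      else
        echo "edge-redirect"       # Redirect Rule fired; pipeline stopped here
      fi
      ;;
    403)
      if from_origin "$raw"; then
        echo "origin-403"
      else
        echo "edge-block"          # consistent with a WAF block action
      fi
      ;;
    *)
      echo "other-$status"
      ;;
  esac
}

# probe URL: fetch one response without following redirects, headers only,
# and classify it. Not run by default because it needs network access.
probe() {
  classify_response "$(curl -s -o /dev/null -D - "$1")"
}

# Constructed sample header blocks (not real captures).
# Modelled on the 302 posted in the thread: the origin (Express) redirected.
SAMPLE_ORIGIN='HTTP/2 302
content-type: text/plain; charset=utf-8
x-powered-by: Express
location: /docs
cf-cache-status: DYNAMIC
server: cloudflare
cf-ray: 0000000000000000-LHR'

# What a Redirect Rule hit would be expected to look like under this heuristic.
SAMPLE_EDGE='HTTP/2 301
location: https://api.bfban.com/
server: cloudflare
cf-ray: 0000000000000000-LHR'

# What a WAF block would be expected to look like under this heuristic.
SAMPLE_BLOCK='HTTP/2 403
content-type: text/html; charset=UTF-8
server: cloudflare
cf-ray: 0000000000000000-LHR'

# Usage: sh classify.sh https://backend.bfban.com/
if [ $# -gt 0 ]; then
  probe "$1"
fi
```

Run it against the subdomain while the Redirect Rule is enabled: origin-redirect means the request reached the origin (the edge rule did not match), edge-redirect means the Redirect Rule terminated the request before the WAF ran, and a blocked test IP should see edge-block.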


Sorry, because an attacker was attacking this sub-route yesterday, I temporarily deleted the Redirect Rules.

If you need to test, I will restore my rule settings.

Thanks for your reply. I think I found the cause of the problem (maybe).
When you set Redirect Rules and WAF rules for the same subdomain, you may need to set the WAF rules first and then the Redirect Rules. When I modified these rules, deleting and re-entering them, everything seemed to return to normal.
The specified blocked IP list is in effect; requests follow the redirect first (maybe not) and are then subject to the WAF rules.
