In my Cloudflare account I have
I’ve restricted access for dev.example.com using some special cookie. If that cookie isn’t present, then it will block the request.
(http.host eq "dev.example.com" and http.cookie contains "is-dev=my-secret-cookie"), action: Allow
(http.host eq "dev.example.com"), action: Block
So if they have the cookie, they will be allowed to access the Development Website; if they don’t, then they’ll see Error 1020. This is expected, but now the problem is that Let’s Encrypt doesn’t have the cookie, and when they go to request the ACME Challenge, it gets blocked.
What should I do to let Let’s Encrypt access the folder so it can verify the domain?
I can’t add this to the rule:
or (http.request.full_uri contains "dev.example.com/.well-known/acme-challenge/")
because then if I go to dev.example.com/my-secret-page/?dev.example.com/.well-known/acme-challenge/ it contains the string, so it will allow it. Is there anything I can do to check with like regex? I think something like this:
^https?:\/\/dev\.example\.com\/\.well-known\/acme-challenge\/
could work, but I’m not sure I’m able to do that with Cloudflare Firewall.
What should I do about this?
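The difference between the substring test and an anchored match, modelled in Python on constructed URLs. This is an added example, not part of the original post: the function names and the sample token are hypothetical, and it imitates the comparisons rather than running Cloudflare's rule engine.

```python
import re
from urllib.parse import urlsplit

HOST = "dev.example.com"
ACME_PREFIX = "/.well-known/acme-challenge/"

# The regex proposed in the post, anchored at the start of the full URI.
ANCHORED_RE = re.compile(
    r"^https?://dev\.example\.com/\.well-known/acme-challenge/"
)


def contains_full_uri(url):
    """Substring test over the whole URI, like `full_uri contains "..."`."""
    return (HOST + ACME_PREFIX) in url


def anchored_regex(url):
    """The post's regex: the match must begin at the first character."""
    return ANCHORED_RE.match(url) is not None


def path_prefix(url):
    """Compare host and path separately, so the query string is never read.
    Cloudflare exposes the path on its own as http.request.uri.path."""
    parts = urlsplit(url)
    return parts.hostname == HOST and parts.path.startswith(ACME_PREFIX)


# Constructed sample requests (the token value is made up).
SAMPLES = {
    "challenge": "http://dev.example.com/.well-known/acme-challenge/token123",
    "query_trick": "https://dev.example.com/my-secret-page/"
                   "?dev.example.com/.well-known/acme-challenge/",
    "plain": "https://dev.example.com/my-secret-page/",
}


def evaluate():
    """Return {name: (contains, regex, path_prefix)} for every sample."""
    return {
        name: (contains_full_uri(u), anchored_regex(u), path_prefix(u))
        for name, u in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:12} contains={result[0]} regex={result[1]} path={result[2]}")
```

Only the substring test allows the query-string URL from the post; the anchored regex and the host-plus-path-prefix comparison both reject it while still allowing the real challenge request.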