Block traffic of a specific pattern

What is the name of the domain?

www.example.com

What is the issue you’re encountering

Making a WAF rule based on the query string.

What steps have you taken to resolve the issue?

I’ve added this rule:
    (
      (
        http.request.uri.path eq "/da-dk/avis"
        or http.request.uri.path eq "/sv-se/avis"
      )
      and not starts_with(http.request.uri.query, "url=https://avis.example.com/")
    )

Why is this request blocked?

    {
      "action": "block",
      "clientASNDescription": "GLOBALCONNECT-AS31027",
      "clientAsn": "31027",
      "clientCountryName": "DK",
      "clientIP": "83.136.93.134",
      "clientRequestHTTPHost": "www.example.com",
      "clientRequestHTTPMethodName": "GET",
      "clientRequestHTTPProtocol": "HTTP/3",
      "clientRequestPath": "/da-dk/avis",
      "clientRequestQuery": "?url=https%3A%2F%2Favis.example.com%2Fkuponti",
      "datetime": "2024-11-27T12:17:02Z",
      "ref": "",
      "rayName": "8e920d86fa1a10c1",
      "ruleId": "85f518e0d463458a8493ef110a5499a0",
      "rulesetId": "00581c60462c4f21baf02338466f6c1a",
      "source": "firewallCustom",
      "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
      "wafAttackScoreClass": "clean",
      "matchIndex": 0,
      "metadata": [
        {
          "key": "ruleset_version",
          "value": "34"
        },
        {
          "key": "version",
          "value": "14"
        },
        {
          "key": "type",
          "value": "customer"
        },
        {
          "key": "js_detection",
          "value": "PASSED"
        }
      ],
      "sampleInterval": 1
    }

Was the site working with SSL prior to adding it to Cloudflare?

No

What is the current SSL/TLS setting?

Full

Is 85f518e0d463458a8493ef110a5499a0 the ID of the rule you have shown? Do you have any other rules that this request may trigger?

Use “Full (strict)” so Cloudflare validates your origin SSL certificate.
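
The following is an added example, not part of the original thread and not Cloudflare's own code. It models the posted rule in Python against the logged request to show why it matches: the query string reaches the rule still percent-encoded, so the literal prefix `url=https://avis.example.com/` is never found. Assumptions: `http.request.uri.query` carries the raw query without the leading `?` shown in the event log, `unquote_plus` stands in for the rules language's `url_decode()`, and every query other than the logged one is constructed.

```python
from urllib.parse import unquote_plus

PROTECTED_PATHS = {"/da-dk/avis", "/sv-se/avis"}
ALLOWED_PREFIX = "url=https://avis.example.com/"


def rule_query_field(logged_query: str) -> str:
    """The event log shows the query with a leading '?'; the rule field
    is assumed to hold the same raw string without that delimiter."""
    return logged_query[1:] if logged_query.startswith("?") else logged_query


def posted_rule_matches(path: str, query: str) -> bool:
    """The rule as posted: prefix check against the raw (encoded) query."""
    return path in PROTECTED_PATHS and not query.startswith(ALLOWED_PREFIX)


def decoded_rule_matches(path: str, query: str) -> bool:
    """Same rule, with the query percent-decoded once before the check
    (a model of wrapping the field in url_decode())."""
    decoded = unquote_plus(query)
    return path in PROTECTED_PATHS and not decoded.startswith(ALLOWED_PREFIX)


if __name__ == "__main__":
    samples = [
        # (label, path, query as it appears in the event log)
        ("logged request", "/da-dk/avis",
         "?url=https%3A%2F%2Favis.example.com%2Fkuponti"),
        ("constructed: unencoded", "/da-dk/avis",
         "?url=https://avis.example.com/kuponti"),
        ("constructed: other host", "/sv-se/avis",
         "?url=https%3A%2F%2Fother.example.net%2F"),
        ("constructed: lookalike host", "/sv-se/avis",
         "?url=https%3A%2F%2Favis.example.com.other.test%2F"),
        ("constructed: unrelated path", "/da-dk/home", "?url=anything"),
    ]
    for label, path, logged in samples:
        q = rule_query_field(logged)
        print(f"{label:28} posted={posted_rule_matches(path, q)!s:5} "
              f"decoded={decoded_rule_matches(path, q)}")
```

In the rule itself, the decoded variant corresponds to `not starts_with(url_decode(http.request.uri.query), "url=https://avis.example.com/")`. The trailing slash in the prefix is what keeps the lookalike host in the constructed samples from passing.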
