Blocking a page with and without the /

i have a rule to block /page1 http.request.uri.path eq “/page1”
now example.com/page1 is blocked but i noticed that if i add / in the browser to make it example.com/page1/ the page will be accessed.
i cant use contain because i dont want to block sub urls.

I tried http.request.uri.path eq “/page1/” and got the opposite result.

how can i achieve blocking /page1 and /page1/

Looks like there is no solution other than writing the 2 possibilities or use contains.
So, in case of using contains (http.request.uri contains “/apply”) will this block
example.com/apply and example.com/apply/x/x
or any path that contains /apply like
example.com/x/apply/x

Why don’t you block both paths with OR setting?

can be but it is a long list especially when protecting Wordpress.

do you know the answer for my second question, in the case of using contain ?

That’s the same thing as “starts with”. There’s no magic way it’s going to match with or without a slash. Unless you’re on a Biz/Ent plan with access to Matches RegEx, you’re going to have to make that big list.

I know contains will match both cases but my question regarding contains is the following:

Yes, but you already pointed that out:

You can also easily confirm that with a quick test using a similar rule.

You could use a rule with the length function len(). The use of any function disables the Expression Builder, and you need to edit this rule in the Expression Editor.

(http.request.full_uri contains "example.com/page1" and len(http.request.uri.path) le 7)

It should go without saying that if you have a path like /page10 it will be blocked as well, so you need to check your sitemap, and adjust the rule accordingly.

the client is on free plan.
one last thing, will contains “/page1” apply to
example.com/x/page1/x
or only to
example.com/page1/x

It depends on which field you are applying the operator “contains” to. What I suggested was to use it against http.request.uri_full, in which case it should only match example.com/page1.

The only other possible combination would be if example.com/page1 is part of the query string. If you need that kind of precision you can always exclude that possibility with and not (http.request.uri.query contains "example.com")

Some functions are restricted to paid plans, but that’s not the case with len()

Regardless of http.request.uri_full or http.request.uri or http.request.uri.path. If it’s a “Contains”, it will match no matter where in the path /page1 shows up. /x/page1 will get blocked just as surely as /page1/x will get blocked.

“Starts With” is the better approach if you’re trying to match on the beginning of the path.

Hmm… I think you’re missing the fact that I’m matching against example.com/page1, not against /page1.

Requested URL: https://example.com/page1
URI Full contains example.com/page1? Yes
URI Path contains example.com/page1 ? No.

If it’s an unusual installation where the name of the domain is repeated as part of the path, one could use an exclusion like the one I mentioned for query strings.

Ah, I see. Matching hostname and beginning of path for uri.full. I just read that they were using a “contains” for only /page1. You can use Starts With if you use the Expression Editor:

(starts_with(http.request.uri.path, "/page1"))

1 Like

Thanks. very good idea to use start_with.

do you know why starts_with(http.request.uri, “/page1”) is not a valid expression ?

:point_down:

An alternative to using the len() function as I had suggested would be to use a Redirect Rule coupled with a WAF Custom Rule.

If URI Path equals "/page1"
Redirect to "https://example.com/page1/"

If URI Path equals "/page1/"
Block

In both cases of course you should not use “contains” operator, as you want a perfect match. You can add a Hostname field to select which subdomains these rules would match, if needed.

1 Like

i think simpler to include both case with and without the “/” in the same FW rule. But appreciate your input, I learnt few new techniques that might use in certain cases.
Thanks @cbrandt @sdayman

2 Likes