Blocking URL with IP Exceptions

Hello, I’m trying to block a simple URL / file names like filename1.asp / filename2.asp from all traffic, with IP exceptions.

  1. Block a url: https://www.
  2. Allow a set list of IP’s only to access this URL and or set of file names.

We have tried this setup already, by setting up a new WAF rule and for some reason, it’s not so simple, as one would expect.

I’m able to block the URL fairly easy, but not seeing how to allow certain IP’s within that same rule. This doesn’t work like other firewall rules from other platforms, so i guess it’s a learning curve, like everything else.

I would think it should be simple and we are just missing the answer to this one. I guess we could just allow list our IP, but that can be hard to track in the way this WAF is setup as it seems to be applied on a global level and that is not really what we want for the entire account of multi-domains.

For now, we just want to be able to lockup a simple URL path like https://www.mydomain. com/thisfolder to all traffic, caching and anything else related, except certain dedicated IP. So it’s impossible to gain access to unless you are using XYZ IP’s.

Thanks and best regards…


Try this in the expression editor: in {"" ""} 
and http.request.uri.path in {"/path-1/" "/path-2/" "/path-2/"  etc.}
and not ip.src in { etc.}

1st line is optional, in case there might be a similar path in subdomains that need not be blocked.


Ok we tried that and it failed sadly, still learning this tool, thank you for the quick reply, can we also redirect all other traffic back to the home page in zero seconds? I know we can do a meta tag for this, but perhaps an outdated methodology?

Could you kindly provide an extra sample to learn from, one url and one path?

Then maybe a version with more than one URL and more then one IP.

Trying to learn the XYZ formatting…

Thanks again for your time on this.

Is the domain you’re creating the rule for :orange: proxied by Cloudflare? If it doesn’t have at least one A, AAAA, or CNAME record that is proxied, it won’t work, and no Redirect Rule will work either.

In case it is proxied, I’m curious as to what result you got.

As for redirecting, you can find recipes for redirecting with a dynamic Redirect Rule here:


Yes that is correct, we have that set that way.


Please see the screen shot, not even sure how to format the rule, once I know this, we should be ok, I hope. :wink:

Thanks again…

I’m sorry I wasn’t clear. The “then Block” part should not be part of the expression, it’s only a reference to what goes later in the user interface. Remove those 2 lines and the rule should work.


So all we need is this and all should be well? in {""} 
and http.request.uri.path in {"/mypath/"}
and not ip.src in {}

And if we need more than one domain and path? in {"" ""} 
and http.request.uri.path in {"/mypath1/" "/mypath2/" "/mypath3/"}
and not ip.src in {}

Super helpful, thank you kindly, digging didn’t provide too much help, your direction did. :heart_eyes:


Yes, and yes.
You’re welcome!