Hi,
I’m using a development website where I want all security and firewall turned off.
Page rule: https://dev.mydomain.com/ * Disabled Security, Web Application Firewall OFF, Cache-level Bypass
Configuration rule: if hostname contains dev.mydomain.com Security Level: Essentially Off.
But I’m still blocked for example when I try to upload a file:
Adobe ColdFusion - Dangerous File Upload - CVE:CVE-2019-7816
Why is that? How can I make it so that WAF is completely turned off for the dev site? It’s password protected anyway.
Thanks
Chaika
March 2, 2023, 1:49am
2
Weird that the page rule wouldn’t do it, but you can add an exception in the WAF itself as well.https://dash.cloudflare.com/?to=/:account/:zone/security/waf/managed-rules )
Once you create it, make sure to drag it above the other rulesets.
You can also just bypass that single Rule:
Though you cannot bypass the whole new WAF, you can create an exception.
[image]
You can combine your IP(s) with the relevant path for plugin update:
[image]
You then select Skip specific rules from a Managed Ruleset, and pick Cloudflare Managed Ruleset. Last, you search for the rule titled “Adobe Coldfusion Dangerous File Upload…”
[image]
EDIT: After you save your WAF Exception, you need to move it up so that it triggers before the Managed Rulesets.
[image]
It worked for me, I hope…
1 Like
