Captcha check after disabling security for direct url

What is the name of the domain?

domain.com

What is the error number?

N/A

What is the error message?

N/A

What is the issue you’re encountering

Getting a captcha check for website address “https://domain/known/apple-app-site-association” even though we have defined a WAF rule to skip and a general rule to “security essentially turned off”. We do Geo block; my understanding is those two rules should negate this.

What steps have you taken to resolve the issue?

Generated a WAF rule and placed as first to skip request to full url
Generated a general rule to disable security, cloudflare 3rd party tools and other items to full URL

What is the current SSL/TLS setting?

Full

What are the steps to reproduce the issue?

Attempting to access direct path from blocked Geo locations causes a captcha.

Could you share a screenshot of the list of your WAF rules and each of them? :thinking:

Furthermore, what’s your default Security Level set to under the Security → Settings tab of Cloudflare dashboard for your zone?

I’d suggest you double-check the Security → Events at Cloudflare dashboard under your Cloudflare account for your zone, or via direct link https://dash.cloudflare.com/?to=/:account/:zone/security/events.

You should be able to see the challenged or blocked event under the Security tab → Events at Cloudflare dashboard for your zone and know exactly which security option was triggered.

Once you find them, click on a particular one to find more details about it (user-agent, IP, HTTP version …). If so, could you share some details on which service was triggered that blocked you?

I looked through the security events and it is saying that the tests are being blocked by the custom GEO Location rule even though it is last on the list and exclusions provided for URL Full.

Sorry for the multiple replies, apparently I am too new to post more than one image at a time.

At first sight, in your rule from the above screenshot you use contains while using a wildcard (apex) * star symbol. Change it to wildcard instead of contains if you plan to continue with the * symbol in the input field.

In your 2nd rule, change URI Full to URI Path and make sure it’s apple-app-site-association in the input field, so it’ll match both HTTP and HTTPS and www and non-www, and at the end someone could add an ending slash / like apple-app-site-association/ and not be blocked. Some browsers add the ending slash /, in others you don’t see it. Wonder how it’s handled on the origin web host :thinking:

I have made those changes and am working on testing. Would it be better to add the path for the second firewall rule instead of “apple-app-site-association”?

and just wildcard the directory?

For example

domain.com/directory/apple-app-site-association

would be

URI PATH does not equal /directory/*

I tried creating a worker and that also failed.
Created worker to destination and then created a route to the worker.

Should use Wildcard if you’re using apex * symbol then.

Are you expecting more things under /directory/ or it’s just a single one?

It is a single item in this directory we want to skip the WAF rule. I have been watching and the Custom Skip rule is working but it still goes to Custom Rule 2 which is the GEO block even though we have “Skip all custom rules” checked.
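The ordering the thread keeps coming back to (skip rule first, geo block second, with the skip covering both the bare path and the trailing-slash variant mentioned earlier) can be written out as a custom-rules ruleset body. This is an added example, not configuration from the original posts or from Cloudflare's own documentation: it assumes the shape of the Cloudflare Rulesets API entrypoint for the `http_request_firewall_custom` phase, uses the thread's `/directory/apple-app-site-association` path, and uses placeholder country codes `XX` and `YY` in place of whatever the poster actually geo-blocks. The skip action's `ruleset: "current"` parameter is what "Skip all custom rules" maps to; the separate `products` list is what exempts the path from the zone Security Level challenge that produced the captcha in the first place.

```json
{
  "rules": [
    {
      "description": "Allow the AASA file through from any country (added example, not the poster's rule)",
      "expression": "(http.request.uri.path in {\"/directory/apple-app-site-association\" \"/directory/apple-app-site-association/\"})",
      "action": "skip",
      "action_parameters": {
        "ruleset": "current",
        "products": ["securityLevel"]
      },
      "enabled": true
    },
    {
      "description": "Geo block (placeholder countries XX and YY; the poster's real list is not on the page)",
      "expression": "(ip.src.country in {\"XX\" \"YY\"})",
      "action": "block",
      "enabled": true
    }
  ]
}
```

Two things worth checking against the Security → Events entry for a blocked request: the `expression` uses `http.request.uri.path`, so scheme, host and query string play no part in the match (the reason URI Full failed to line up with what the browser actually sent), and the match is exact per listed path, so a request whose path differs in case or carries an extra segment will fall through to the geo block and show up as "Custom Rule 2" in the events log.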
