Hello,
I’m trying to :
i) challenge ALL countries except UK & Germany.
ii) only two URL involves “domain.com” and “domain.com/subfolder”
Did this configuration correct? Appreciate if anyone could help. Many thanks.
You will need to configure this manually, as the UI does not allow to configure the correct expression or you simply use this expression
(not ip.geoip.country in {"GB" "DE"} and http.request.uri.path in {"/" "/subfolder/"})
Though, this will only challenge requests to these particular URLs. Requests to /image.jpg and /subfolder/image.jpg will still pass unchallenged.
2 Likes
As @sandro stated, it would not prevent access to resources within paths. For that, use a URI Full contains rule that includes the paths you want, e.g. URI Full contains /img/image to protect all images, or use /css/example.min.css to protect a specific css resource.
1 Like
@sandro thanks a lot. Your code given was exactly what i wanted. 
@intr0 Thanks as well. I would need this too when the time is necessary.
1 Like
Sorry i have another question.
If i add these URLs into Rate Limit rule, then Firewall Rules above won’t take effect since Rate Limit policy has taking over the priority.
Am i correct?
You know, that’s a good question. I know, e.g. Zone Lockdown takes precedence, but as for Rate Limiting, I’m unsure. TBH, from personal experience, CloudFlare seems to be fairly intuitive regarding all Firewall rules - basic Manual Rules (which, AFIK, take precedence over everything else); WAF (which is a wonderful “last line of defense” within your defense in depth setup; IP/ASN restrictions; and UA restrictions. Your best bet, without a more knowledgeable CloudFlare user stating for sure that Rate Limiting takes precedence over manual FireWall rules, is to initially use Simulate rules and then evaluate your FireWall logs in the Dash.
Hi @Dainiel,
If you look at this diagram:
Order and priority · Cloudflare Firewall Rules (deprecated) docs
It shows how the different stages of the firewall fit together in order. You can see that firewall rules come before rate limiting.
1 Like
@intr0 thanks again for the advise. It was really nice information.
Hello @domjh thanks for the diagram info. I am now wondering why it does not accurately working on my setup. What i am experiencing previously (several times happened this week during attack, including today). The Rate Limit took over the requests while the Firewall Rule is relax - no requests at all. Now after new configuration above in place, i turned off Rate Limit and waiting for the next attack session.
Anyway, i need another help. I just subscribed into monitoring service and i need to allow them bypassing the current Challenge on the other rule. It seems there are plenty of IP, could be more than 100 :
-
I need to do quick, just putting about 5 most important IPs. I tried these both rules but it seems not working.
-
Later i will need to insert all the IPs via Cloudflare API Cloudflare API v4 Documentation . Unfortunately i do not have any programming skill. Any guidance to do that?
Are you saying a request coming from an address which should get blocked by the firewall rule does not, but then hits the rate limit? That would suggest the firewall rule is not properly configured.
Can you post the list of addresses? Your first firewall rule looks okay. Make sure it comes first in your firewall rule list.
OMG 
i didn’t know the drag function on the left is part of the function. Now the service working after putting it on top of all rules. Thanks so much for such valuable info.
Yea you are definitely right. I guess it’s not working earlier due to priority misconfigured that i didn’t notice such above.
Anyway the Firewall Rules looks good now. An attack came in and just ended, bigger several hours before. Firewall Rules took the bots first before Rate Limit. The process flow does exactly as @domjh diagram. But now i realized few things :-
- Botnets nowadays can bypass CF Challenge set on Firewall Rule. Eventually Rate Limit took down the bot.
As you can see, both FR and RL has the same path rule. Please note all botnets that already bypass the FR is not from UK & Germany.
- How many number of requests fills in the RL is useless since my Business Plan has privilege as lowest as 10 sec. While the attack get through in our nginx more than 100 request between 10 sec. Cloudflare RL take action only on the every 10th seconds, instead of triggering first on how many requests in configuration. Our nginx has already crippled if 30 IPs sent 100 error response code each in a second. What do you think? Do i need Enterprise plan or was there any work around?
Blocking ASN would be hard whenever bots coming large from everywhere as the attackers could simple change it every attack session. I had put several User Agent rule but it seems he never use it again after getting blocked once. My further step is trying to block ASN coming from cloud service but i don’t have any data about it.
Just an update:
I would like to correct my first assumption about this. As i noticed on the summary stats, it’s showing that the request showing here is lower than the total requests of particular attack event. It seems actually only about 25% requests Challenged by FR, while 75% went straight to RL.
Obviously i did not sure whether i have still misconfigured or this is how Cloudflare works.
Anyone please? I really need clarification.
RL? Are you saying you actually had 170k requests?
I mean all 170k requests are bots. Which about 30% of it went to FR and got challenged , while 70% went straight to RL got blocked. You can take a look again on the attachment previously.
What do you think? I am wondering why 70% went straight to RL? Or possibly out there someone has released something that could bypass the Challenge page on FR as legitimate user (therefore no record on CloudFlare FR statistic)?
Oh you mean Firewall Rule and Rate Limiting.
If they skipped the firewall rule, they either did not match its configuration or had passed the challenge before and now only run into rate limiting. I’d try to verify the first point and check if they actually matched the firewal rule configuration.
As provided information above, the configuration of URL path is exactly same between Firewall Rules (FR) and Rate Limit (RL). Only different are additional information on RL such response code, Method and few others.
Firewall Rules set - Same path, Challenge
Rate Limit set - Same Path, Block
Again as i’m curious, why only 30% from 170k bots goes to FR? Diagram above shown FR filter first before RL.
If there is nothing else that would whitelist them, it would suggest they send the request with a cookie which already passed the challenge and hence doesnt run into the firewall rule any longer.
Oh really that could be possible? I 've been thinking of this possibility but i didn’t know this method has already been programmed by someone. If you could convince me again that is actually part of nowadays attack then i do understand why some filtering still needed “BLOCK” in place.
Of course it is a possibility, if it actually applies to this case is a different story.
I am curious how it could be possible.I thought every successful Captcha session passes its own cookie hash. How can the bots use the same cookie on each request?