Cloudflare Challenges help

What is the name of the domain?

nekonya.classydev.fr

What is the issue you’re encountering

I currently have added a custom WAF rule to add a Challenge on nekonya, but the issue is that the challenge spreads to the api and static image serving (/api and /images).

What steps have you taken to resolve the issue?

I did not resolve this issue, and that’s why I’m asking here for help.

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full (strict)

What are the steps to reproduce the issue?

  1. Create a DNS entry (nekonya.yourdomain.com)
  2. Go to Security → WAF → Custom Rules
  3. Create a new rule:
     • Hostname equals nekonya.classydev.fr
     • URI Path does not start with /api
     • URI Path does not start with /images
     • Request Method equals GET
     • Action: Managed Challenge
     • Priority: First
  4. Go to nekonya.classydev.fr/api or /images and you’ll get a challenge, making the API unusable by anybody (and my status page).

I do not know anything I could do to fix this; I haven’t tried anything other than my current setup. Having the conditions “does not start with /api” and /images should do the job, but it does not.

Do you use “AND”, or “OR” between those?

Can you screenshot the rule, and/or post the content in the “Expression Preview”?

Ah yes, my fault, I forgot to share this.
I think the expression preview would be more useful for you:

(http.host eq "nekonya.classydev.fr" and not starts_with(http.request.uri.path, "/api/") and not starts_with(http.request.uri.path, "/static/") and http.request.method eq "GET")

They are all under AND.

(My phone added slashes at the end, there are no slashes at the end of /api and /static in my WAF rule.)

It seems to work as expected from my end, considering the expression?

  1. https://nekonya.classydev.fr/api/test
  2. https://nekonya.classydev.fr/api
  3. https://nekonya.classydev.fr/static/test
  4. https://nekonya.classydev.fr/static

None of those four are giving me any challenges.

But when trying URLs such as e.g.:

  1. https://nekonya.classydev.fr
  2. https://nekonya.classydev.fr/test

Those two are:

[Screenshot: challenge on the subdomain without a URI path]

[Screenshot: challenge on the subdomain with the URI path /test]

That said, one thing I do notice:

Could the issue be that you’ve excluded “/static” (according to the expression), but been under the impression that you had also excluded “/images” (which you haven’t, according to the expression)?

“/images” isn’t excluded according to the expression, and that’s consistent with what I see from my end.

Yep, seems to have been just a dumb issue of a slash at the end I must’ve added sometime, and the fact that I didn’t add /images in the list. Thanks for your time!
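
The prefix matching discussed in this thread, as an added example that is not part of any post above: a plain Python model of the `not starts_with(...)` exclusions (not Cloudflare's engine), run over the thread's URLs plus two constructed ones. It compares the expression as posted, the same rule with `/api` and `/images` and no trailing slash, and an assumed stricter form that excludes only the path itself or anything under it, since a bare `/api` prefix also exempts `/apiary` from the challenge.

```python
from urllib.parse import urlsplit

HOST = "nekonya.classydev.fr"  # hostname from the thread

def _path(url):
    # An empty URL path is matched as "/".
    return urlsplit(url).path or "/"

def prefix_rule(prefixes):
    """host eq HOST and not starts_with(path, p) for every p and method eq GET."""
    def challenged(url, method="GET"):
        excluded = any(_path(url).startswith(p) for p in prefixes)
        return urlsplit(url).hostname == HOST and not excluded and method == "GET"
    return challenged

def segment_rule(roots):
    """Assumed stricter form: exclude only root itself or paths under root + "/"."""
    def challenged(url, method="GET"):
        p = _path(url)
        excluded = any(p == r or p.startswith(r + "/") for r in roots)
        return urlsplit(url).hostname == HOST and not excluded and method == "GET"
    return challenged

def challenged_paths(rule, urls):
    # Paths that would receive the Managed Challenge under this rule.
    return [_path(u) for u in urls if rule(u)]

BASE = "https://" + HOST
URLS = [BASE + p for p in (
    "", "/test", "/api", "/api/test", "/images",
    "/images/cat.png",  # constructed sample path
    "/apiary",          # constructed sample path
)]

as_posted = prefix_rule(["/api/", "/static/"])   # expression preview in the thread
no_slash = prefix_rule(["/api", "/images"])      # rule as described in the steps
by_segment = segment_rule(["/api", "/images"])   # hypothetical tighter exclusion

if __name__ == "__main__":
    for name, rule in [("as_posted", as_posted), ("no_slash", no_slash),
                       ("by_segment", by_segment)]:
        print(f"{name:10} challenges {challenged_paths(rule, URLS)}")
```

In Cloudflare's expression syntax the tighter exclusion corresponds to `not (http.request.uri.path eq "/api" or starts_with(http.request.uri.path, "/api/"))`, repeated for `/images`.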
