Cloudflare worker seems to be bypassing my Firewall rule?

I have set up a Cloudflare worker at blog.domain.com which acts as a reverse proxy so I can serve my Ghost blog at domain.com/blog, instead of blog.domain.com.

I have this working, and the site is accessible at domain.com/blog.

So as the next step, I wanted to use a Cloudflare Firewall rule to make access to blog.domain.com impossible for anyone except me (to access the CMS) and Cloudflare workers.

As a first step I added a firewall blocking rule like this:

http.request.full_uri contains "blog.domain.com"

So if I go to blog.domain.com, it’s blocked! Great.

But if I go to domain.com/blog, this is not blocked. I was expecting this to be blocked as well, and thought I’d have to add a rule like this to make it work with Cloudflare workers:

(http.request.full_uri contains "blog.domain.com" and not ip.src in $cloudflare_list)

where cloudflare_list is a list of IPs that Cloudflare workers would use.

It sounds like the Cloudflare workers are bypassing the rule somehow? According to what I read on other discussion threads (sorry it’s not allowing me to link them) firewall rules are evaluated before a request hits the workers. So going by that, the site should be blocked.

Or have I misunderstood anything?

Thanks so much in advance for any help! 🙂

This firewall rule is matching blog.domain.com which is different from domain.com/blog. You could add "domain.com/blog" to your firewall rule to block those requests as well.
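
A simplified model of the two expressions from the question, added here as an example (not part of the thread and not Cloudflare's rule engine): it evaluates them against constructed visitor requests to show which ones match. The allow-list ranges, the request IPs and the `/ghost/` admin URL are assumed sample values.

```javascript
// Simplified model of the two expressions quoted in the thread. It only
// mirrors "contains" and "ip.src in $list"; it is not Cloudflare's engine.

// Constructed stand-in for $cloudflare_list (documentation address ranges).
const allowList = ["192.0.2.10/32", "198.51.100.0/24"];

// Convert a dotted IPv4 address to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

// True when ip falls inside the CIDR block.
function inCidr(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const mask = bits === "0" ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(base) & mask) >>> 0);
}

// Rule 1: http.request.full_uri contains "blog.domain.com"
const rule1 = (req) => req.fullUri.includes("blog.domain.com");

// Rule 2: rule 1 and not ip.src in $cloudflare_list
const rule2 = (req) =>
  rule1(req) && !allowList.some((cidr) => inCidr(req.ipSrc, cidr));

// Constructed requests, as they arrive from visitors.
const requests = {
  visitorSubdomain: { fullUri: "https://blog.domain.com/", ipSrc: "203.0.113.7" },
  visitorPath: { fullUri: "https://domain.com/blog/", ipSrc: "203.0.113.7" },
  adminSubdomain: { fullUri: "https://blog.domain.com/ghost/", ipSrc: "192.0.2.10" },
};

// Apply a rule to every sample request and report the action taken.
function evaluate(rule) {
  return Object.fromEntries(
    Object.entries(requests).map(([name, req]) => [name, rule(req) ? "block" : "pass"])
  );
}

console.log("rule 1:", evaluate(rule1));
console.log("rule 2:", evaluate(rule2));
```

The request for domain.com/blog passes under both rules because its full URI never contains the string "blog.domain.com"; only the hostname-based requests are affected by the allow list.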
