Cloudflare worker seems to be bypassing my Firewall rule?

I have set up a Cloudflare worker at which acts as a reverse proxy so I can serve my Ghost blog at, instead of

I have this working, and the site is accessible at

So as the next step, I wanted to use a Cloudflare Firewall rule to make access to impossible to anyone except me (to access the CMS) and Cloudflare workers.

As a first step I added a firewall blocking rule like this:

http.request.full_uri contains ""

So if I go to, it’s blocked! Great.

But if I go to, this is not blocked. I was expecting this to be blocked as well, and thought I’d have to add a rule like this to make it work with Cloudflare workers:

(http.request.full_uri contains "" and not ip.src in $cloudflare_list)

where cloudflare_list is a list of IPs that Cloudflare workers would use.

It sounds like the Cloudflare workers are bypassing the rule somehow? According to what I read on other discussion threads (sorry it’s not allowing me to link them) firewall rules are evaluated before a request hits the workers. So going by that, the site should be blocked.

Or have I misunderstood anything?

Thanks so much in advance for any help! :slight_smile:

This firewall rule is matching which is different from You could add "` to your firewall rule to block those requests as well.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.