Does Cloudflare Access bypass WAF?

I have some WAF rules that are set up to Allow access from certain home office IP addresses to the admin section of a website. Unfortunately those home IP addresses keep changing. I started looking at Cloudflare Access as a potential solution as setting up a VPN seems much harder. Is my assumption correct that if I put the web admin behind Cloudflare Access and have people authenticate it will also bypass the WAF rules? Or do I have to set up an additional WAF rule that excludes anyone coming in through Cloudflare Access?

No. WAF comes before Access.

You shouldn’t need another rule. Instead of allowing IPs to your admin section, which in essence is what Access does, you can edit or remove rules set explicitly to protect the backend. Once it’s protected by Access, they are no longer needed.

For instance, in a WordPress website, I have a rule that blocks any request to a PHP file, with a few exceptions:

URI Path contains ".php"
URI Path does not equal "/wp-login.php"
URI Path does not start with "/wp-admin"

This not only makes it unnecessary for me to maintain a Skip rule with my IP address, but also reduces clutter in the Security Events log, as requests blocked by Access are not logged there.

Thanks @cbrandt
Ok so following down that path - assuming that Access is protecting the admin section I’ve set up a WAF custom rule that skips WAF for

URI contains /admin
URI contains /security

I’ve turned on logging and am still getting hits but those are mostly because people are trying to access /administrator/index.php which is matched by the URI but doesn’t go anywhere.
So far so good - thanks for the clarification.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.