I’m trying to exclude specific URL from WAF. For the moment without success.
In Page Rules I have this:
*domain.com/output/*
Disable Security, Browser Integrity Check: Off, Web Application Firewall: Off, Security Level: Essentially Off
In WAF rules this:
(http.request.full_uri contains "*domain.com/output/ext/stores?api_token=*" and http.request.full_uri contains "*domain.com/stores_xml*" and http.request.uri.path contains "/output/*" and http.request.uri.query contains "stores_xml?api_token=" and http.request.uri.query contains "api_token=*" and http.request.uri contains "/stores_xml?api_token=*" and http.request.uri contains "/output/ext/stores?api_token=*")
The URL’s I want to exclude are (xxxxx is different for every customer):
*domain.com/output/ext/stores?api_token=xxxxxx*
*domain.com/stores_xml?api_token=xxxxx*
I have to mention that I have a rule which allows only some countries, for others Managed challenge is selected.
The idea in general is bypass Cloudflare for such url’s