Firewall Rules question

Hello
I have rules as below. As I check it works, but in server logs I still have queries that have been bypassed. What’s the problem?

’ (http.request.uri.query contains “swp_debug”) or (http.request.uri.query contains “q=user”) or (http.request.uri.query contains “element_parents=account”) or (http.request.uri.query contains “ini_set”) or (http.request.uri.query contains “base64_decode”) or (http.request.uri.query contains “file_put_contents”) or (http.user_agent contains “www.google.com.hk”)’

Server log:

For starters, the Google check should not target http.user_agent but http.referer instead.

Then, your http.request.uri.query rules should probably catch three requests you posted as an example, however depending on your setup http.request.uri.query contains "php" might be even easier. Again, depending on your setup.

Third, are you absolutely sure you can rule whoever sends these requests does not bypass Cloudflare and connects directly to your server?

Currently, I have a rule in htaccess

RewriteCond% {HTTP: CF-RAY} ^ $
RewriteRule ^ - [F, L]

As I check the website directly via ip I do not have access.
I do not know if this is enough to protect against direct access to the site.

This topic was automatically closed after 30 days. New replies are no longer allowed.