[Firewall] Whitelist access to main domain but allow access to everyone in subfolder files

Hello everyone. I have a domain purchased from godaddy, and I am currently using xampp on a windows computer with port forwarding. I have configured xampp correctly, and I have managed to make it so that when i visit my domain, it shows the website which is located on my computer. I have also managed to set a setting in the firewall so that it blocks hostname, and at the bottom there is a whitelist for whitelisted ip addresses which can visit my website without access denied, and it has worked. However, what I am trying to do now is leave the whitelist on the hostname how it is, but allow access to all people for files in a specific subfolder, e.g example.com/subfolder/file.html. The issue I am running into is that when I create a “url full” firewall rule, on top of the other rule, it shows access denied, and I don’t know how to exactly configure this. Any help would be appreciated, thanks for your time.

Can you post the expressions? Redact the IPs and urls.

Hello. I apologize for the late reply. The rules are in this order and are the following:

Firewall Rule 1:
[Action: Allow] [Type: Url Full] [Condition: Equals] [Value: http://example.com/file/]
(http.request.full_uri eq "http://example.com/file/

Firewall Rule 2:
[Action: Block] [Type: Hostname] [Condition: Equals] [Value: example.com]
(http.host eq “example.com”)

From what I understand one single rule should suffice in your case

Hello sandro. When I have set the settings like yours, http://example.com is blocked, and http://example.com/file/ is allowed, however, if I try and visit a file from inside of that folder, such as http://example.com/file/test.html, it blocks. I tried setting the rule to be equal to (http.request.uri.path ne “/file/*”), since an asterisk is suppose to mean ANY file inside of that directory, but it didn’t work and instead only allowed access to http://example.com/file/ with an asterisk at the end of the domain. Is there a way in the firewall rules that I can specify all files inside of that folder? Thanks ^^

That is true for page rules not the firewall.

With a business account and regular expressions you could do this. If you are on a lower plan you can only somewhat achieve this with a “contains” workaround

(http.request.full_uri contains "http://example.com/file")

However keep in mind, someone could circumvent that check with a request to http://example.com/no-file?dummyquerystring=http://example.com/file. Unless you are on a business plan I’d probably rather opt for a server-side implementation in this case.


I have used a “does not contain” and it works just like I need it to. I am marking your post as “solved” and I am going to like it. Thank you for your time and explanation, sandro!

Sorry, “does not contain” of course. Got it the wrong way round :blush:

Still keep in mind, as mentioned before this can be circumvented by appending a random query string with the path in question (I just tested it quickly and that approach worked). So I’d still add a proper check on the server-side too.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.