[Firewall] Whitelist access to main domain but allow access to everyone in subfolder files

Hello everyone. I have a domain purchased from GoDaddy, and I am currently using XAMPP on a Windows computer with port forwarding. I have configured XAMPP correctly, and I have managed to make it so that when I visit my domain, it shows the website which is located on my computer. I have also managed to set a setting in the firewall so that it blocks hostname, and at the bottom there is a whitelist for whitelisted IP addresses which can visit my website without access denied, and it has worked. However, what I am trying to do now is leave the whitelist on the hostname how it is, but allow access to all people for files in a specific subfolder, e.g. example.com/subfolder/file.html. The issue I am running into is that when I create a “url full” firewall rule, on top of the other rule, it shows access denied, and I don’t know how to exactly configure this. Any help would be appreciated, thanks for your time.

Can you post the expressions? Redact the IPs and URLs.

Hello. I apologize for the late reply. The rules are in this order and are the following:

Firewall Rule 1:
[Action: Allow] [Type: Url Full] [Condition: Equals] [Value: http://example.com/file/]
(http.request.full_uri eq "http://example.com/file/")

Firewall Rule 2:
[Action: Block] [Type: Hostname] [Condition: Equals] [Value: example.com]
(http.host eq "example.com")

From what I understand one single rule should suffice in your case

Hello sandro. When I have set the settings like yours, http://example.com is blocked, and http://example.com/file/ is allowed, however, if I try and visit a file from inside of that folder, such as http://example.com/file/test.html, it blocks. I tried setting the rule to be equal to (http.request.uri.path ne "/file/*"), since an asterisk is supposed to mean ANY file inside of that directory, but it didn’t work and instead only allowed access to http://example.com/file/ with an asterisk at the end of the domain. Is there a way in the firewall rules that I can specify all files inside of that folder? Thanks ^^

That is true for page rules not the firewall.

With a business account and regular expressions you could do this. If you are on a lower plan you can only somewhat achieve this with a “contains” workaround

(http.request.full_uri contains "http://example.com/file")

However keep in mind, someone could circumvent that check with a request to http://example.com/no-file?dummyquerystring=http://example.com/file. Unless you are on a business plan I’d probably rather opt for a server-side implementation in this case.

2 Likes

I have used a “does not contain” and it works just like I need it to. I am marking your post as “solved” and I am going to like it. Thank you for your time and explanation, sandro!

Sorry, “does not contain” of course. Got it the wrong way round :blush:

Still keep in mind, as mentioned before this can be circumvented by appending a random query string with the path in question (I just tested it quickly and that approach worked). So I’d still add a proper check on the server-side too.

2 Likes
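
The difference between the “does not contain” rule and a server-side check on the request path, as an added example that is not part of the original posts. It is a Python model, not Cloudflare or XAMPP code; the IP addresses, `PUBLIC_DIR` and the function names are constructed for illustration, and a real check would live in the web server or application.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed sample values; the thread redacts the real host and IPs.
HOST = "example.com"
PUBLIC_DIR = "/file/"                          # public subfolder
WHITELIST = [ip_network("203.0.113.10/32")]    # documentation range


def whitelisted(client_ip: str) -> bool:
    addr = ip_address(client_ip)
    return any(addr in net for net in WHITELIST)


def edge_rule_blocks(full_uri: str, client_ip: str) -> bool:
    """Model of the 'does not contain' block rule from the thread.

    The substring test runs over the whole URI, query string included.
    """
    parts = urlsplit(full_uri)
    return (parts.hostname == HOST
            and "http://example.com/file" not in full_uri
            and not whitelisted(client_ip))


def server_allows(full_uri: str, client_ip: str) -> bool:
    """Server-side decision based on the parsed path only.

    The query string is never consulted, and the trailing slash in
    PUBLIC_DIR keeps sibling names such as /file-private/ out.
    """
    path = urlsplit(full_uri).path
    if path.startswith(PUBLIC_DIR):
        return True
    return whitelisted(client_ip)


if __name__ == "__main__":
    visitor = "198.51.100.7"   # constructed, not whitelisted
    for uri in ("http://example.com/",
                "http://example.com/file/test.html",
                # URL quoted in the thread as slipping past the rule
                "http://example.com/no-file?dummyquerystring=http://example.com/file"):
        print(uri, "| edge blocks:", edge_rule_blocks(uri, visitor),
              "| server allows:", server_allows(uri, visitor))
```

The model takes the path as it appears in the URL; a real server-side check should test the path the server has already resolved.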
