I’m blocking the .htaccess file from my main site using the WAF rules, however, this is not being applied to the subdomains of my site, even though the rule is a simple ‘if the url contains .htaccess, block it’.
May I ask you to post a screenshot or the expression of your Firewall Rule?
Below should work with the action “block” as you want it (from my understanding you want to block access to sub.yourdomain.com/.htaccess for example?):
(http.request.uri contains "htaccess")
(http.request.uri.path contains "htaccess")
Furthermore, your sub-domain(s) A record (or a CNAME) should also be proxied cloud to make it work and Firewall Rules to apply.
Due to Firewall Rule changes, please wait for a minute or two to apply the new modifications.
Yes @fritex, at first my rule was only the first one, yet I also added the ‘uri.path’ one as an ‘and’ and waited 5 minutes… This didn’t work, and my A record is correctly proxied.
Please note that the example from @fritex did not include the leading dot.
I had problems trying to block requests to .env because of the leading dot. I had a ticket open at one point, but have not followed up. It’s probably been a year.
Yes, thank you for the note, though I tried it and, same issue, my A record has the correct proxy and, I’m going with the two above rules shown but with the dot. No luck though @sdayman…
If I may just add a note, I have checked and I am using the “dot” version:
(http.request.uri.path contains ".htaccess")
I confirm the “dot” works fine for my 50+ domains (even on sub-domain).
Even in a Firewall Rule where I have some kind of a combination like (including .env), the part of it contains:
or (http.request.uri.path contains ".conf") or (http.request.uri.path contains ".sql") or (http.request.uri.path contains ".bak") or (http.request.uri.path contains ".rar") or (http.request.uri.path contains ".zip") or (http.request.uri.path contains ".dll") or (http.request.uri.path contains ".cgi") or (http.request.uri.path contains ".py") or (http.request.uri.path contains ".exe") or (http.request.uri.path contains ".gz") or (http.request.uri.path contains ".tar") or (http.request.uri.path contains ".tgz") or (http.request.uri.path contains ".htaccess") or (http.request.uri.path contains ".htpasswd") or (http.request.uri.path contains ".pl") or (http.request.uri.path contains ".sh") or (http.request.uri.path contains ".lua") or (http.request.uri.path contains ".git") or (http.request.uri.path contains ".svn") or (http.request.uri.path contains ".log") or (http.request.uri.path contains "readme.html") or (http.request.uri.path contains ".install") or (http.request.uri.path contains ".rb") or (http.request.uri.path contains "readme.txt") or (http.request.uri.path contains ".asp") or (http.request.uri.path contains ".jps") or (http.request.uri.path contains ".ini") or (http.request.uri.path contains ".env")
Whereas I normally get a 404 Not Found from the origin host / server if I remove the dot and leave only “htaccess”.
@fritex @sdayman That’s strange, I have my subdomain A record with the proxy activated, pointing to the same IP as the normal domain… And I’m using both uri.path and uri with contains, so ‘htaccess’ and ‘.htaccess’ should each be enough.
This does not work though, and I’m not sure how I should debug this.
Hm, could you share a sample of the URL, even a screenshot of your Firewall Rule with us?
May I ask whether you have tried modifying your Firewall Rule to block something else? For example, if your URL contains an “abcdef” part, testing it by visiting sub.domain.com/abcdef to see if it’s blocked or not?
The rule works on the domain, but not in their subdomains. So example.com/.htaccess is blocked, but sub.example.com/.htaccess won’t for some reason, even though they are in the same server.
The subdomain serves a different page than the original domain, but this shouldn’t matter. How should I debug this?
Hm, the first thing I would change is ‘and’ to ‘or’. Next, I would remove either the first part or the second part (they are duplicated, including the ‘and’ operator between them).
May I ask whether you have tried rewriting your Firewall Rule to only have the same as @sdayman has got on his screenshot, using only (http.request.full_uri contains ".htaccess") in the Firewall Rule?
Is it something like a redirect to another domain, or rather serving content from another domain (a CNAME; I do not see a CNAME, rather an A type in the above screenshot), or is it actually set up as it needs to be, to load different content from the sub-domain? (You mean different content, as it should be.)
Thanks a lot for your help in this matter @fritex…
I tried all you said except the DNS thing since I don’t think I have the ‘power’ in my company to just change an A record to a CNAME, so that needs to be static.
Right now I have only (http.request.full_uri contains "htaccess") but, no luck, same behavior where my domain’s .htaccess is blocked but the subdomains’ aren’t… The subdomains have a different folder, but they are even on the same server and IP, so the A records point to the same place.
Just to make sure, from your screenshot the two A records which are set to DNS-only are not the sub-domains for which you want this Firewall Rule to work?
You can try this. This rule will block access to .htaccess files on the main domain and
(http.request.uri contains ".htaccess") and not (http.host contains "subdomain.")
exclude any subdomains.
(http.request.uri contains ".htaccess") and (http.host contains "subdomain.")
This rule will specifically block access to .htaccess files on subdomains.
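To make the field differences in this thread concrete (uri vs. uri.path vs. full_uri vs. host), here is a small added simulator, not part of the thread and not Cloudflare’s rule engine. It derives the four fields from a URL the way the Cloudflare docs describe them (http.request.uri.path is the path only, http.request.uri is path plus query string, http.request.full_uri includes scheme and host, http.host is the hostname) and evaluates the sensitive-file list from the long rule above plus the two host-scoped rules from the last post. The "subdomain." value and the example hostnames are placeholders; the list of suffixes is a subset of the one posted above.

```python
from urllib.parse import urlsplit

# Subset of the "contains" list posted above; all are substring matches, not suffix matches.
SENSITIVE_PARTS = (".htaccess", ".htpasswd", ".env", ".git", ".svn", ".log", ".bak", ".sql")


def request_fields(url: str) -> dict:
    """Approximate the Cloudflare request fields for a URL (assumption: docs semantics)."""
    p = urlsplit(url)
    path = p.path or "/"
    uri = path + ("?" + p.query if p.query else "")
    return {
        "http.host": p.hostname or "",
        "http.request.uri.path": path,   # path only, no query string
        "http.request.uri": uri,         # path + query string
        "http.request.full_uri": url,    # scheme + host + path + query
    }


def sensitive_path(fields: dict) -> bool:
    """(http.request.uri.path contains ".htaccess") or (... contains ".env") or ..."""
    return any(part in fields["http.request.uri.path"] for part in SENSITIVE_PARTS)


def block_main_only(fields: dict, sub: str = "subdomain.") -> bool:
    """(http.request.uri contains ".htaccess") and not (http.host contains "subdomain.")"""
    return ".htaccess" in fields["http.request.uri"] and sub not in fields["http.host"]


def block_sub_only(fields: dict, sub: str = "subdomain.") -> bool:
    """(http.request.uri contains ".htaccess") and (http.host contains "subdomain.")"""
    return ".htaccess" in fields["http.request.uri"] and sub in fields["http.host"]


def evaluate(url: str) -> dict:
    """Return which of the three rule shapes would fire for a request to this URL."""
    f = request_fields(url)
    return {
        "sensitive_path": sensitive_path(f),
        "main_only": block_main_only(f),
        "sub_only": block_sub_only(f),
    }


if __name__ == "__main__":
    # Constructed sample requests (placeholder hostnames).
    for u in (
        "https://example.com/.htaccess",
        "https://subdomain.example.com/.htaccess",
        "https://example.com/index.php?file=.htaccess",   # only in the query string
        "https://example.com/downloads/.env.example",      # substring hit on ".env"
        "https://example.com/wp-content/themes/x/style.css",
    ):
        print(u, evaluate(u))
```

The third sample shows why the two "contains" fields are not interchangeable: a ".htaccess" that appears only in the query string trips http.request.uri but not http.request.uri.path. The fourth shows that "contains" is a substring test, so ".env.example" is blocked along with ".env"; that is usually the intent for these files, but it is worth knowing before adding short fragments like ".py" or ".sh" to the list.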