How to block .htaccess in subdomains?

Hello Cloudflare Community!

I’m blocking the .htaccess file on my main site using the WAF rules; however, this is not being applied to the subdomains of my site, even though the rule is a simple ‘if the URL contains .htaccess, block it’.

How should I approach this?

May I ask you to post a screenshot or the expression of your Firewall Rule?

Below should work with the action “block” as you want it (from my understanding you want to block access to sub.yourdomain.com/.htaccess for example?):

  1. (http.request.uri contains "htaccess")
  2. (http.request.uri.path contains "htaccess")

Furthermore, your sub-domain’s A record (or CNAME) should also be proxied (orange cloud) for it to work and for Firewall Rules to apply.
After changing a Firewall Rule, please wait a minute or two for the new modifications to apply.


Yes @fritex, at first my rule was only the first one, but I also added the ‘uri.path’ one with an ‘and’ and waited 5 minutes… This didn’t work, and my A record is correctly proxied.

I still have access to my subdomain.mydomain.com/.htaccess though, only mydomain.com/.htaccess is correctly blocked.

Please note that the example from @fritex did not include the leading dot.

I had problems trying to block requests to .env because of the leading dot. I had a ticket open at one point, but have not followed up. It’s probably been a year.


Yes, thank you for the note. I tried it and got the same issue: my A record has the correct proxy and I’m using the two rules shown above, but with the dot. No luck though, @sdayman.


This worked for me. I literally created a DNS entry for subdomain.EXAMPLE.me to test:


If I may just add a note, I have checked and I am using the “dot” version:

  • (http.request.uri.path contains ".htaccess")

I confirm the “dot” version works fine for my 50+ domains (even on sub-domains).

Even in a Firewall Rule where I have some kind of combination (including .env), part of it contains:

  • or (http.request.uri.path contains ".conf") or (http.request.uri.path contains ".sql") or (http.request.uri.path contains ".bak") or (http.request.uri.path contains ".rar") or (http.request.uri.path contains ".zip") or (http.request.uri.path contains ".dll") or (http.request.uri.path contains ".cgi") or (http.request.uri.path contains ".py") or (http.request.uri.path contains ".exe") or (http.request.uri.path contains ".gz") or (http.request.uri.path contains ".tar") or (http.request.uri.path contains ".tgz") or (http.request.uri.path contains ".htaccess") or (http.request.uri.path contains ".htpasswd") or (http.request.uri.path contains ".pl") or (http.request.uri.path contains ".sh") or (http.request.uri.path contains ".lua") or (http.request.uri.path contains ".git") or (http.request.uri.path contains ".svn") or (http.request.uri.path contains ".log") or (http.request.uri.path contains "readme.html") or (http.request.uri.path contains ".install") or (http.request.uri.path contains ".rb") or (http.request.uri.path contains "readme.txt") or (http.request.uri.path contains ".asp") or (http.request.uri.path contains ".jps") or (http.request.uri.path contains ".ini") or (http.request.uri.path contains ".env")

Whereas I normally get a 404 Not Found from the origin host/server if I remove the dot and leave only “htaccess”.

@fritex @sdayman That’s strange. I have my subdomain A record with the proxy activated, pointing to the same IP as the normal domain… And I’m using both uri.path and uri with contains, so each of ‘htaccess’ and ‘.htaccess’ should be enough.

This does not work though, and I’m not sure how I should debug this.

I am sorry to hear this.

True, a bit strange.

Hm, could you share a sample of the URL, even a screenshot of your Firewall Rule with us?

May I ask, have you tried modifying your Firewall Rule to block something else? For example, if your URL contains an “abcdef” part, and testing it by visiting sub.domain.com/abcdef to see whether it’s blocked or not?

Sure @fritex, sorry for the late response:

This is the firewall rule, and as you can see in the following image, the A record for that subdomain is being correctly proxied:

Both proxied A records.

The rule works on the domain, but not on its subdomains. So example.com/.htaccess is blocked, but sub.example.com/.htaccess isn’t for some reason, even though they are on the same server.

The subdomain serves a different page than the original domain, but this shouldn’t matter. How should I debug this?

Hm, the first thing I would change is “and” to “or”. Next, I would remove either the first part or the second part (they are duplicated, including the “and” operator between them).

May I ask, have you tried rewriting your Firewall Rule to have only the same as @sdayman has on his screenshot, using only (http.request.full_uri contains ".htaccess") in his Firewall Rule?

Like a redirect to another domain, or rather serving content from another domain (CNAME; I do not see a CNAME, rather an A type in the above screenshot), or is it actually set up as it needs to be to load different content from the sub-domain? (You mean different content, as it should be.)

Thanks a lot for your help in this matter, @fritex.
I tried everything you said except the DNS thing, since I don’t think I have the ‘power’ in my company to just change an A record to a CNAME, so that needs to stay static.

Right now I have only http.request.full_uri contains "htaccess", but no luck: same behavior where my domain’s .htaccess is blocked but the subdomains’ aren’t… The subdomains have a different folder, but they are even on the same server and IP, so the A records point to the same domain.

Just to make sure: from your screenshot, the two A records that are set to grey cloud (DNS-only) are not the sub-domains for which you want this Firewall Rule to work?

No, the two A records that are set to the orange cloud (Proxied) are the ones I want this Firewall Rule to work on.


It works, but only from other devices for some reason…

The reason I was saying that it didn’t work was because, for some reason, on my PC (the one I’m checking from) I didn’t get blocked. Cache, perhaps.

Thank you guys a lot for your help on this matter.


You can try this. This rule will block access to .htaccess files on the main domain and exclude any subdomains:

(http.request.uri contains ".htaccess") and not (http.host contains "subdomain.")

This rule will specifically block access to .htaccess files on subdomains:

(http.request.uri contains ".htaccess") and (http.host contains "subdomain.")
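As an added example that is not part of the thread (and not Cloudflare's own code): a small Python evaluator for the subset of the rules language used above (the four request fields, `contains`, parentheses and `not`/`and`/`or`), run over constructed requests to show which of the thread's expressions match on the apex, on a subdomain, and on paths that merely contain "htaccess" without the leading dot. The hostnames and paths are constructed; the expressions are the ones quoted in the thread.

```python
import re

# Constructed sample requests (not from the thread): (host, URI including query string).
REQUESTS = [("example.com", "/.htaccess"), ("subdomain.example.com", "/.htaccess"),
            ("subdomain.example.com", "/docs/htaccess-howto.html"),  # no leading dot
            ("example.com", "/index.html?f=.htaccess")]              # dot only in the query

def fields(host, uri):
    # Request fields referenced in the thread; full_uri carries scheme, host, path and query.
    return {"http.host": host, "http.request.uri": uri,
            "http.request.uri.path": uri.split("?", 1)[0],
            "http.request.full_uri": f"https://{host}{uri}"}

def matches(expr, host, uri):
    """Evaluate a rule expression against one request; True means the 'block' action fires.
    Supports fields, `contains`, parentheses and not > and > or precedence, as in the rules language."""
    f = fields(host, uri)
    toks, pos = re.findall(r'\(|\)|"[^"]*"|[A-Za-z_.]+', expr), [0]   # parens, literals, words
    def peek(): return toks[pos[0]] if pos[0] < len(toks) else None
    def take(): pos[0] += 1; return toks[pos[0] - 1]
    def p_or():
        v = p_and()
        while peek() == "or": take(); rhs = p_and(); v = v or rhs
        return v
    def p_and():
        v = p_not()
        while peek() == "and": take(); rhs = p_not(); v = v and rhs
        return v
    def p_not():
        if peek() == "not": take(); return not p_not()
        if peek() == "(":
            take(); v = p_or()
            if take() != ")": raise ValueError("missing ')'")
            return v
        field, op, lit = take(), take(), take()   # e.g. http.request.uri.path contains ".htaccess"
        if op != "contains" or field not in f or not lit.startswith('"'):
            raise ValueError(f"unsupported clause: {field} {op} {lit}")
        return lit[1:-1] in f[field]
    v = p_or()
    if peek() is not None: raise ValueError(f"trailing tokens: {toks[pos[0]:]}")
    return v

# Expressions quoted in the thread; the last is the 'main domain only' variant from the final post.
RULES = {"no_dot":    '(http.request.uri contains "htaccess")',
         "dot_path":  '(http.request.uri.path contains ".htaccess")',
         "full_uri":  '(http.request.full_uri contains ".htaccess")',
         "apex_only": '(http.request.uri contains ".htaccess") and not (http.host contains "subdomain.")'}

def blocked(rule_name):
    # Constructed requests (host + URI) that the named rule would block.
    return [h + u for h, u in REQUESTS if matches(RULES[rule_name], h, u)]
```

Note that `dot_path` fires for the subdomain request as well, since nothing in that expression references the host; the `no_dot` form also catches a documentation page and a query-string hit that the dotted form leaves alone.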