May I ask if you could share a screenshot of the WAF Custom Rule that you’ve created and tried?
Here is an example that blocks requests by terms used in the URI path:
(http.request.uri.path contains "tmp") or (http.request.uri.path contains "config") or (http.request.uri.path contains "echo") or (http.request.uri.path contains "md5") or (http.request.uri.path contains "pearcmd")
Make sure to set up the WAF rules and that the DNS records for your domain are proxied, so the WAF rule applies and works as expected.
You can even combine it with adding ?%00 or eval or %3Cscript or (0x or shell or DROP, and even block HTTP/1.0 requests, user agents such as python, etc.
For the URI Path field use "contains", join the conditions with the OR operator to catch them all, and do not forget to select the action “block” at the end, then save and make sure the rule is active and enabled.
These are the rules I have configured, but those messages still appear in my nginx log:
(http.request.uri.path contains "…/") or (http.request.uri.path contains "/etc/") or (http.request.uri.path contains "/usr/") or (http.request.uri.path contains "/tmp/")
Yes, I have tested it, and it works for me. For example, if I go to www.example.com/md5/, a Cloudflare message appears saying that I have been blocked. But then, every day, I see those messages in the nginx log, and it seems that someone is bypassing the rule.
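
A way to triage the nginx entries described above, added here as an example and not written by anyone in the thread: it sorts each logged request by whether it reached nginx through Cloudflare at all and whether its URI path contains one of the rule's terms. Assumptions: nginx's default combined log format, `$remote_addr` is the connecting peer (no real-IP rewriting), the network list is a subset of Cloudflare's published IPv4 ranges and should be refreshed from https://www.cloudflare.com/ips/, and `classify`, `summarize` and the verdict labels are hypothetical names.

```python
import ipaddress
import re
from collections import Counter

# Terms from the example rule quoted in the thread.
RULE_TERMS = ["tmp", "config", "echo", "md5", "pearcmd"]

# Subset of Cloudflare's published IPv4 ranges (assumption: refresh before use).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13",
)]

# nginx "combined" format: peer, ident, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return a verdict for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return "unparsed"
    try:
        peer = ipaddress.ip_address(m["peer"])
    except ValueError:
        return "unparsed"
    # The rule tests the URI path only, so drop the query string first.
    path = m["target"].split("?", 1)[0]
    hit = any(term in path for term in RULE_TERMS)  # plain substring test
    if not any(peer in net for net in CLOUDFLARE_NETS):
        return "direct-to-origin"          # never passed through the proxy/WAF
    return "rule-hit-reached-origin" if hit else "rule-miss"

def summarize(lines):
    """Count verdicts over an iterable of log lines."""
    return Counter(classify(l) for l in lines)

# Constructed sample lines (documentation and example addresses, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [10/Jan/2024:06:25:01 +0000] "GET /tmp/x HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '172.64.10.20 - - [10/Jan/2024:06:26:11 +0000] "GET /index.php?f=config HTTP/1.1" 200 512 "-" "curl/8.0"',
    '172.64.10.20 - - [10/Jan/2024:06:27:40 +0000] "GET /md5/ HTTP/1.1" 404 153 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), "|", line[:60])
```

Entries marked `direct-to-origin` point at traffic that connected to the server without passing through the proxied hostname; `rule-hit-reached-origin` entries point at the rule's state, action or ordering.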