How to white-list certain URLs?

When I enable Firewall --> Cloudflare Managed Rules, then parts of my application break, because sometimes my clients send requests using the browser’s fetch API to an endpoint /s3direct/ in order to receive a signed request to then upload an image directly into an S3 bucket.

I have tried to add a Firewall Rule that always allows requests to that endpoint. The expression looks like this:

(http.request.uri.path contains "/s3direct/")

However, this does not seem to help. I assume that the managed rules take precedence over the self-made rules.

Is there any way to solve this?

You need to use Bypass instead of Allow as the action.

Bypass - WAF Managed Rules.

Hmm… I tried that, but it still does not work.

My requests get blocked with this Rule name: 949110: Inbound Anomaly Score Exceeded.

I have changed my custom rule to Bypass and selected everything except User Agent Block, Hotlink Protection and Zone Lockdown.

How many firewall rules do you have?

Mind providing a screenshot of that?

Just one to whitelist a few URLs that contain certain paths.

Expression looks like this:

(http.request.uri.path contains "/s3direct/") or (http.request.uri.path contains "/api/")

Some googling revealed that 949110: Inbound Anomaly Score Exceeded means that too many of the OWASP rules triggered.

So does that mean that OWASP rules cannot be bypassed?

Does your WAF UI look like this?

Or this:

It looks like the first screenshot. When I disable OWASP, things seem to work, but I guess having OWASP would be better, so I wonder if it is simply not possible to bypass those?

The first screenshot represents the new WAF engine released by Cloudflare recently (less than 2 weeks ago).

But I heard that they might have issues in bypassing the new WAF when the user specifies it in the firewall rules.

Oh wow, good to know. So this could be a bug in Cloudflare? Would it make sense for me to send an email to their team or are they monitoring this board?


Yup, but they are working on it.

You may send them an email so they are more aware of this issue :laughing:

Cool. Thanks again for your help!

EDIT 2021-04-15: I have messaged Cloudflare support and they confirmed that this is a known bug:

This is what they replied to my support request:

We had to reach product specialist internally for guidance on this matter. Please be advised that the new WAF (Managed Rules) doesn’t work with the Bypass action in Firewall Rules. The Engineering Team is aware of this. Actually, this is being looked at as we speak and it should be addressed shortly.

Unfortunately, I am not in a position to share further details or ETA at this time.
Please monitor our usual communication channels for updates on this matter.
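As an added example (not code from this thread or from Cloudflare), here is the Bypass rule recommended earlier in the thread written with the Terraform Cloudflare provider's filter and firewall-rule resources; it assumes the zone is managed with Terraform, that the zone id comes from a variable, and it narrows the page's `contains` match to `starts_with` so "/api/" only matches at the start of the path. As the support reply above states, the new managed WAF did not honour Bypass at the time, so this configuration only takes effect once that is fixed on Cloudflare's side.

```hcl
# Added example, not from the thread. Assumptions: the zone is
# Terraform-managed, var.zone_id supplies the zone, and starts_with()
# replaces contains so the rule cannot match "/api/" mid-path.

variable "zone_id" {
  type = string
}

# Filter: which requests the firewall rule applies to.
resource "cloudflare_filter" "s3direct_and_api" {
  zone_id     = var.zone_id
  description = "Direct-to-S3 signing endpoint and API routes"
  expression  = "(starts_with(http.request.uri.path, \"/s3direct/\")) or (starts_with(http.request.uri.path, \"/api/\"))"
}

# Weak version (what the thread started with): "allow" lets the request
# through firewall rules but managed rules still evaluate it, so
# 949110 (Inbound Anomaly Score Exceeded) still fires.
# resource "cloudflare_firewall_rule" "s3direct_allow" {
#   zone_id   = var.zone_id
#   filter_id = cloudflare_filter.s3direct_and_api.id
#   action    = "allow"
# }

# Corrected version: "bypass" with an explicit product list. This mirrors
# the thread's selection of everything except User Agent Block (uaBlock),
# Hotlink Protection (hot) and Zone Lockdown (zoneLockdown).
resource "cloudflare_firewall_rule" "s3direct_bypass" {
  zone_id     = var.zone_id
  description = "Bypass managed WAF for signed-upload and API endpoints"
  filter_id   = cloudflare_filter.s3direct_and_api.id
  action      = "bypass"
  products    = ["waf", "bc", "securityLevel", "rateLimit"]
}
```

Keep the product list as narrow as the application needs: every product listed here is skipped for matching requests, so each entry widens what reaches the origin unchecked.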

