I set up client certificates and mTLS WAF rules on my domain months ago, and they have been working well. However, when I tried to access the mTLS-protected website today without a client certificate, the blocking did not occur and I could access the website freely.
For desktop browsers that have not accessed the mTLS-protected website before, the certificate selection dialog is not triggered at all.
For Android mobile browsers such as Edge and Samsung Browser that have accessed the website before, I can still see the certificate selection dialog, but I can still access the website when I click "deny", which should be blocked by the WAF rule and show me a Cloudflare error page.
FYI, my WAF rule:
(http.host in {"MY_DOMAIN_1", "MY_DOMAIN_2"} and not cf.tls_client_auth.cert_verified)
I've also checked that those domains are enabled under Client Certificates in the "SSL/TLS" tab.
I did not change the WAF rules, and I've also tried applying the Cloudflare-suggested mTLS rule template, but still no blocking occurred.
Is the mTLS WAF rule not being enforced, or is there a misconfiguration in my rule?
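A small probe for checking enforcement of a rule like the one above, added here as an example and not part of the original post or of Cloudflare's tooling: it requests the site once without and once with a client certificate and classifies the pair of results. The host name is the post's `MY_DOMAIN_1` placeholder, and the certificate/key file names are assumed.

```python
import http.client
import ssl
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ProbeResult:
    handshake_ok: bool          # did the TLS handshake complete?
    status: Optional[int]       # HTTP status, or None if the handshake failed


def probe(host: str, path: str = "/",
          cert: Optional[Tuple[str, str]] = None,
          timeout: float = 10.0) -> ProbeResult:
    """GET https://host/path, optionally presenting a client certificate
    given as (PEM cert path, PEM key path). Needs network access."""
    ctx = ssl.create_default_context()
    if cert is not None:
        ctx.load_cert_chain(certfile=cert[0], keyfile=cert[1])
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return ProbeResult(True, resp.status)
    except ssl.SSLError:
        return ProbeResult(False, None)
    finally:
        conn.close()


def verdict(no_cert: ProbeResult, with_cert: Optional[ProbeResult] = None) -> str:
    """Classify enforcement. A WAF rule on cf.tls_client_auth.cert_verified lets
    the handshake complete and answers 403 (the Cloudflare error page); a
    rejection at the TLS layer also counts as blocked."""
    blocked = (not no_cert.handshake_ok) or no_cert.status == 403
    if not blocked:
        return "NOT ENFORCED: request without client certificate got HTTP %s" % no_cert.status
    if with_cert is not None and with_cert.status != 200:
        return "BLOCKED BUT BROKEN: valid certificate also got HTTP %s" % with_cert.status
    return "ENFORCED"


if __name__ == "__main__":
    host = "MY_DOMAIN_1"                             # placeholder from the post
    client_cert = ("client.pem", "client-key.pem")   # assumed file names
    print(verdict(probe(host), probe(host, cert=client_cert)))
```

A "NOT ENFORCED" result with HTTP 200 reproduces the symptom described in the post; "ENFORCED" means the no-certificate request was turned away while the certificate-bearing one got through.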