Need WAF rule to skip captcha challenges for specific folder

I’m trying to migrate deprecated page rules to WAF rules. One of my page rules that I can’t seem to migrate is a Disable Security rule that I have on /.well-known/acme-challenge/* so that cPanel can autorenew SSL certificates without running into a captcha challenge.

Try this:

If you want it on all subdomains, remove the first match for the hostname.

I was looking for “starts with” not “contains” but I see now that’s not an option anymore like it was under page rules.


Hmm, good point. From a quick look it seems it is available if you create a manual expression (click “Edit expression”).
Which is odd because other rules have it in the UI.


For any hostname:

(starts_with(http.request.uri.path, "/.well-known/acme-challenge/"))

or for a specific hostname:

(http.host eq "" and starts_with(http.request.uri.path, "/.well-known/acme-challenge/"))

I haven’t needed any WAF exceptions, so I can’t address that firsthand. The following post contains my Cloudflare options for the ACME challenge path. HTH/YMMV
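The difference between “contains” and “starts with” raised in this thread decides how many paths end up exempt from security checks. The following is an added example in Python, not code from any poster and not Cloudflare's rule engine. The sample paths are constructed, and the `strict_rule` token check is an assumption based on the base64url token alphabet in RFC 8555 section 8.3.

```python
import re

PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 section 8.3: an HTTP-01 token uses only the base64url alphabet.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")

def contains_rule(path: str) -> bool:
    """Models a 'contains' match on the URI path."""
    return PREFIX in path

def starts_with_rule(path: str) -> bool:
    """Models starts_with(http.request.uri.path, PREFIX)."""
    return path.startswith(PREFIX)

def strict_rule(path: str) -> bool:
    """Hypothetical tighter check: prefix followed by exactly one token."""
    if not path.startswith(PREFIX):
        return False
    return TOKEN_RE.fullmatch(path[len(PREFIX):]) is not None

# Constructed request paths, not taken from real traffic.
SAMPLES = [
    "/.well-known/acme-challenge/Zm9vYmFy_token-123",       # real challenge shape
    "/.well-known/acme-challenge/",                         # bare directory
    "/.well-known/acme-challenge/sub/dir/file.php",         # nested file
    "/blog/.well-known/acme-challenge/Zm9vYmFy_token-123",  # prefix mid-path
    "/.well-known/acme-challenge-old/Zm9vYmFy_token-123",   # look-alike folder
    "/wp-login.php",                                        # unrelated path
]

def skipped(rule, paths=SAMPLES):
    """Paths for which the given rule would skip security checks."""
    return [p for p in paths if rule(p)]

def overmatch(rule, paths=SAMPLES):
    """Paths a rule exempts that are not a single ACME token request."""
    return [p for p in skipped(rule, paths) if not strict_rule(p)]

if __name__ == "__main__":
    for rule in (contains_rule, starts_with_rule, strict_rule):
        print(f"{rule.__name__}: skips {len(skipped(rule))} of {len(SAMPLES)}")
        for p in overmatch(rule):
            print(f"  broader than needed: {p}")
```
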

