Need WAF rule to skip captcha challenges for specific folder

I’m trying to migrate deprecated page rules to WAF rules. One of my page rules that I can’t seem to migrate is a Disable Security rule that I have on /.well-known/acme-challenge/* so that cPanel can autorenew SSL certificates without running into a captcha challenge.

Try this:

If you want it on all subdomains, remove the first match for the hostname.

I was looking for “starts with” not “contains” but I see now that’s not an option anymore like it was under page rules.

Hmm good point. From a quick look it seems it is available if you create a manual expression (click “Edit expression”)
Which is odd because other rules have it in the UI.

Try

for any hostname:

(starts_with(http.request.uri.path, "/.well-known/acme-challenge/"))

or for a specific hostname:

(http.host eq "example.com" and starts_with(http.request.uri.path, "/.well-known/acme-challenge/"))
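
Added example, not part of the thread and not Cloudflare's code: a simplified Python model of the two rule forms discussed above ("contains" versus `starts_with`), run over constructed sample requests to list which ones only the broader "contains" skip rule would exempt from challenges. The function names, hosts and paths are assumptions made for illustration.

```python
from urllib.parse import urlsplit

ACME_PREFIX = "/.well-known/acme-challenge/"


def rule_starts_with(host, path, only_host=None):
    """Model of: starts_with(http.request.uri.path, ACME_PREFIX),
    optionally combined with: http.host eq only_host."""
    if only_host is not None and host != only_host:
        return False
    return path.startswith(ACME_PREFIX)


def rule_contains(host, path, only_host=None):
    """Model of the UI's "contains" operator on the same field."""
    if only_host is not None and host != only_host:
        return False
    return ACME_PREFIX in path


def audit(requests, only_host=None):
    """Return (host, path) pairs that the "contains" rule would skip
    but the starts_with rule would still leave protected."""
    extra = []
    for host, url in requests:
        # http.request.uri.path is the path only, without the query string.
        path = urlsplit(url).path
        broad = rule_contains(host, path, only_host)
        narrow = rule_starts_with(host, path, only_host)
        if broad and not narrow:
            extra.append((host, path))
    return extra


# Constructed sample requests (host, request URI); not real traffic.
SAMPLE = [
    ("example.com", "/.well-known/acme-challenge/token123"),
    ("example.com", "/blog/.well-known/acme-challenge/x"),
    ("example.com", "/index.html?next=/.well-known/acme-challenge/"),
    ("shop.example.com", "/.well-known/acme-challenge/token456"),
    ("shop.example.com", "/app/.well-known/acme-challenge/y"),
]

if __name__ == "__main__":
    for host, path in audit(SAMPLE):
        print(f"only the 'contains' rule skips security for: {host}{path}")
```

Running the same audit over real access-log paths before switching a migrated rule from "contains" to `starts_with` shows which requests would lose the exemption.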

I haven’t needed any WAF exceptions, so I can’t address that firsthand. The following post contains my Cloudflare options for the ACME challenge path. HTH/YMMV
