Override Country Challenge with Page Rules?

I use a Cloudflare PRO subscription. I have most countries outside of the US blocked with a captcha challenge; however, there is an image directory that I would like to make available from any country, even if the country is blocked.

ex:
mydomain.com/images/*

If Russia traffic is challenged using the IP Firewall for all other content I would still like them to have access to images (we link to these images from 3rd party websites).

I’ve added both a firewall rule (URI Full > contains > https://www.mydomain.com/images > allow) and a page rule (www.mydomain.com/images/* > disable security & disable WAF), but neither seems to override the captcha on the IP firewall.

Is this not possible or am I doing something wrong?

AFAIK firewall rules are evaluated after IP rules, so it would probably never trigger. However, I would have assumed the page rule to disable security in this case.

If it does not, you could always try to replace all three rules with the following firewall rule and set “Captcha” as the action for it:

(ip.geoip.country ne "US" and not http.request.full_uri contains "https://www.mydomain.com/images")

That should send every request to a captcha that does not originate from the US or does not contain the URL in question.

Unfortunately you can only use “does not contain” and not “starts with”, hence there is the slight chance that someone outside the US might be able to circumvent the captcha by appending a query string with that URL. In order to avoid that you could add some additional server-side check.
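The server-side check suggested in the reply above, as an added example that is not part of the original posts: it models the firewall expression as a substring test and pairs it with an origin-side prefix test on the parsed path. The function names and sample URIs are constructed; the country code is assumed to reach the origin through Cloudflare's `CF-IPCountry` request header.

```python
import posixpath
from urllib.parse import unquote, urlsplit

HOST = "www.mydomain.com"      # placeholder host used in the thread
OPEN_PREFIX = "/images/"       # directory meant to be reachable from every country
RULE_NEEDLE = "https://www.mydomain.com/images"  # string from the firewall expression


def edge_rule_challenges(country: str, full_uri: str) -> bool:
    """Model of the expression from the thread; True means the captcha is shown."""
    return country != "US" and RULE_NEEDLE not in full_uri


def is_open_image_path(full_uri: str) -> bool:
    """Prefix test on the parsed, normalised path instead of a substring test."""
    parts = urlsplit(full_uri)
    if parts.scheme != "https" or parts.hostname != HOST:
        return False
    # Assumption: the origin decodes the path once and resolves dot-segments.
    path = posixpath.normpath(unquote(parts.path))
    return path.startswith(OPEN_PREFIX)


def origin_should_reject(country: str, full_uri: str) -> bool:
    """True when the edge rule skipped the captcha for a non-US visitor
    although the request is not for a file under /images/."""
    skipped = country != "US" and not edge_rule_challenges(country, full_uri)
    return skipped and not is_open_image_path(full_uri)


if __name__ == "__main__":
    # Constructed sample requests: (country code, full URI)
    samples = [
        ("AU", "https://www.mydomain.com/images/200/1.jpg"),
        ("AU", "https://www.mydomain.com/account"),
        ("AU", "https://www.mydomain.com/account?ref=https://www.mydomain.com/images"),
        ("US", "https://www.mydomain.com/account"),
    ]
    for country, uri in samples:
        edge = "captcha" if edge_rule_challenges(country, uri) else "no captcha"
        origin = "reject" if origin_should_reject(country, uri) else "serve"
        print(f"{country} {uri}: edge={edge}, origin={origin}")
```

The third sample is the query-string case the reply describes: the edge rule shows no captcha, and the origin check refuses it because the path itself is not under `/images/`.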

I removed the country block for Australia
Added the rule as outlined above (tried both Block and Captcha as the action)
Connected to Nord VPN > Australia server
Verified server is showing up as Australia
Attempt to open https://www.mydomain.com/images/200/1.jpg
Image opens

The problem is that I can navigate to any other URL on that domain without being blocked or getting a captcha challenge.

Considering that both expressions should evaluate to true in that case (country ne “AU” and full_uri does not contain the image path) I’d expect the full expression to pass and hence execute the action, which should show a captcha.

Can you post a screenshot of your firewall rule?
