Risk of bypassing WAF/Caching for admin pages

Hi all,

We are looking to bypass WAF & caching for an admin page (domain.com/admin) on a CloudFlare protected website, by way of Page Rule. Before we proceed with this, I wanted to ask - by removing WAF & caching, does that in effect also disable DDoS protection? I would assume every hit on domain.com/admin would be allowed (due to WAF being disabled) and every request would initiate a pull request from the Origin (due to it not being cached). Therefore does that mean the Origin is at risk of being DDoS’d and going down? Or are there other levels of protection still afforded even when these two features are bypassed for a particular page?

We are also looking into restricting access to the page via IP address, but this may not be ready by the time we need to configure the bypass so I am keen to understand what other protections we may have in the meantime.

More context: The website has a Silverstripe CMS backend / PHP, CloudFlare is licensed with Business and WAF is configured with most of the default rule sets. All working well on the publicly accessible pages but when we perform certain functions in the admin panel (such as updating page content) the WAF triggers due to XSS & SQL injection errors. We have asked the website developers to investigate but they cannot pinpoint what is causing these errors. They have tried removing different kinds of content (such as metadata tags) from the requests being made but it hasn’t helped.

Could you use firewall rules to Bypass when on these paths and perhaps use Zone Lockdown to limit access to specific IP addresses? This would do what you want.

The underlying problem is that this would open up this admin page to a “what if your computer is actually compromised at some point and starts injecting SQLi into requests without you knowing?” scenario too… (I am not saying it is now but opening up the defenses might let in more than you know at some point).

If the WAF is complaining about SQLi then perhaps the CMS is doing things in a way that would be better done differently. You will have to look at the blocked requests to see which rules were triggered and work from there.
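As an added illustration of the approach suggested in the reply above (not configuration from the thread, and not Cloudflare's or Silverstripe's own code), here is how the three pieces, a Zone Lockdown on the admin path, a firewall rule that bypasses only the WAF product on that path, and a Page Rule that disables caching for it, can be expressed with the Cloudflare Terraform provider. Assumptions: the zone ID and the allowed source IP are placeholders, `domain.com` is the hostname used in the question, and the resources shown are the provider's legacy `cloudflare_filter` / `cloudflare_firewall_rule` / `cloudflare_zone_lockdown` / `cloudflare_page_rule` resources, which newer provider versions deprecate in favour of rulesets.

```hcl
# Added example, not from the original thread. Placeholders below must be
# replaced: ZONE_ID_PLACEHOLDER and the RFC 5737 documentation address.
variable "zone_id" {
  default = "ZONE_ID_PLACEHOLDER"
}

variable "admin_source_ip" {
  default = "203.0.113.10" # placeholder: the office/proxy egress address
}

# 1. Zone Lockdown: only the listed source may reach /admin at all.
#    Everything else gets a 403 at the edge before any WAF decision is made,
#    so the WAF bypass below only ever benefits the allowed address.
resource "cloudflare_zone_lockdown" "cms_admin" {
  zone_id     = var.zone_id
  description = "Only the office proxy may reach the CMS admin panel"
  urls        = ["domain.com/admin*"]

  configurations {
    target = "ip"
    value  = var.admin_source_ip
  }
}

# 2. Firewall rule with action "bypass", scoped to the WAF product only.
#    Rate limiting, security level and DDoS mitigation are left in place.
resource "cloudflare_filter" "cms_admin_path" {
  zone_id     = var.zone_id
  description = "Requests to the CMS admin panel"
  expression  = "(http.host eq \"domain.com\" and starts_with(http.request.uri.path, \"/admin\"))"
}

resource "cloudflare_firewall_rule" "cms_admin_waf_bypass" {
  zone_id     = var.zone_id
  description = "Temporary WAF bypass for CMS admin; remove once the CMS false positives are fixed"
  filter_id   = cloudflare_filter.cms_admin_path.id
  action      = "bypass"
  products    = ["waf"] # narrow the bypass to the WAF, nothing else
}

# 3. Page Rule: never cache admin responses (an admin UI should not be cached
#    anyway, and this keeps the bypass limited to the one path).
resource "cloudflare_page_rule" "cms_admin_no_cache" {
  zone_id  = var.zone_id
  target   = "domain.com/admin*"
  priority = 1

  actions {
    cache_level = "bypass"
  }
}
```

The point of splitting it this way is that the WAF bypass is the only thing being relaxed: the `products` list keeps every other edge protection active on `/admin`, and the lockdown means the relaxed path is reachable from one address only. Keep the bypass rule's description explicit about why it exists so it gets removed once the blocked-request logs show which managed rules the CMS trips and the root cause is fixed.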

Thanks for your reply - yes Zone Lockdown is in planning but right now due to some configuration in place (proxy) we don’t have readily available static IPs, but this will be possible soon.

I am still working with the developer to fix the root issue with the CMS, but in the meantime the customer can’t update any of their web pages with Cloudflare in place. So I am looking to temporarily bypass WAF just for that particular admin page. But, as the customer’s primary concern is DDoS this leads back to my original question - do they still have any protection in that space if we are bypassing WAF/caching?

No. DDoS Protection is always-on.

It could be possible that your website is suddenly receiving a high volume of traffic (but legitimate, not DDoS) and your server can’t process it.

Try to only bypass the WAF for only specific URLs that are affected?

I would also recommend using Cloudflare Access to totally lock down the admin page, so that only authenticated users can access it.
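As an added example of the Cloudflare Access suggestion above (not configuration from the thread or from Cloudflare), this Terraform fragment defines a self-hosted Access application for the admin path and an allow policy restricted to one email domain. Assumptions: the zone ID and the `example.com` email domain are placeholders, and the `cloudflare_access_application` / `cloudflare_access_policy` resources are the Cloudflare Terraform provider's own names for these objects.

```hcl
# Added example, not from the original thread. Placeholders: ZONE_ID_PLACEHOLDER
# and the example.com email domain.
variable "zone_id" {
  default = "ZONE_ID_PLACEHOLDER"
}

# The Access application wraps the admin path: unauthenticated requests are
# redirected to the Access login page at the edge and never reach the origin.
resource "cloudflare_access_application" "cms_admin" {
  zone_id          = var.zone_id
  name             = "CMS admin panel"
  domain           = "domain.com/admin"
  type             = "self_hosted"
  session_duration = "8h"
}

# Allow only identities whose email is in the organisation's domain. Anyone
# else is denied by default, regardless of their source IP.
resource "cloudflare_access_policy" "cms_admin_editors" {
  application_id = cloudflare_access_application.cms_admin.id
  zone_id        = var.zone_id
  name           = "Allow content editors"
  precedence     = 1
  decision       = "allow"

  include {
    email_domain = ["example.com"] # placeholder
  }
}
```

Access solves the static-IP problem mentioned earlier in the thread, since it gates on identity rather than on source address, and it keeps unauthenticated traffic off the origin even while the WAF is bypassed for that path. It is a separate layer from the WAF, so a WAF bypass rule on `/admin` still applies to requests from users who have passed Access.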
