We’re new to Cloudflare and are using Page Rules to wildcard redirect one domain to another. Our question is does the incoming traffic go through the WAF before the Page Rules redirect, or is all incoming traffic redirected to the new domain by the Page Rule first and thus bypass the WAF?
I am also curious as to which comes first.
My guess would be that WAF comes first, unless disabled (which you can do by page rules); but since you can actually disable WAF by page rules, then maybe page rules comes first?
rapha hurts itself in confusion
Joke aside, you could try and add a category to your post (maybe security) so maybe someone would be able to shed some light here.
This is correct, AFAIK.
Page rules are a little confusing, as the order in which they activate, in relation to other products, depends on what they affect. If you were to disable security features in a page rule, that would run before the security features and, hence, disable them. However, in this case, the redirect will happen after the request has passed through the firewall, including the WAF.
Actually, it looks like WAF isn’t applied on CF redirects. I just simulated a fake Googlebot visit (something WAF would block if the rule is enabled) to a site with WAF, and CF did redirect twice (the http > https redirect enforced by Always Use HTTPS, then naked domain to www., a page rule redirect) before blocking the visit.
So as far as the redirect page rule, it would definitely work without passing through WAF.
WAF applies to the subsequent request (the URL your page rule redirect to) if a bot is to follow it (some bots and tools are programmed not to follow redirects)
I expected the redirect to happen anyway too, but I tested it with a firewall rule which blocked me before the redirect could happen. I guessed that the WAF would be the same if firewall rules apply.
Firewall Rules always take precedence over the Managed Rules (WAF) and can explicitly disable them as well. The same is possible with Page Rules.