WAF custom rule doesn't seem to work

What is the name of the domain?

tuyen.me

What is the issue you’re encountering

I created WAF custom rules, but they don't seem to be working.

What steps have you taken to resolve the issue?

I set up only one WAF rule, but it doesn't seem to work:
First part of the rule: block sensitive paths and file extensions.
Second part: block every request that:

  • doesn't come from VN
  • doesn't come from the Cloudflare ASN
  • doesn't have valid mTLS
  • isn't from a Chrome browser
  • with one exception: /robots.txt.

Rule:

(
  (ends_with(http.request.uri.path, ".php"))
  or (ends_with(http.request.uri.path, ".php7"))
  or (http.request.uri.path contains "/.aws")
  or (http.request.uri.path contains "/.env")
  or (http.request.uri.path contains "/.git")
  or (http.request.uri.path contains "/.vscode")
  or (http.request.uri.path contains "/wp-admin/")
)
or (
  (
    (ip.src.country ne "VN")
    or (ip.src.asnum ne 13335)
    or (not cf.tls_client_auth.cert_verified)
    or (not http.user_agent contains "Chrome/")
  )
  and (http.request.uri.path ne "/robots.txt")
)

Action: Block

It also doesn't work if I split the above rule into multiple smaller ones.

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full

What are the steps to reproduce the issue?

  1. Add the above rule.
  2. Bot Fights and AI Bot Fights are off.
  3. Visit: http://www.tuyen.me/wp-admin/xmrlpc.php

Actual: Still reachable. I have a page rule to redirect all URLs to another domain.
Expectation: Should show 403 page.

Hi there,

I’ve reviewed your custom rule settings, and they differ from what you’ve shared here.

The allowed requests that were not blocked were aligned with the rule settings you’ve configured. You might want to simplify the rules and cross-check them with the requests in Security > Analytics.

This guide should clarify things and help you understand rule expressions:


Hi @syda,

I think marking this question as resolved might have been a bit hasty. While I updated the second part of the IF condition, the first part remains unchanged. The rule still blocks all requests ending with .php:

(
  (ends_with(http.request.uri.path, ".php"))
  or (ends_with(http.request.uri.path, ".php7"))
  or (http.request.uri.path contains "/.aws")
  or (http.request.uri.path contains "/.env")
  or (http.request.uri.path contains "/.git")
  or (http.request.uri.path contains "/.vscode")
  or (http.request.uri.path contains "/wp-admin/")
)
or (
  (
    ((ip.src.country ne "VN") and (not cf.tls_client_auth.cert_verified))
    or (ip.src.asnum ne 13335)
    or (not http.user_agent contains "Chrome/")
  )
  and (http.request.uri.path ne "/robots.txt")
)

Additionally, if you’re not browsing the URL from Vietnam, not using Chrome, or not accessing from the Cloudflare ASN, the above rule should block access to http://www.tuyen.me/wp-admin/xmrlpc.php under every possible condition.

I tested each of these conditions and even combined them all, but the URL is still accessible, as in the below screenshot:

I updated the second part because the original rule didn’t work, but the updated version doesn’t seem to work either.

Could you kindly help me to look into the updated rule one more time, please?
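One way to cross-check a rule like this before blaming the platform is to model the expression's boolean structure offline and feed it the requests you intend to test. The following is an added example, not code from the thread or from Cloudflare: it re-implements both versions of the expression (the original from the question and the revised second group from the follow-up) in Python, with a `Request` dataclass whose fields mirror the Cloudflare fields used in the rule. The sample requests, the Chrome and curl user-agent strings, and the visitor ISP ASN 64496 (a documentation-reserved ASN from RFC 5398) are constructed for the example. Two things the model makes visible: any path under `/wp-admin/` or ending in `.php` matches the first group on its own, whatever the client looks like, so the reproduction URL would be blocked by either version of the rule if the deployed expression were the one shown; and `ip.src.asnum ne 13335` is true for every visitor whose IP is not announced by Cloudflare's own AS 13335, so an ordinary browser from a Vietnamese ISP matches the second group and is allowed only on `/robots.txt`.

```python
"""Offline model of the custom-rule expression discussed in the thread.

Added example (not from the original post or from Cloudflare). Field names
follow the Cloudflare rule fields; the Request type, sample requests,
user-agent strings and the ISP ASN are constructed for this example.
"""
from dataclasses import dataclass

CLOUDFLARE_ASN = 13335   # the ASN compared against in the rule (ip.src.asnum ne 13335)
VISITOR_ISP_ASN = 64496  # documentation-reserved ASN (RFC 5398) standing in for a home ISP

SENSITIVE_SUFFIXES = (".php", ".php7")
SENSITIVE_SUBSTRINGS = ("/.aws", "/.env", "/.git", "/.vscode", "/wp-admin/")

# Constructed user-agent strings.
CHROME_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
CURL_UA = "curl/8.5.0"


@dataclass(frozen=True)
class Request:
    path: str            # http.request.uri.path
    country: str         # ip.src.country
    asnum: int           # ip.src.asnum (ASN of the visitor's source IP)
    cert_verified: bool  # cf.tls_client_auth.cert_verified
    user_agent: str      # http.user_agent


def sensitive_path(req: Request) -> bool:
    """First group: ends_with / contains checks joined by 'or'."""
    return (any(req.path.endswith(s) for s in SENSITIVE_SUFFIXES)
            or any(s in req.path for s in SENSITIVE_SUBSTRINGS))


def untrusted_client_v1(req: Request) -> bool:
    """Second group as posted in the question: four conditions joined by 'or'."""
    return (req.country != "VN"
            or req.asnum != CLOUDFLARE_ASN
            or not req.cert_verified
            or "Chrome/" not in req.user_agent)


def untrusted_client_v2(req: Request) -> bool:
    """Second group as revised in the follow-up: country and mTLS are 'and'-ed."""
    return ((req.country != "VN" and not req.cert_verified)
            or req.asnum != CLOUDFLARE_ASN
            or "Chrome/" not in req.user_agent)


def rule_blocks(req: Request, second_group=untrusted_client_v1) -> bool:
    """Whole expression: group1 or (group2 and http.request.uri.path ne "/robots.txt")."""
    return sensitive_path(req) or (second_group(req) and req.path != "/robots.txt")


def decisive_clause(req: Request, second_group=untrusted_client_v1) -> str:
    """Name the clause that decided the verdict, to compare with Security > Analytics."""
    if sensitive_path(req):
        return "sensitive path"
    if second_group(req):
        return "robots.txt exception" if req.path == "/robots.txt" else "client conditions"
    return "no match"


# Constructed sample requests.
SAMPLES = {
    # the reproduction step from the thread, sent by a scanner-like client
    "repro_xmrlpc_curl": Request("/wp-admin/xmrlpc.php", "US", VISITOR_ISP_ASN, False, CURL_UA),
    # same path from a client that satisfies every second-group condition
    "repro_xmrlpc_trusted": Request("/wp-admin/xmrlpc.php", "VN", CLOUDFLARE_ASN, True, CHROME_UA),
    # Vietnamese Chrome user with a verified client cert, but an ordinary ISP ASN
    "vn_chrome_mtls_home": Request("/", "VN", VISITOR_ISP_ASN, True, CHROME_UA),
    "vn_chrome_mtls_robots": Request("/robots.txt", "VN", VISITOR_ISP_ASN, True, CHROME_UA),
    # only a source inside AS13335 passes the second group on a normal page
    "as13335_home": Request("/", "VN", CLOUDFLARE_ASN, True, CHROME_UA),
}


def verdicts(second_group=untrusted_client_v1) -> dict:
    """Map sample name -> (blocked?, decisive clause) for one version of the rule."""
    return {name: (rule_blocks(r, second_group), decisive_clause(r, second_group))
            for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for version, fn in (("v1 (question)", untrusted_client_v1),
                        ("v2 (follow-up)", untrusted_client_v2)):
        print(f"rule {version}")
        for name, (blocked, why) in verdicts(fn).items():
            print(f"  {'BLOCK' if blocked else 'allow':5}  {name:24}  {why}")
```

Running the script prints a verdict table for each version; the repro URL is blocked under both, while the only request from an ordinary ISP that is allowed is the one for `/robots.txt`. If the live site still serves `/wp-admin/xmrlpc.php`, the place to look is what is actually deployed (the moderator notes the saved rule differs from the one posted) and what is recorded per request in Security > Analytics, rather than the expression's precedence.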