WAF Hmac custom rule blocks valid requests

What is the name of the domain?

dev.media.otiumz.com

What is the error message?

403 request blocked

What is the issue you’re encountering

Valid requests are blocked by the WAF HMAC custom rule

What steps have you taken to resolve the issue?

I retried the request; sometimes it works, sometimes it doesn’t. I looked at the security events, but they don’t tell the specific reason why it fails.

Here are the rule details:

(http.host eq "dev.media.otiumz.com" and not is_timed_hmac_valid_v0("secretKey", http.request.uri, 10800, http.request.timestamp.sec, 8))

What is the current SSL/TLS setting?

Full

At first sight, may I ask if you’re using Advanced Certificate Manager for such a deep-level sub-domain case? Universal SSL doesn’t cover that and you’d have to purchase ACM:

Is the article below the source you went to cross-check and used as a reference?

Hi,

This subdomain points to an R2 bucket, so advanced certificates don’t apply in this case, as stated in the URL you provided:
“Advanced certificates are not used with Cloudflare Pages nor R2 due to certificate prioritization. Both Pages and R2 custom domains use Cloudflare for SaaS certificates.”

Rule logic and request data are correct. If I send the same request, sometimes it works, sometimes it doesn’t.

Thank you
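An added example, not part of the thread and not Cloudflare's code: a local model of the token layout that Cloudflare documents for `is_timed_hmac_valid_v0` (message, separator, issue timestamp, `-`, URL-encoded base64 HMAC-SHA256 over message plus timestamp), which reports which check a signed URL fails. The `?verify=` separator (8 characters, matching the rule's last argument), the sample path, the function names and the exact expiry boundary are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote_plus, unquote

SEPARATOR = "?verify="  # assumed name; only its length (8) comes from the rule
TTL = 10800             # seconds, as in the rule


def _mac(key: str, path: str, issued_at: int) -> bytes:
    # HMAC-SHA256 over the message (path) concatenated with the timestamp.
    return hmac.new(key.encode(), f"{path}{issued_at}".encode(), hashlib.sha256).digest()


def sign_url(key: str, path: str, issued_at: int) -> str:
    """Build path + separator + '<timestamp>-<URL-encoded base64 MAC>'."""
    token = quote_plus(base64.b64encode(_mac(key, path, issued_at)))
    return f"{path}{SEPARATOR}{issued_at}-{token}"


def check_url(key: str, uri: str, now: int, ttl: int = TTL) -> str:
    """Return 'ok' or the reason this local model rejects the URI."""
    path, sep, token = uri.partition(SEPARATOR)
    if not sep:
        return "separator missing"
    ts_text, dash, mac_text = token.partition("-")
    if not dash or not ts_text.isdigit():
        return "malformed token"
    issued_at = int(ts_text)
    try:
        got = base64.b64decode(unquote(mac_text), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "MAC is not valid base64"
    if not hmac.compare_digest(got, _mac(key, path, issued_at)):
        return "MAC mismatch"
    if now > issued_at + ttl:
        return "expired"
    return "ok"


if __name__ == "__main__":
    # Constructed sample values: key, path and timestamp are placeholders.
    url = sign_url("secretKey", "/video/clip.mp4", 1700000000)
    print(url)
    print(check_url("secretKey", url, 1700000000 + 60))
```

Running a rejected URL and the request time through `check_url` separates a signing problem (MAC mismatch, malformed token) from a timing problem (expired), which the 403 alone does not distinguish.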
