WAF Not Active, cannot get rules to work

What is the name of the domain?

What is the issue you’re encountering

Under Security → WAF, I set a “Custom rule” that was supposed to block all traffic except for traffic from the United States. However, it did not work, as all traffic is still allowed to access the site. Also, the WAF shows no firewall events or activity.

What steps have you taken to resolve the issue?

I changed it to block all traffic except for traffic from Albania. It still allowed me to access. DNS is proxied. Nameserver was changed to Cloudflare a couple of weeks ago so DNS has updated by now…
I also tried accessing from different browsers and devices, incl. trying to access it with a VPN. When opening the site, it shows that Cloudflare is the server (incl. Cloudflare’s IP).
I applied the same WAF rule to a different site and it worked just fine. The site I am having an issue with is an old Weebly site, but I don’t think that should matter.

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full

What are the steps to reproduce the issue?

Just go to https://www.nabcgolfevent.org. If the site loads, the WAF rule is not working.

Here are a few screenshots (Imgur link). While this website does not get much traffic (only a small group of people visits it when directed), I feel like a lot of the traffic does not get recorded by Cloudflare.

When going direct to the origin, it looks like Weebly is using Cloudflare in this case…

curl -I https://www.nabcgolfevent.org/ --resolve www.nabcgolfevent.org:443:199.34.228.69
HTTP/2 200
date: Tue, 09 Jul 2024 17:46:41 GMT
content-type: text/html; charset=UTF-8
cf-ray: 8a0a22854af9950b-LHR
cf-cache-status: BYPASS
cache-control: private
set-cookie: is_mobile=0; path=/; domain=www.nabcgolfevent.org
vary: X-W-SSL,Accept-Encoding,User-Agent
x-host: blu144.sf2p.intern.weebly.net
x-ua-compatible: IE=edge,chrome=1
set-cookie: language=en; expires=Tue, 23-Jul-2024 17:46:40 GMT; Max-Age=1209600; path=/
set-cookie: __cf_bm=wN7PpDxA6OXdmrVRkrFhNYFyTTF49oWWlvsZ7S2tl5k-1720547201-1.0.1.1-AZD6b3jBAX3JHEBSdGdXzXJLFuy7ePAuFpmU8idlfQacuGRXC8b_kFXFm47Trk8BvHnWqwKS41zJMsRe7v13aw; path=/; expires=Tue, 09-Jul-24 18:16:41 GMT; domain=.www.nabcgolfevent.org; HttpOnly; Secure; SameSite=None
server: cloudflare

As your records are proxied, we’re in this Cloudflare-Cloudflare (O2O) world where it’s not quite clear to me what actually works and what doesn’t. While guides have been published for some providers…

…I’m not sure whether this works for others, or for all SaaS providers, and for which features. If O2O is working, most features should pass through your account first, then the provider. (Previously it was direct to the provider, or “DNS only” had to be used).

Someone may know more.

(Also, your mail subdomain should be “DNS only” instead of “Proxied” if it’s for email traffic)

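The check in the reply above (pin the hostname to the origin IP with `curl --resolve` and look at the response headers) can be made repeatable. The script below is an added example, not code from the thread or from Cloudflare: it parses a `curl -I` header dump, fingerprints whether the responder is Cloudflare (`server: cloudflare` plus a `cf-ray` id ending in the colo code), notes any `x-host` header that leaks an internal hostname, and compares the proxied response with the direct-to-origin one. If both responses carry Cloudflare fingerprints, the origin is itself behind Cloudflare (the O2O situation). The two header dumps are constructed samples modelled on the output posted above, with cookies removed; they are not live captures.

```python
import re

# Constructed sample, modelled on the thread's curl -I output when the request
# is pinned to the Weebly origin IP (cookies removed; not a live capture).
DIRECT_TO_ORIGIN = """HTTP/2 200
date: Tue, 09 Jul 2024 17:46:41 GMT
content-type: text/html; charset=UTF-8
cf-ray: 8a0a22854af9950b-LHR
cf-cache-status: BYPASS
cache-control: private
x-host: blu144.sf2p.intern.weebly.net
server: cloudflare
"""

# Constructed sample: what a plain origin with no CDN in front would look like.
PLAIN_ORIGIN = """HTTP/1.1 200 OK
date: Tue, 09 Jul 2024 17:46:41 GMT
content-type: text/html; charset=UTF-8
server: nginx/1.24.0
"""

# cf-ray is a 16-hex-digit request id followed by the three-letter colo code.
CF_RAY_RE = re.compile(r"^([0-9a-f]{16})-([A-Z]{3})$")


def parse_headers(raw):
    """Split a curl -I dump into (status line, {lower-name: [values]})."""
    lines = [ln.rstrip("\r") for ln in raw.strip().splitlines()]
    status = lines[0] if lines else ""
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip anything that is not "name: value"
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def cloudflare_fingerprint(headers):
    """Decide whether the responding server is a Cloudflare edge node."""
    server = [v.lower() for v in headers.get("server", [])]
    ray = headers.get("cf-ray", [""])[0]
    match = CF_RAY_RE.match(ray)
    return {
        "behind_cloudflare": "cloudflare" in server and match is not None,
        "colo": match.group(2) if match else None,
        # An x-host header naming an internal host is an information leak
        # worth noting, independent of the WAF question.
        "leaked_internal_host": headers.get("x-host", [None])[0],
    }


def diagnose(proxied_raw, direct_raw):
    """Compare the response via DNS (proxied) with the one pinned to the origin."""
    via_proxy = cloudflare_fingerprint(parse_headers(proxied_raw)[1])
    direct = cloudflare_fingerprint(parse_headers(direct_raw)[1])
    if via_proxy["behind_cloudflare"] and direct["behind_cloudflare"]:
        return "o2o"            # origin is itself behind Cloudflare (O2O)
    if via_proxy["behind_cloudflare"]:
        return "proxied-only"   # normal setup: only your zone fronts the origin
    return "not-proxied"        # record is DNS only or the proxy is bypassed


if __name__ == "__main__":
    # Hypothetical command lines for the two captures (not run here):
    #   curl -sI https://www.nabcgolfevent.org/ > proxied.txt
    #   curl -sI https://www.nabcgolfevent.org/ \
    #        --resolve www.nabcgolfevent.org:443:199.34.228.69 > direct.txt
    print(cloudflare_fingerprint(parse_headers(DIRECT_TO_ORIGIN)[1]))
    print(diagnose(DIRECT_TO_ORIGIN, DIRECT_TO_ORIGIN))
    print(diagnose(DIRECT_TO_ORIGIN, PLAIN_ORIGIN))
```

In the thread's case both captures look like `DIRECT_TO_ORIGIN`, so the verdict is `o2o`; a site whose origin answers like `PLAIN_ORIGIN` when pinned gives `proxied-only`, which is the situation in which a zone-level WAF rule is expected to apply. Note that `--resolve` only bypasses your DNS record; it cannot tell you whether your zone's rules ran, only who answered.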

Thank you for looking into this! Much appreciated. Yes, it looks like Weebly is using Cloudflare as well (at least for this site). So this could well be the reason why it does not work as expected. I could not find any O2O instructions for Weebly. If someone has them, that would be great.

PS: The mail subdomain was just a redirect from mail.nabcgolfevent.org to another URL. I removed the redirect for troubleshooting. Thanks for pointing it out though!


Just for completeness, can you show a screenshot of the WAF rule.


Certainly (screenshot on Imgur).
I have just updated the WAF rule, however, to block all traffic except for the United States. (I only blocked all traffic for troubleshooting.) There actually were two blocked requests from the United States (none from other countries) within the last hour. So I want to make sure I don’t block real visitors…

I also talked to Weebly support. They confirmed that they are running Cloudflare and that it cannot be disabled on their end nor that rules can be added on their end. For the O2O stuff, they had no idea. :wink:

Edit to my previous post: The blocked traffic came through mail.nabcgolfevent.org (screenshot on Imgur).
So it seems like the WAF rules are completely inactive for nabcgolfevent.org and www.nabcgolfevent.org.

Maybe there is no resolution for this. But I very much appreciate your input and help!