WAF not working as expected

I’m trying to block one of my subdomains (in the screenshot I’ve put it as domain.com as an example) from any IPs except mine, and this is the rule I have in WAF:

but for some reason, it’s blocking every IP, why would this be?

Do you have any other rule in place? As it is in your screenshot, your rule should block no one, as the second directive won’t ever match. (URI Full will never be equal to your domain name, as the example in the screenshot shows.)

Please check the documentation concerning Firewall Rules fields, and edit your rule accordingly. You should either change the operator to “contains”, or change the field from URI Full to Hostname.

Actually, apologies, I have it set to “contains”; that screenshot was just a quick mock-up. So yes, it blocked everyone, which was weird, as it shouldn’t block me.

I’m not sure I understand your question. You wanted to block everyone except your own IP address. The rule seems to be doing exactly that. What’s weird about it?

By “blocking every IP”, I actually meant mine too; it’s blocking everything, including mine.

Your rule should include both your public IPv4 and IPv6 addresses. If you search online “what’s my IP address” it may respond with only your IPv4 or IPv6, and perhaps Cloudflare is receiving the other one. Also, IPv6 changes from device to device, so you may need to add more than one IPv6 if that’s the case.

On the other hand, a Zero Trust Access policy may be a better alternative to do what you want. Simply add an Access policy for the whole subdomain, with an “allow” rule for your IP address(es).
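A small simulation, added here as an example and not part of any post in this thread, of why the two rule variants discussed above behave as they do. It models a block rule of the shape "(field operator value) and not (ip.src in {allow list})" in plain Python: the hostname, the "my" IPv4/IPv6 addresses (taken from the RFC 5737/3849 documentation ranges) and the request samples are all constructed for illustration, and the matching function is a hypothetical stand-in for the WAF, not Cloudflare's own engine. The field labels `http.host`, `http.request.full_uri` and `ip.src` are used only as names for the Hostname, URI Full and source-IP fields.

```python
import ipaddress
from typing import Iterable

# Constructed sample values (illustrative, not from the original thread).
PROTECTED_HOST = "app.domain.com"
MY_IPV4 = "203.0.113.45"          # documentation-range address standing in for "my" IPv4
MY_IPV6 = "2001:db8:1:2::cafe"    # documentation-range address standing in for "my" IPv6


def parse_networks(entries: Iterable[str]):
    """Turn a list of IPs / CIDRs (v4 or v6) into network objects.
    A bare address becomes a /32 or /128."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def ip_in_list(src: str, networks) -> bool:
    """Stand-in for the operator `ip.src in {...}`. A v6 source can never
    match a v4 entry and vice versa, which is the trap in the thread."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in networks if net.version == addr.version)


def block_rule_matches(request: dict, field: str, operator: str, value: str, allow_list) -> bool:
    """Evaluate a block rule of the form
        (<field> <operator> <value>) and not (ip.src in {allow_list})
    field is 'http.request.full_uri' (URI Full) or 'http.host' (Hostname);
    operator is 'eq' or 'contains'. True means the request is blocked."""
    subject = request[field]
    if operator == "eq":
        first_clause = subject == value
    elif operator == "contains":
        first_clause = value in subject
    else:
        raise ValueError(f"unsupported operator {operator!r}")
    return first_clause and not ip_in_list(request["ip.src"], allow_list)


def make_request(src_ip: str, path: str = "/admin") -> dict:
    """Constructed request, as the WAF would see it."""
    return {
        "http.host": PROTECTED_HOST,
        "http.request.full_uri": f"https://{PROTECTED_HOST}{path}",
        "ip.src": src_ip,
    }


def scenario_results() -> dict:
    """Run the thread's scenarios; returns {scenario_name: blocked?}."""
    v4_only = parse_networks([MY_IPV4])
    both = parse_networks(["203.0.113.0/24", "2001:db8:1:2::/64"])  # ISP /24 plus home /64
    me_v4 = make_request(MY_IPV4)
    me_v6 = make_request(MY_IPV6)
    stranger = make_request("198.51.100.7")
    return {
        # URI Full `eq` hostname: the first clause can never be true, so nobody is blocked
        "uri_eq_stranger": block_rule_matches(stranger, "http.request.full_uri", "eq", PROTECTED_HOST, v4_only),
        # URI Full `contains` hostname: works, the stranger is blocked
        "uri_contains_stranger": block_rule_matches(stranger, "http.request.full_uri", "contains", PROTECTED_HOST, v4_only),
        # Hostname `eq`, only my IPv4 listed, I arrive over IPv4: allowed
        "host_me_v4": block_rule_matches(me_v4, "http.host", "eq", PROTECTED_HOST, v4_only),
        # same rule, but I arrive over IPv6: blocked ("it blocks me too")
        "host_me_v6_v4list": block_rule_matches(me_v6, "http.host", "eq", PROTECTED_HOST, v4_only),
        # both address families listed: allowed again
        "host_me_v6_bothlist": block_rule_matches(me_v6, "http.host", "eq", PROTECTED_HOST, both),
    }


if __name__ == "__main__":
    for name, blocked in scenario_results().items():
        print(f"{name:24s} blocked={blocked}")
```

Running it prints one line per scenario; the interesting pair is `host_me_v6_v4list` (blocked) against `host_me_v6_bothlist` (allowed), which is exactly the "it blocks me too" symptom when the browser reaches the edge over IPv6 while the allow list only carries an IPv4 entry.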

Your rule should include both your public IPv4 and IPv6 addresses
Oh good catch, I didn’t think about that.

As for the Zero Trust Access policy thing, I believe it wants me to pay or add a payment method and use the $0/mo version?

The free version of Zero Trust does still require payment information, yes. The free plan is completely free though, you won’t be unexpectedly upgraded or anything. I believe the purpose is just trying to prevent abuse.


Apologies for the late reply, but I couldn’t figure out how to properly set up a Zero Trust Access policy. The one I set up made it show something like “enter an email address to get a code” for everyone whenever that domain is accessed, which I don’t know is right. The way I wanted it was: allow me and block everyone else, no exceptions. Would that be possible?

I’m sorry, I thought Access would accept an “allow” policy based on IP only, but that doesn’t seem to be the case. Change the action from “allow” to “bypass”, and add the IP number as an “include”. Remove any group you may have created. That should work. (If you start getting errors, just delete your current Access application and create a new one)

Okay, that works fine, thanks! But it only works if I allow my IPv4 + IPv6. My IPv4 changes thanks to my ISP not providing a static IP, so I usually allow a somewhat larger range of IPs, like x.y.z.0/24. I don’t really want to do that for IPv6 too; is it possible to just care about IPv4 somehow?

Bypassing IPs should preferably be done with IP addresses you fully control. If you depend on your ISP’s policy, you may prefer to forgo IPs altogether and just create the initially suggested allow policy, and use an email for authentication. You can set how long the session lasts, and as long as you have full control of your email address (secure password, 2FA etc.), you should be pretty safe. It’s the method I use, for the same reason (I don’t have access to a fixed IP address.)

If you think the trade-off between security and convenience justifies using IP, the reasonable way to avoid IPv6 is to disable it on your own computer.

Alright, I’ll use that way then, but I don’t know how to use it properly, because it asks for an email to send a code to, but it never does. Am I missing something?

You need to create a group, add your email address to that group, and use the group in the Allow policy. You can use Gmail, in which case you’ll use Google’s own authentication routine (easier), or your own email, in which case you should receive a PIN.

So I added a group, set “Emails”, and put my email there. Then I went to Applications, selected this group to allow, then added another policy that blocks everyone, so I now have 2 policies: 1 ALLOW that allows the group, and 1 BLOCK that blocks everyone. I went in and entered my email and it still doesn’t send me any code; I’m not sure why that could be.

You do not need this. The Allow policy will allow as directed and block everyone else.

I don’t understand it. Just tested with my free-plan domain and it’s working as expected, sends the email right away. Have you checked Spam/Promotion/Social etc. folders?

It works now, thank you!
