i have REGEX problem with WAF.

I want to block URI like that: /?12345678=87654321
NOT like that: /go/ajax/checkUser.php?username=8charusr

when my WAF is set like that:
(http.request.uri matches "^/\\?[a-zA-Z0-9]{8}=[a-zA-Z0-9]{8}$")
both URI are blocked

I tested my regex on tester, and it is correct - but CloudFlare does not apply block rule.

Do I have to escape “?” char? Tried to do that, without success :frowning:

Regex: http://regexr.com/4f3fh

Thats the known double escape issue in the editor *)

Dont use the expression builder but manually edit it and specify the following

(http.request.uri matches "^/\?[a-zA-Z0-9]{8}=[a-zA-Z0-9]{8}$")

Alternatively this should work with the builder too

(http.request.uri.path eq "/" and http.request.uri.query matches "^[a-zA-Z0-9]{8}=[a-zA-Z0-9]{8}$")

*) The problem is the builder does not take into account that the backslash could actually be escaping a character but always believes it actually needs to escape the backslash itself, so instead of an escaped/literal question mark you end up with an optional backslash character.


Oh God, thank You!
Fight with that few hours, event edit directly in manual edit. No luck.

It works right now :smiley: