we have so many requests on our server for none existing resources
and Cloudflare don’t block them
we try to define a waf rule like:
http.response.code == 404
but we con not, Cloudflare do not allow such a rule…
this is very easy that to handle this on our firewall if we do not use Cloudflare
so, this is crazy that Cloudflare have not a simple tool like this…
If you have any solution, then please help us
because WE ARE UNDER ATTACK
But, do not tell me, that we must pay more to cloudeflare (our plan is pro)
because this is very simple waf rule!!!
Hi,
Your origin server firewall can tell whether or not a resource is present. Cloudflare edge cannot, not until the request returns from the origin, at which point it makes little sense to block.
You can craft a rule in WAF to challenge any request that is not a real frontend path in your installation.
not cf.client.bot and
not http.request.uri.path in {"/path-1" "/path-2" "/path-3" etc.}
then Managed Challenge
Since a WAF Custom Rule is limited to 4kb, such a rule won’t be able to include all your legit paths unless your website contain a very limited number of them. However, if you are under attack, you should adapt a “house under fire” mindset and perhaps try it, by adding to the rule the most visited paths, and accepting that legit visitors will be challenge for not-so-frequently requested paths.
I am totally with you - I filed a feature request for it, please vote for it there
tanx for response.
I see, and our plan is business
but I can not find a sample syntax for http.response.code in docs
and when I use for sample http.response.code == 404 in rule syntax then the cloud-flare return ERROR…
So, can you share sample syntax for detecting http response code?
As has already been explained, if your origin has already responded with a 404, then it’s already given an error to the client, there’s no need for Cloudflare to report a different error.
If you want to reduce all this scanning for URLs cruft, we deal with this by…