WAF rules do not seem to take place

Hello all,

This is my first post so I hope I’m posting it in the correct place. I tried to search for an answer but couldn’t find anything really related, hence the post.

The problem I’m having is that WAF rules do not seem to take place.

My domain is on Cloudflare on the free plan. I have two subdomains defined as CNAME records.

Something like this:
CNAME api alb-aws-blah-blah-blah
CNAME app blahblahblah. cloudfront. net
Obviously the “blah blah” records are entered correctly. I’ve redacted this just for the post.

As far as DNS it works correctly. Both these records are proxied through Cloudflare (orange logo).

Now I’m trying to make some rules in the WAF which go like this:
uri contains app. mydomain. com/register
uri contains app. mydomain. com/login
uri contains app. mydomain. com/forgot-password
Managed challenge

(Sorry about spaces, it’s just not to make this a url)

However this doesn’t seem to take place. As a quick test, I tried adding the “forgot-password” url as a separate rule (after removing it from the first rule) and blocking that page temporarily (instead of using a challenge) to see if the rule takes place, but it doesn’t seem to work.

What am I missing?


Are you referring to http.request.uri? The expected value for this field shouldn’t contain the hostname, which it seems you did include:

I suggest you do this instead:
(http.host eq "app.mydomain.com" and http.request.uri.path in {"/register" "/login" "/forgot-password"})

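An added illustration (not part of the thread) of why the original rule never fires and the suggested one does: a small Python model of the Cloudflare fields http.host, http.request.uri and http.request.uri.path evaluated against constructed requests.

```python
# Added example, not code from the thread. The field semantics modelled here
# are Cloudflare's (http.request.uri = path + query string, without the host);
# the Request class, helper names and sample requests are constructed.
from dataclasses import dataclass

HOST = "app.mydomain.com"
PROTECTED_PATHS = {"/register", "/login", "/forgot-password"}


@dataclass(frozen=True)
class Request:
    host: str          # http.host: the Host header, no scheme or path
    path: str          # http.request.uri.path: path only, no query string
    query: str = ""    # http.request.uri.query

    @property
    def uri(self) -> str:
        # http.request.uri is path plus query string; the hostname is never in it
        return self.path + (f"?{self.query}" if self.query else "")


def original_rule(req: Request) -> bool:
    """The question's rule: uri contains "app.mydomain.com/<page>"."""
    return any(f"{HOST}{p}" in req.uri for p in PROTECTED_PATHS)


def corrected_rule(req: Request) -> bool:
    """(http.host eq "app.mydomain.com" and http.request.uri.path in {...})"""
    return req.host == HOST and req.path in PROTECTED_PATHS


SAMPLE = [  # constructed requests
    Request(HOST, "/login"),
    Request(HOST, "/forgot-password", "token=abc"),
    Request(HOST, "/login/"),            # trailing slash: not in the exact-match set
    Request(HOST, "/dashboard"),
    Request("api.mydomain.com", "/login"),
]


def evaluate(reqs=SAMPLE):
    """Return (host + uri, original_rule result, corrected_rule result) per request."""
    return [(r.host + r.uri, original_rule(r), corrected_rule(r)) for r in reqs]


if __name__ == "__main__":
    for full, orig, fixed in evaluate():
        print(f"{full:45} original={orig!s:5} corrected={fixed}")
```

Because `in {...}` is an exact match on the path, a variant such as /login/ has to be listed explicitly if the application also serves it.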

Yes, that seems to work! Thanks a lot!

