WAF rules for WARP users

we have a rule to only allow certain list of ip addresses to reach our web app, like:
not ip.src in $ipblock
then block

now if a user starts to use warp, what’s the best way to handle that case?

there’s http.x_forwarded_for but that could be from any proxy which may not be trustworthy. also that can’t be compared to a list, at least not in the free version.

is there some equivalent to securely check the origin ip in a waf rule, and only allow direct access or warp access for a certain list of IPs?

There’s no WAF option to look at WARP connected users.

Assuming the WARP users are all in your zero trust organisation, it’s easy just to add the application to zero trust and have users enter that way, then they can access securely with or without WARP.

If you want WARP just to give access without a login page, then it’s best to create a Cloudflared tunnel with a local resolver on a private IP range combined with Local Domain Fallback and Split Tunnels so you can resolve something like ourwebapp.internal.example.com to 192.168.x.x, then that webapp can only be accessed over WARP or the office LAN.

a good solution, but unfortunately not all users are or can be in our zero trust org.

for regular warp, i suppose one can instruct the warp users to exclude the web app’s ip in the settings, but that may be difficult for some of them to digest.

perhaps one way to handle warp users would be to allow all cloudflare proxy ip’s and also validate CF-Connecting-IP.

can the CF-Connecting-IP header be checked in a waf rule and would the approach be relatively secure? this is not a national security web app but still would like to keep out the snoopers as much as possible.

If your WARP users are not in a zero trust organisation then, even if it was possible, it’s not safe to allow access to general WARP users as that could be anyone!

For the same reason, just allowing them by Cloudflare IP is a bad idea, it could be any WARP user, Cloudflare Worker, or any Cloudflare proxy user accessing your site.
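The point raised in the question about http.x_forwarded_for, and in the replies about trusting Cloudflare proxy addresses, comes down to the same rule: a forwarded-for hop is only worth believing if the party that appended it is a proxy you trust, and the allowlist must be evaluated against the address you end up with, not against the proxy. The following Python is an added example written for this thread, not code from Cloudflare or from any poster; the proxy range (203.0.113.0/24) and office range (198.51.100.0/24) are constructed placeholders. It resolves the effective client address by walking X-Forwarded-For from the right and stopping at the first untrusted hop, then checks that address against the allowlist, so a header a client wrote itself has no effect.

```python
import ipaddress
from typing import Optional

# Constructed sample data (hypothetical ranges, not real infrastructure):
# proxies whose appended X-Forwarded-For entries we believe, and the client
# ranges that are allowed to reach the web app.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWED_CLIENTS = [ipaddress.ip_network("198.51.100.0/24")]


def _in_any(addr, networks) -> bool:
    return any(addr in net for net in networks)


def effective_client_ip(peer_ip: str, xff_header: Optional[str] = None):
    """Return the address the app should treat as the real client.

    X-Forwarded-For is walked from the right (the hop nearest to us). An entry
    is only believed when the party that appended it, which is the address we
    currently hold, is a trusted proxy. The TCP peer is where the walk starts,
    so a client connecting directly cannot inject an allowed address.
    """
    current = ipaddress.ip_address(peer_ip)
    if not xff_header:
        return current
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _in_any(current, TRUSTED_PROXIES):
            break  # appended by an untrusted party: stop believing the chain
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: do not walk any further
    return current


def is_allowed(peer_ip: str, xff_header: Optional[str] = None) -> bool:
    """Allowlist decision based on the effective client address."""
    return _in_any(effective_client_ip(peer_ip, xff_header), ALLOWED_CLIENTS)


if __name__ == "__main__":
    # Constructed requests: peer address as seen on the socket, plus the header.
    print(is_allowed("198.51.100.7"))                               # direct, allowed range
    print(is_allowed("192.0.2.9", "198.51.100.7"))                  # direct, spoofed header
    print(is_allowed("203.0.113.5", "198.51.100.7"))                # via trusted proxy
    print(is_allowed("203.0.113.5", "198.51.100.7, 192.0.2.9"))     # spoof behind proxy
```

Applied to the thread: if Cloudflare's proxy ranges are placed in TRUSTED_PROXIES, the address the walk ends on for a WARP user is whatever WARP egresses from, which is exactly why the replies say allowing by Cloudflare IP alone does not reduce the set of people who can reach the app.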

Just to add, if this is just to remove some of the internet noise (scans and probes) from your webapp, then you could block anything not from AS13335 or AS132892. But it’s not a secure solution, just a noise reduction one; it would still be possible for someone not from your organisation to reach the webapp. In my opinion a site should be assumed public or enforced private, not in between.


thanks, final decision was to split tunnel exclude the host. bit of a pain but will guide the warp users over the phone or something.
