WAF Rules - Not Blocking Traffic

What is the name of the domain?

What is the issue you’re encountering

Traffic not being blocked

What is the current SSL/TLS setting?

Off

What are the steps to reproduce the issue?

The following WAF rules are implemented and enabled:

Name: Rule 1
Order: 1
Rule: (not (ip.geoip.country in {"AT" "BE" "BG" "HR" "CY" "CZ" "DK" "EE" "FI" "FR" "DE" "GR" "HU" "IE" "IT" "LV" "LT" "LU" "MT" "NL" "PL" "PT" "RO" "SK" "SI" "ES" "SE" "GB" "US"}))
Action: Block

Name: Rule 2
Order: 2
Rule: (ip.src.country ne "GB" and ip.src.country ne "US" and ip.src.country ne "FR" and ends_with(http.host, ".example.com"))
Action: Block

This should in theory allow traffic to the root domain for those locations specified in the rule, and block all others. The second rule to process should then prevent traffic from all but ‘GB’, ‘US’ and ‘FR’ for all subdomains.

Traffic allowed by rule one is being blocked (I can’t access from France).
Traffic blocked by rule two is being allowed (I can access from Australia).

Is this happening on “example.com” or on “something.example.com”?

That ends_with, when you have the “.” in front of your domain (“.example.com”), literally means that the rule will only apply to subdomains.

Such as e.g. “something.example.com”.

and ends_with(http.host, ".example.com")) will NOT trigger on https://example.com (zone apex).


Rule 2 - The traffic is being allowed to subdomains, i.e. portal.example.com, from countries not in the acceptable list (Australia, Germany etc.).

Neither rule seems to be operating as expected, but I believe the syntax is correct.

Changed to match what you have posted, same exact issue. I can’t get to the root domain from AT, BE etc…

However I can get to subdomains from Russia and China!!!

Can you share screenshots of your Analytics logs?

I get it if you’re getting upset, but writing three ! will simply not help in anything.

I’m not getting upset. I just added the exclamation marks to emphasize that despite the rule in place the site is not blocking access for two quite concerning countries.

I have checked from various VPNs and:

(1) I cannot access the root domain from countries listed in the rule (which are to be allowed)
(2) I can access subdomains from countries I should not be able to (i.e. Russia/China)

I’m not sure what else I can do.

I see.

But I’ll ask again, can you please share screenshots of your WAF analytics logs? :thinking:

I will share what I can, what specifically? (New to Cloudflare, so please bear with me.)

A good example. Here is US traffic being blocked to the root domain.

Don’t worry about it. We’re here to help. :slightly_smiling_face:

Let’s try to fix this…

  1. Do you have any other rules in place?
  2. Is there anything else in the country blocking rule besides what you’ve posted?
  3. The block happens when you try to access the website without the xmlrpc path?
  4. The rule triggering is the rule you say you’re having trouble with?

Here are the two rules as implemented (multiple posts below due to image limit for new users).

This event shows the subdomain rule (rule2) blocking a request from France - but the traffic isn’t for subdomains, it’s for the root domain.

  • no other rules
  • nothing else in the rule
  • yes, if I just access example.com
  • yes

You’re accessing your subdomain with an IP from France, but your second rule only allows IPs from Ireland, Netherlands and United Kingdom to access it.

The first rule doesn’t block France, but the second blocks it.

You’ll need to allow France to access your website’s subdomain too.

Main domain and sub-domains are both proxied :orange: or some of them are unproxied :grey: (DNS-only)? :thinking:

Try using Hostname contains then write and/or rather list sub.example.com, otherwise you’ve got multiple subs to cover, then write multiple of them is in and trigger such Custom WAF Rule?

Furthermore, you could use a combination where you trigger X and allow it for example.com but not sub.example.com in the 1st rule, while you trigger Y and block it for sub.example.com while example.com for such a request is normally allowed as required.

Or even to combine in 3 rules, where last one is a “catch-all” example.

E.g. allow requests from Croatia and Germany to example.com, but don’t allow them to go to the portal.example.com sub-domain … http.host ne "portal.example.com" and http.host contains "example.com" and ip.src.country in {"HR" "DE"}

Then in 2nd rule you go to cover what you need, and 3rd one to catch all those which aren’t triggered by those two.


Looking at the request URL it wasn’t a subdomain they tried to access from France, it was the root domain www.example.com and so therefore should have been allowed?

But on the screenshot you’ve sent, the host has www.
If your rule is configured to catch .example.com, it will also catch www.example.com, us.example.com, something.example.com, sftp.example.com, etc…

So I would need to exclude www. and that would then include all other subdomains.