WAF rules not working, is CF security a big joke?

Hi,

First of all, I have a paid plan and the support doesn’t help at all. 0/5 customer service.

Now let’s get into the error. I spent big money for security experts to fine-tune my security as I’m targeted a lot for attacks, and all of a sudden the WAF just completely stopped working on my domain.

All the rules below generate thousands of logs on a daily basis and now it’s just not working at all, my website is not protected and cloudflare isn’t doing ANYTHING to help.

I tried to update the rules, turn off/wait a bit/turn on, nothing works. The DNS is proxied and on top of everything: I did not touch anything in the settings for multiple weeks.

Rule 3 would be the first to look at, since it is a skip rule with the highest number of matches and nothing hits below it. Can you show the detail for that rule?

2 Likes

Hello @srj and thank you for spotting this obvious issue here.

It checks for the following:

all(http.request.headers["x-api-key"][*] ne "")

It’s supposed to let by only requests with the x-api-key header, but I’m not convinced now that ne “” is interpreted as NOT NULL.

The problem with that expression is that it is true when the header does not exist.

all(http.request.headers["x-api-key"][*] ne "")

This matches if, for all occurrences of the x-api-key header, it is not Null. This is satisfied by it not appearing.

What do you want? Block all requests that don’t have the correct header, or allow all requests that have the correct header?

This expression would check that the header actually exists:

(any(http.request.headers.names[*] == "x-api-key")
and
all(http.request.headers["x-api-key"][*] ne ""))
2 Likes

Hello, thank you for the precision. I tried the expression you provided but it says it’s invalid.

The expression worked for me. I added linebreaks here for better readability that you’d have to remove before using it.

Sorry but for me it doesn’t work:
[screenshot: 2024-05-07_14h11_48]

Pressing “Use expression builder” tries to convert the expression you have entered into the field/operator/value drop downs that appear by default. Since http.request.headers.names isn’t in the drop down, you can’t do that (which is what the message box is trying to tell you). Just enter the expression as you have done and press “Deploy”.

Just double check your hyphens are hyphens by deleting and re-typing them, they look a little short so just make sure they are ASCII and not some Unicode dash that’s been created during copy and paste.

2 Likes

Brilliant. I had no idea some of the rules weren’t compatible with the builder.

Here is what I have with the other part of the rule I needed. I could deploy it.

(http.request.uri contains "/api/v1.0/Server/") 
or
(
  any(http.request.headers.names[*] == "x-api-key") 
  and 
  all(http.request.headers["x-api-key"][*] ne "")
)

Now that I think about it, this could really be simplified to:

(any(http.request.headers["x-api-key"][*] ne ""))

Not tested, but it only makes sense.

I didn’t think of this initially because in my mind, all() was “obviously” more strict than any(). But if I actually think about it, it’s not.
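The behaviour discussed in this thread (all() being vacuously true when the header is absent, and the later simplification to any()) can be checked offline. The block below is an added example and is not code from the thread or from Cloudflare; it models the quantifier semantics described above in plain Python. Assumptions: http.request.headers["name"][*] evaluates to the (possibly empty) list of values for that header, http.request.headers.names[*] yields lowercase header names, and all()/any() are the ordinary quantifiers. The sample requests are constructed for the example.

```python
# Added example, not part of the original thread or Cloudflare's code.
# Models the three rule expressions from the thread over sample requests
# to show which requests each one lets through.
# Assumption: header values are looked up case-insensitively by name and
# an absent header yields an empty list, so all() over it is vacuously true.

def header_values(headers, name):
    """Model of http.request.headers["name"][*]: every value sent for the
    header (case-insensitive name match); empty list if it is absent."""
    return [v for n, v in headers if n.lower() == name.lower()]


def header_names(headers):
    """Model of http.request.headers.names[*] (assumed lowercase)."""
    return [n.lower() for n, _ in headers]


def original_rule(headers):
    # all(http.request.headers["x-api-key"][*] ne "")
    # Vacuously true when the header is missing: the skip fires for everyone.
    return all(v != "" for v in header_values(headers, "x-api-key"))


def corrected_rule(headers):
    # any(http.request.headers.names[*] == "x-api-key")
    # and all(http.request.headers["x-api-key"][*] ne "")
    return (any(n == "x-api-key" for n in header_names(headers))
            and all(v != "" for v in header_values(headers, "x-api-key")))


def simplified_rule(headers):
    # any(http.request.headers["x-api-key"][*] ne "")
    # any() over an empty list is false, so a missing header no longer matches.
    return any(v != "" for v in header_values(headers, "x-api-key"))


# Constructed sample requests: each is a list of (name, value) header pairs.
SAMPLE_REQUESTS = {
    "no header":            [("host", "example.com")],
    "valid key":            [("host", "example.com"), ("x-api-key", "abc123")],
    "empty key":            [("host", "example.com"), ("x-api-key", "")],
    "duplicate, one empty": [("x-api-key", ""), ("x-api-key", "abc123")],
}


def evaluate_all(requests=SAMPLE_REQUESTS):
    """Return, per sample request, whether each expression would match."""
    return {
        label: {
            "original": original_rule(h),
            "corrected": corrected_rule(h),
            "simplified": simplified_rule(h),
        }
        for label, h in requests.items()
    }


if __name__ == "__main__":
    for label, result in evaluate_all().items():
        print(f"{label:22} {result}")
```

Running it shows the failure mode from the thread: "no header" matches the original expression but neither replacement. It also shows the one input on which the corrected and simplified forms differ, a request that sends the header twice with one empty value: the all()-based form rejects it, the any()-based form accepts it. Whether that matters depends on how the origin picks the value it validates; if it takes the first occurrence, the stricter all() form is the safer skip condition.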
