WAF rules not working!

brett.howells · November 4, 2022, 8:05pm

I have a few simple rules set up on one of our sites, and the rules never seem to work.
I have a rule that says :
(http.request.full_uri contains “wp-login”)
Show managed challenge.

I can hit the login page, and never see a challenge. I changed it to show legacy captcha, I never see that.

I also have a rate limiting rule for the same URL, and on 5 attempts from the same IP, show a managed challenge. I can hit this page 10+ times, and no challenge.
I even tried changing it to just block on both rules, I never see it block.

What am I doing wrong here?

sandro · November 4, 2022, 8:28pm

Are you sure the DNS entry in question is proxied? What’s the domain?

sandro · November 4, 2022, 9:04pm

Assuming you are referring to compare.com, then that URL would be properly blocked

And not a bad domain

brett.howells · November 7, 2022, 4:03pm

No this isnt for that domain. Its for our internal test environment.
I just tested the block again, still doesnt work.

(http.request.uri contains “wp-login.php”) = Managed Challenge.
Even tried just adding a block. I can access the page every time without a challenge.

sandro · November 7, 2022, 4:06pm

brett.howells · November 7, 2022, 4:25pm

I have an IP block in front of this rule, as it is a locked down test environment. So you will be blocked no matter what by that rule.
The issue I have is with the second rule in the list.

sandro · November 7, 2022, 4:26pm

Then it may be your rule order, only the first applicable rule fires.

Make sure the DNS entry is proxied and the rules have the right order and it will work without issue.

brett.howells · November 7, 2022, 4:46pm

I was not aware that if the first rule doesnt block, no other rules will fire.

So here is what I think is a perfectly reasonable scenario.
I want to block bot traffic with a rule. If we get certain traffic from an IP, block.
Then I want to show a managed challenge on a certain page.

What you are saying is, if the first rule allows the traffic, the second rule wont apply.
I cant combine the rules, because the first one is to block, the second one is to show a challenge.
So essentially I can only have one rule at a time.
That doesnt seem right. There must be a way to run multiple rules?!

sandro · November 7, 2022, 4:47pm

Don’t use an allow rule but configure your expression to only block requests which do not match your address.

brett.howells · November 7, 2022, 4:50pm

My rule order is :
Block if not from a known IP
Managed challenge if request is to the wp-login page

So if I dont get a block from the first one, the second doesnt run.

sandro · November 7, 2022, 4:53pm

No, but if the first rule fired the second one would not. But that should not apply here.

You really need to provide more information on your setup, otherwise it is impossible to advise you.

brett.howells · November 7, 2022, 4:58pm

I’m not sure what else you need?

I think its a perfectly reasonable use case to want to run multiple rules and for them to evaluate one at a time. Surely people have wanted to run a blocking rule, and if users get past that, then show a challenge on certain pages?

But if you are saying that if the first rule is passed, other rules wont be run, then I wont be able to do what I want to do in Cloudflare.

sandro · November 7, 2022, 5:00pm

I didn’t say that. I said if the first rule fires, subsequent rules won’t.

Anyhow, again, what’s the domain? And post screenshots of your firewall rule list as well as the firewall rules. Also, as I already asked, is it proxied? Are you sure you connect via Cloudflare at all?

brett.howells · November 7, 2022, 5:07pm

I am not sure what you mean by the proxy. We use Cloudflare for this site. It is set up correctly, all our traffic goes through Cloudflare.

The domain is www.comparequalitytest.com
The rules I have are as follows -

So if you visit this site and are not in the allowed IP list, you will get blocked.
If you pass that, so you are in the allowed IP list, then the second rule says if you visit the wp-login page, show a managed challenge.
That second rule never happens.

sandro · November 7, 2022, 5:10pm

Also screenshots of

You can redact the whitelisted IP address if you want.

brett.howells · November 7, 2022, 5:13pm

The IP’s are in a list anyway. But those are the two rules.

sandro · November 7, 2022, 5:20pm

All right, can you temporarily disable the blocking rule?

sandro · November 7, 2022, 5:23pm

And check if your DNS entries are all set to .

brett.howells · November 7, 2022, 7:26pm

Ok disabled the blocking rule. DNS entries are all correct.
I did see the challenge pop up on the first try at hitting wp-login. It hasnt popped up again, but I am guessing it now knows my IP.

sandro · November 7, 2022, 7:30pm

Challenge worked as expected

Did you maybe whitelist your address with the IP access rules?