I have a few simple rules set up on one of our sites, and the rules never seem to work.
I have a rule that says :
(http.request.full_uri contains “wp-login”)
Show managed challenge.
I can hit the login page, and never see a challenge. I changed it to show legacy captcha, I never see that.
I also have a rate limiting rule for the same URL, and on 5 attempts from the same IP, show a managed challenge. I can hit this page 10+ times, and no challenge.
I even tried changing it to just block on both rules, I never see it block.
I was not aware that if the first rule doesnt block, no other rules will fire.
So here is what I think is a perfectly reasonable scenario.
I want to block bot traffic with a rule. If we get certain traffic from an IP, block.
Then I want to show a managed challenge on a certain page.
What you are saying is, if the first rule allows the traffic, the second rule wont apply.
I cant combine the rules, because the first one is to block, the second one is to show a challenge.
So essentially I can only have one rule at a time.
That doesnt seem right. There must be a way to run multiple rules?!
I think its a perfectly reasonable use case to want to run multiple rules and for them to evaluate one at a time. Surely people have wanted to run a blocking rule, and if users get past that, then show a challenge on certain pages?
But if you are saying that if the first rule is passed, other rules wont be run, then I wont be able to do what I want to do in Cloudflare.
I didn’t say that. I said if the first rule fires, subsequent rules won’t.
Anyhow, again, what’s the domain? And post screenshots of your firewall rule list as well as the firewall rules. Also, as I already asked, is it proxied? Are you sure you connect via Cloudflare at all?
So if you visit this site and are not in the allowed IP list, you will get blocked.
If you pass that, so you are in the allowed IP list, then the second rule says if you visit the wp-login page, show a managed challenge.
That second rule never happens.