Whitelist URL Path From Custom ASN Block SOLVED

I use the custom rules a lot in WAF / Custom Rules. I made a rule that has the action Block. One of the main offenders of bot issues is AMAZON-AES so adding a block on ASN: 14618 is a must for me. However, some services use it and one service uses a wide range of IPs. I have been trying to allowlist a URL string while still maintaining the action Block.

So one of my other Custom rules is Skip (it used to be called Allow, but I guess that changed). Anyway, in that rule, I already have one rule for IP Source Added | is in list | fullllist. Then for the second rule, I have “And” URL Path | equals | /example/name.php, but that will not work.

So this is an example of the URL string: example.com/example/name.php?key=API&text=
After text= it’s always different. The rest is fixed.

I have tried the following with no success.

From looking in Events, it’s still saying:

Access rules: ASN / Action taken: Block
Host: example.com
Path: /example/name.php
Query string: ?key=API&text=

I don’t want to remove that ASN number from the block, but I do want the firewall to ignore the one URL API string so my webhook can make it through.

Adding the IPs it blocks to Tools / Action: Allow / This Website / Notes helps with those IPs getting through, but that’s not how I want to do things.

Does anyone have an idea to solve this? NOTE: I am using the free service of Cloudflare.

Paths shouldn’t have hostnames.

You should look into URI or Path “Does Not Contain”, or a path combined with a query string check.

Something close to this should work:

If you paste in the raw Expression here, we can help you fine tune it. It’s ok to keep specifying example.com if you don’t want to share your domain name.


URL Path should be like /example/name.php, not example.com/example/name.php.

URL Path should not contain query, nor scheme, nor host.
The path name begins with a single forward slash.
Example URI: https://example.com/path/to/myfile.html?key1=value1#somewhere

From the above example, /path/to/myfile.html is what you need to include.

Furthermore, remove the ASN from the IP Access Rules.
Create a WAF rule with “allow” for requests that match the ASN and whose URI Path contains /example/name.php, while the 2nd rule should block all the requests from the ASN.
Or vice versa. You could achieve it with the two WAF rules indeed.
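The two-rule layout described above, written out as Cloudflare custom-rule expressions. This is an added illustration, not the original poster's rules: the ASN 14618 and the path /example/name.php come from the thread, the query-string check on key=API is an optional tightening, and the field names ip.src.asnum, http.request.uri.path and http.request.uri.query are Cloudflare's rule-language fields (the Skip rule must sit above the Block rule, because custom rules are evaluated in list order).

```text
Rule 1 (action: Skip, placed first; configure it to skip "All remaining custom rules"
so the Block rule below is never evaluated for this webhook):

(ip.src.asnum eq 14618 and http.request.uri.path eq "/example/name.php" and http.request.uri.query contains "key=API")

Rule 2 (action: Block, placed after Rule 1; catches everything else from the ASN):

(ip.src.asnum eq 14618)
```

Keep the ASN out of Security / WAF / Tools (IP Access Rules): those run before custom rules, so a block there would never reach the Skip rule.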

Thanks for the reply, guys. What is the correct way of doing it?

This one is set to skip because allow no longer exists.

And this one is set to block with my existing blocks. I did have more for this example; this is what I have.

Both are set like that currently.

If your “Lists” rule is first, that’s a good skip.

Your Bad Bots / Full Block list doesn’t need the third part to block 14618 when the path contains /example/name.php, because that’s already blocked by your AS Num list.


Also, quick note: I did have AS14618 in IP Access Rules, as I saw blocks for Access rules: ASN. I pulled that one, so it should be custom only now.

That’s going to block everybody except AS14618 who tries to access /example/name.php (because of your earlier skip rule).

Do I even need to add that path at all in the “Bad Bots / Full Block” rule, or is the skip fine the way it is, and I can just leave the ASN block like this?

I have checked, and the URL worked with the skip function, as seen here. Thanks, guys. Helped out greatly. I’ll monitor it for a while.
