WAF rules on .pages.dev domain
I have noticed that WAF rules for a custom page domain apply to it, but can be bypassed via the .pages.dev subdomain, as they do not apply there. Is there a way to apply the WAF rules there as well, since it is not possible to disable the .pages.dev domain.
The WAF rules for my page custom domain are quite useless if they can be bypassed via the subdomain.
(If there was already something about this topic and I have not found it here, sorry)
16 Replies
You can’t use WAF on pages.dev but you can disable it by putting access in front of it https://developers.cloudflare.com/pages/platform/known-issues/#enabling-access-on-your-pagesdev-domain
Known issues · Cloudflare Pages docs
Here are some known bugs and issues with Cloudflare Pages:
the last time I did this (for
mypage.pages.dev
), my custom domain was also affected by this policy (for the deployments under *.mypage.pages.dev
I already have access policies)
but I will try againif I create the rule like this, my custom domain will also be blocked
oh okay, my bad https://cdn.f3lix.net/d/GMzCGEvT
any ideas? (custom domain, allow everyone) https://cdn.f3lix.net/d/uWvkcgIB
Try removing the domain that doesn't have the the
*
but this is the domain I want to protect? (
mypage.pages.dev
)Are you doing this manually or through the pages?
so i want to protect this:
mypage.pages.dev
*.mypage.pages.dev
but not this one:
mypage.com
but with the rule for the .pages.dev domains also
mypage.com
is protected. if i create a second application for the custom domain i will still be asked for auth despite allow/bypass everyonecreated via page settings https://cdn.f3lix.net/d/gBkMhEuc
Weird just deleted and re-setup and seeing the same behavior when it was fine before.
Do you want your Pages.dev to be accessible?
If so, you can use https://developers.cloudflare.com/pages/how-to/redirect-to-custom-domain/
Redirecting *.pages.dev to a Custom Domain · Cloudflare Pages docs
Learn how to use Bulk Redirects to redirect your *.pages.dev subdomain to your custom domain (example.com). You may want to do this to ensure that …
^ I was wrong. You can't access the root level
pages.dev
while allowing the custom domain. You just redirect the root level oneAnd you can even make it redirect all of the branches and individual releases too, if you tick Include Subdomains