Is it possible to calculate a AWS-HMAC-SHA256 signature using a WAF rule? https://docs.aws.amazon.c

Is it possible to calculate a AWS-HMAC-SHA256 signature using a WAF rule?

https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html#create-signature-presign-entire-payload

Signature Calculations for the Authorization Header: Transferring P...

Authenticate requests using the HTTP authorization header to compute a checksum for smaller payloads.

D5•3/31/24, 10:16 PM

How I can report a typo/bad translation in Cloudflare translations?

D5•3/31/24, 10:17 PM

The new WAF challenge window translation says in my lang something like "Verification you're a human" instead of "Verifying you're a human" (that is the current phrase in english)

D5•3/31/24, 10:20 PM

So it fells weird

DD5 The new WAF challenge window translation says in my lang something like "Verific...

Erisa•3/31/24, 10:30 PM

Could you share which language, and what the current & expected translations are? I can pass it along

daveOP•3/31/24, 11:59 PM

why does the

http.request.uri.args["ttl"][0]

http.request.uri.args["ttl"][0]

not work?

(http.host eq "example.com" and not is_timed_hmac_valid_v0("removed", http.request.uri, http.request.uri.args["ttl"][0], http.request.timestamp.sec, 8))

(http.host eq "example.com" and not is_timed_hmac_valid_v0("removed", http.request.uri, http.request.uri.args["ttl"][0], http.request.timestamp.sec, 8))

Ddave Is it possible to calculate a AWS-HMAC-SHA256 signature using a WAF rule? https...

Karew•4/1/24, 1:30 AM

I don’t think so, the WAF doesn’t have access to your R2 tokens

KKarew I don’t think so, the WAF doesn’t have access to your R2 tokens

daveOP•4/1/24, 1:31 AM

all good, I ended up just doing a regular HMAC rule.

chientrm.com•4/1/24, 2:41 AM

ohm, I can't

Add domain

Add domain

more in my Access -> Applications

Tony Leung•4/1/24, 3:36 AM

hi guys, is there anyway to add

CORP

CORP

header to

.cloudflareaccess.com

.cloudflareaccess.com

preflight response?

EErisa Could you share which language, and what the current & expected translations are...

D5•4/1/24, 5:06 AM

Spanish.

Current translation:
Verificar que usted es un ser humano

Expected:
Verificando que usted es un ser humano

DD5 Spanish. Current translation: Verificar que usted es un ser humano Expected: ...

Erisa•4/1/24, 7:50 AM

Thanks!

DD5 Spanish. Current translation: Verificar que usted es un ser humano Expected: ...

Erisa•4/1/24, 8:32 AM

I passed this to the challenges team and they will fix the translation, thanks for your help

chientrm.com•4/1/24, 10:14 AM

It doesn't work

Cchientrm.com It doesn't work

Erisa•4/1/24, 11:50 AM

do you have a proxied DNS record?

Oom When are posts releasing? What time

Hello, I’m Allie!•4/1/24, 12:20 PM

Probably https://discord.com/channels/595317990191398933/1224053373532110949/1224281182666227722

daveOP•4/1/24, 1:07 PM

Do modified response headers resulting from a transform rule get cached?

Tony Leung•4/1/24, 2:21 PM

hi guys, how can I add CORP header to

.cloudflareaccess.com

.cloudflareaccess.com

response? My page is serving some assets from R2 custom domain and both of them are guarded by CF Access. Normally when I logged into my page (via zero trust) then content from R2 custom domain will automatically be authorized too. But now since my page has some requirements which needs COEP header to be

require-corp

require-corp

, I cant automatically authorize access to R2 domain anymore but manually going to that R2 domain then verify because the

.cloudflareaccess.com

.cloudflareaccess.com

domain does not contain CORP header

Tony Leung•4/1/24, 2:23 PM

this problem used to happen with turnstile but it was fix a while ago

daveOP•4/1/24, 2:23 PM

@Chaika r2

Do you think I could turn this into a redirect rule instead of a Worker?

I wish there was a way to use

cf.colo.region

cf.colo.region

.. that would make life so much easier.

Tony Leung•4/1/24, 2:24 PM

it's really inconvenient to force users to goto R2 custom domain.

Ddave @Chaika https://discord.com/channels/595317990191398933/940663374377783388/12229...

Chaika•4/1/24, 2:25 PM

lol yea it'd be nice. We don't even have colo name in ruleset engine atm

CChaika lol yea it'd be nice. We don't even have colo name in ruleset engine atm

daveOP•4/1/24, 2:25 PM

we actually do have

cf.colo.id

cf.colo.id

it seems

Chaika•4/1/24, 2:25 PM

yea but not name

Chaika•4/1/24, 2:25 PM

id is just the numerical number assigned, not the iata airport code

Chaika•4/1/24, 2:26 PM

you could potentially make an auto updating redirect rule using that though

CChaika yea but not name

daveOP•4/1/24, 2:26 PM

I couldn't figure it out, but couldn't we use lookup_json_string to convert the id to a name?

Ddave I couldn't figure it out, but couldn't we use lookup_json_string to convert the ...

Chaika•4/1/24, 2:27 PM

what would you be looking up off?

Chaika•4/1/24, 2:27 PM

like hardcoding the entire json list of colos, and then looking up for region?

CChaika like hardcoding the entire json list of colos, and then looking up for region?

daveOP•4/1/24, 2:27 PM

yes

CChaika id is just the numerical number assigned, not the iata airport code

daveOP•4/1/24, 2:27 PM

hmm, doesn't

substring(cf.ray_id, 17)

substring(cf.ray_id, 17)

get you most of the way there?

daveOP•4/1/24, 2:28 PM

I get MIAMIA for my location.

Original message was deleted

daveOP•4/1/24, 2:28 PM

it seems to complain that the json isn't dynamic too

Chaika•4/1/24, 2:29 PM

I think the end problems are the same though, what if it's a brand new colo not in that list?

Chaika•4/1/24, 2:30 PM

snippets would be a nice solution for this lol, one day

Chaika•4/1/24, 2:30 PM

not everything would nicely follow redirects either

CChaika I think the end problems are the same though, what if it's a brand new colo not ...

daveOP•4/1/24, 2:31 PM

hmm, is there a function to use that would fallback to a default region?

Chaika•4/1/24, 2:31 PM

if json lookup worked you could maybe embed the json in both the match and the replace to check if it exists first.

Original message was deleted

daveOP•4/1/24, 2:32 PM

bahaha I was thinking that too lol

Chaika•4/1/24, 2:32 PM

would need biz or higher though lol

daveOP•4/1/24, 2:32 PM

I want to ideally stick to pro-only things

Original message was deleted

daveOP•4/1/24, 2:33 PM

oh, that's an interesting idea

daveOP•4/1/24, 2:33 PM

hang on

daveOP•4/1/24, 2:33 PM

can't I do this with the substring and make it even easier?

daveOP•4/1/24, 2:34 PM

one sec

Chaika•4/1/24, 2:35 PM

I hate how restrictive the ruleset engine is lol

Chaika•4/1/24, 2:35 PM

so close so being super flexible and then it kneecaps itself

daveOP•4/1/24, 2:35 PM

substring(cf.ray_id, 17) in {"MIA" "EWR"}substring(cf.ray_id, 17) in {"MIA" "EWR"}

daveOP•4/1/24, 2:35 PM

this saves!

Is it possible to calculate a AWS-HMAC-SHA256 signature using a WAF rule? https://docs.aws.amazon.c

Similar Threads

Similar Threads

Similar Threads