1 reply

Security WAF Rule to block requests that doesnt match full uri

I have the following rule on cloudflare Security WAF:

(http.request.full_uri ne "http://tunnel.xxx.com" and http.request.full_uri ne "https://tunnel.xxx.com")

(http.request.full_uri ne "http://tunnel.xxx.com" and http.request.full_uri ne "https://tunnel.xxx.com")

I also tried:

(http.request.full_uri ne "tunnel.xxx.com")

(http.request.full_uri ne "tunnel.xxx.com")

Checking the logs at

Security > Events

Security > Events

it doesnt show the full uri, just Host "tunnel.xxx.com" Path "/"

It should block any request that is not any of these uri

Im testing the rule with the following example request:

$headers = @{
    "X-Large-Header" = "A" * 1
    "User-Agent" = "WebSocket++/0.8.2"
    "Upgrade" = "websocket"
    "Connection" = "Upgrade"
    "Sec-WebSocket-Key" = "dGhlIHNhbXBsZSBub25jZQ=="
    "Content-Type" = "application/octet-stream"
}

Invoke-WebRequest -Uri "http://tunnel.xxx.com" -Method Get -Headers $headers -Verbose

$headers = @{
    "X-Large-Header" = "A" * 1
    "User-Agent" = "WebSocket++/0.8.2"
    "Upgrade" = "websocket"
    "Connection" = "Upgrade"
    "Sec-WebSocket-Key" = "dGhlIHNhbXBsZSBub25jZQ=="
    "Content-Type" = "application/octet-stream"
}

Invoke-WebRequest -Uri "http://tunnel.xxx.com" -Method Get -Headers $headers -Verbose

The rule is blocking the request, why?

I only have that rule active nothing else, turning it off the request succeeds, maybe at the WAF side the full uri is different?
How i could debug this issue?

Security WAF Rule to block requests that doesnt match full uri

I have the following rule on cloudflare Security WAF:

(http.request.full_uri ne "http://tunnel.xxx.com" and http.request.full_uri ne "https://tunnel.xxx.com")

(http.request.full_uri ne "http://tunnel.xxx.com" and http.request.full_uri ne "https://tunnel.xxx.com")

I also tried:

(http.request.full_uri ne "tunnel.xxx.com")

(http.request.full_uri ne "tunnel.xxx.com")

Checking the logs at

Security > Events

Security > Events

it doesnt show the full uri, just Host "tunnel.xxx.com" Path "/"

It should block any request that is not any of these uri

Im testing the rule with the following example request:

$headers = @{
    "X-Large-Header" = "A" * 1
    "User-Agent" = "WebSocket++/0.8.2"
    "Upgrade" = "websocket"
    "Connection" = "Upgrade"
    "Sec-WebSocket-Key" = "dGhlIHNhbXBsZSBub25jZQ=="
    "Content-Type" = "application/octet-stream"
}

Invoke-WebRequest -Uri "http://tunnel.xxx.com" -Method Get -Headers $headers -Verbose

$headers = @{
    "X-Large-Header" = "A" * 1
    "User-Agent" = "WebSocket++/0.8.2"
    "Upgrade" = "websocket"
    "Connection" = "Upgrade"
    "Sec-WebSocket-Key" = "dGhlIHNhbXBsZSBub25jZQ=="
    "Content-Type" = "application/octet-stream"
}

Invoke-WebRequest -Uri "http://tunnel.xxx.com" -Method Get -Headers $headers -Verbose

The rule is blocking the request, why?

I only have that rule active nothing else, turning it off the request succeeds, maybe at the WAF side the full uri is different?
How i could debug this issue?

Security WAF Rule to block requests that doesnt match full uri

Similar Threads

Security WAF Rule to block requests that doesnt match full uri

Similar Threads

Similar Threads

Similar Threads