Introduction
Cloudflare WAF (Web Application Firewall) rules are essential for protecting web applications from various online threats and vulnerabilities. These rules are designed to filter and monitor HTTP traffic between a web application and the Internet, providing a layer of security that helps prevent attacks such as SQL injection, cross-site scripting (XSS), and other OWASP Top Ten threats. Cloudflare WAF rules can be customized to meet the specific needs of a website, allowing administrators to create tailored security policies that block malicious traffic while allowing legitimate requests. By leveraging Cloudflare's global network, these rules are applied in real-time, ensuring that web applications remain secure and performant even under high traffic conditions.
WAF Custom Rules
One can define different types of rules in the WAF (custom, rate limiting, etc.). However, the focus of this post is only on custom rules. Consider the following setup -
worker-1 is a Single Page Application (SPA) created using the newly introduced static assets feature of Cloudflare Workers. This SPA is exposed to the internet with the web1.mechcloud.dev custom domain.
service-1 is a REST API running as a container on an AWS Lightsail VM. It is exposed to the internet with the web1-api.mechcloud.dev custom domain.
worker-2 is a Cloudflare Worker which contains server-side code only. It represents another REST API which is exposed with the api1.mechcloud.dev custom domain but should be accessible from the service-1 REST API only.
app1-dev1 and app1-dev2 represent development environments of the app1 application, which are exposed with the app1-dev1.mechcloud.dev and app1-dev2.mechcloud.dev custom domains respectively.
worker-1 and service-1 together represent the production environment of an application, so these should be available to external users too. worker-2 is another production API which is meant to be accessible from service-1 only. Finally, the app1 development environments are meant to be accessed by internal users only.
Creating a WAF custom rule for the above requirement
In order to make sure that the dev environments are not accessible from IPs other than those belonging to the internal users, we can create a custom WAF rule using the following prompts -
List Accounts
list all account
We will start by listing all the accounts so that we can use account names instead of account IDs in the next steps. This feature is called resource ID alias. It allows you to use easy-to-read resource names in a prompt, which are then replaced by the corresponding IDs before the prompt is executed. This makes a prompt easier to remember and also makes it clear which resources are being referenced, unlike raw resource IDs, which may cause a prompt to be executed in the context of the wrong resource. Here is a sample response of the above prompt -
In the response above, you'll notice that the name column has a Prefix defined after its name. This indicates that the values in this column can be used as resource ID aliases, formatted as @<resource_prefix>|<resource_name>. For example, the resource ID alias for the MechCloud Academy account would be @Account|MechCloud Academy, which you can use wherever a resource ID is needed. You'll also see that the values in the id and name columns are underlined, meaning you can copy them to the clipboard by simply clicking on them.
You also have a switch to toggle between the raw response received from the Cloudflare API and a UI component that displays this raw response in a table format.
List Zones
Although Cloudflare supports both account-level and zone-level WAF custom rules, we will focus on zone-level custom rules only, because account-level custom rules are available in the Enterprise plan only while zone-level custom rules are available in all plans, including the free plan. A zone is nothing but the root domain, which you can buy from either Cloudflare or any other domain registrar (in the latter case you will need to add the domain to the Cloudflare dashboard manually).
List all the zones in the MechCloud Academy account using the following prompt -
list all zones under '@Account|MechCloud Academy' account
List Rulesets
Now list all the rulesets in the mechcloud.dev zone using the following prompt -
list rulesets in '@Zone|mechcloud.dev' zone
As you can see in the table above, multiple built-in rulesets can have the same name (e.g., default). Therefore, we will identify a ruleset by the name of the phase it belongs to in the following prompts. You can read more about phases in the Cloudflare rules engine here.
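The alias substitution described above (a @<resource_prefix>|<resource_name> token replaced by the matching ID before the prompt runs) has to refuse the ambiguous case just mentioned, where several rulesets share a name. The following is an added illustration of that behaviour in Python, not the MechCloud agent's own code; the inventory rows and the IDs in them are constructed placeholders.

```python
import re
from collections import defaultdict

# Alias syntax from the post: @<resource_prefix>|<resource_name>, written inside single quotes.
ALIAS_RE = re.compile(r"'@(?P<prefix>[A-Za-z]+)\|(?P<name>[^']+)'")

# Constructed inventory standing in for the tables the agent lists.
# The IDs are placeholders, not real Cloudflare identifiers. Rulesets are keyed by
# phase name (as the post does) for the custom phase, and two built-in rulesets share
# the name "default" to reproduce the ambiguity the post points out.
INVENTORY = [
    ("Account", "MechCloud Academy", "ACCOUNT_ID_PLACEHOLDER"),
    ("Zone", "mechcloud.dev", "ZONE_ID_PLACEHOLDER"),
    ("ZoneRuleset", "http_request_firewall_custom", "RULESET_ID_PLACEHOLDER_1"),
    ("ZoneRuleset", "default", "RULESET_ID_PLACEHOLDER_2"),
    ("ZoneRuleset", "default", "RULESET_ID_PLACEHOLDER_3"),
]


class AliasError(ValueError):
    """Raised when an alias cannot be resolved to exactly one resource ID."""


def build_index(inventory):
    """Group all IDs under (prefix, name) so duplicate names are visible."""
    index = defaultdict(list)
    for prefix, name, resource_id in inventory:
        index[(prefix, name)].append(resource_id)
    return index


def resolve_aliases(prompt: str, inventory=INVENTORY) -> str:
    """Replace every alias in the prompt with its ID, or fail rather than guess."""
    index = build_index(inventory)

    def replace(match):
        key = (match.group("prefix"), match.group("name"))
        ids = index.get(key, [])
        if not ids:
            raise AliasError(f"no {key[0]} named {key[1]!r}")
        if len(ids) > 1:
            # Several resources share this name: running against an arbitrary one
            # would be the "wrong resource" problem aliases are meant to avoid.
            raise AliasError(f"{key[0]} name {key[1]!r} is ambiguous ({len(ids)} matches)")
        return f"'{ids[0]}'"

    return ALIAS_RE.sub(replace, prompt)
```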
Create a WAF Custom Rule
http_request_firewall_custom is the phase which WAF custom rules are linked to. So we will create our custom rule under this phase using the following prompt -
Create a rule under '@ZoneRuleset|http_request_firewall_custom' ruleset of '@Zone|mechcloud.dev' zone with following details -
description - Block private applications from non personal ips
expression - "(not http.host in {\"web1.mechcloud.dev\" \"web1-api.mechcloud.dev\"} and not ip.src in $personal_ips)"
action - block
The prompt assumes we have already created an IP list named personal_ips containing the fixed IP addresses of the developers. Instead of listing the custom domains for worker-2 and the app1 development environments, we have listed the custom domains of the public web application and API and negated the match. This approach is used because there will only be a few public web applications/APIs, while there will be many private APIs and web applications. It is also convenient because new development environments and internal APIs will need to be set up from time to time, and the rule will automatically cover these new web applications/APIs without needing to update the custom domains in the expression above.
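To review what the expression in the prompt actually admits before deploying it, here is an added example (not from the post or the MechCloud agent) that mirrors the rule's logic in Python over the hosts from the setup above. The contents of $personal_ips and the client addresses are constructed documentation-range values.

```python
import ipaddress

# The two public hosts named in the rule expression from the post; every other host on
# the zone (worker-2, app1-dev1, app1-dev2, future dev hosts) is covered by the negation.
PUBLIC_HOSTS = {"web1.mechcloud.dev", "web1-api.mechcloud.dev"}

# Constructed stand-in for the $personal_ips IP list (documentation ranges, not real developer IPs).
PERSONAL_IPS = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "198.51.100.0/24")]


def ip_in_list(src_ip: str, networks) -> bool:
    """Equivalent of `ip.src in $personal_ips` for a list of CIDR entries (v4 or v6)."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in networks)


def rule_matches(host: str, src_ip: str) -> bool:
    """Mirror of the expression from the prompt:
    not http.host in {"web1.mechcloud.dev" "web1-api.mechcloud.dev"} and not ip.src in $personal_ips
    Host names are compared exactly, as the `in {...}` set operator does."""
    return host not in PUBLIC_HOSTS and not ip_in_list(src_ip, PERSONAL_IPS)


def decide(host: str, src_ip: str) -> str:
    """Action taken: 'block' when the expression matches, otherwise the request passes."""
    return "block" if rule_matches(host, src_ip) else "allow"


def decision_matrix(hosts, src_ips):
    """Evaluate every host/client combination, the table you want to look at before saving the rule."""
    return {(host, ip): decide(host, ip) for host in hosts for ip in src_ips}


if __name__ == "__main__":
    hosts = ["web1.mechcloud.dev", "web1-api.mechcloud.dev", "api1.mechcloud.dev",
             "app1-dev1.mechcloud.dev", "app1-dev2.mechcloud.dev"]
    clients = {"developer": "203.0.113.10", "external user": "192.0.2.50"}
    for (host, ip), action in decision_matrix(hosts, clients.values()).items():
        who = next(name for name, addr in clients.items() if addr == ip)
        print(f"{who:14s} -> {host:26s} {action}")
```

The matrix shows that api1.mechcloud.dev is treated exactly like the development hosts, so service-1 can only reach worker-2 if the address it calls from is also present in the list.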
Getting Details of the Newly Created WAF Rule
You can get the details of the newly created custom rule using the following prompt, which lists the rules under a ruleset associated with the http_request_firewall_custom phase:
show details of '@ZoneRuleset|http_request_firewall_custom' ruleset under '@Zone|mechcloud.dev' zone
Deleting a Newly Created Custom Rule
Finally, you can delete the newly created rule using the following prompt:
delete '<rule_id>' rule under '@ZoneRuleset|http_request_firewall_custom' ruleset under '@Zone|mechcloud.dev' zone
While custom rules have descriptions, they do not have names, so we used the custom rule ID in the prompt above.
Demo
Conclusion
In conclusion, managing Cloudflare Zone WAF rules using the MechCloud REST Agent provides a robust and flexible approach to securing web applications. By leveraging custom WAF rules, administrators can tailor security policies to meet specific needs, ensuring that only legitimate traffic is allowed while blocking potential threats. The process of listing accounts, zones, and rulesets, as well as creating, retrieving, and deleting custom rules, is streamlined through the use of resource ID aliases and intuitive prompts. This not only enhances security but also simplifies the management of web application firewalls, making it accessible even to those on the free Cloudflare plan. By implementing these practices, organizations can effectively protect their web applications from a wide range of online threats, ensuring both security and performance.