Before jumping into this article, please take a look at the following Cloudflare ruleset and think for a while about what is wrong with it.
I set up the above rules and thought they would work like this:
At first glance it seems perfectly fine. The website administrator wants to challenge users opening the website in order to prevent bot traffic. Additionally, he specifies a rule that blocks access to the /metrics endpoint to prevent unauthorized access to Prometheus metrics. I was surprised when I enabled both rules and this happened:
What is going on here?! The Block rule was never executed, and anyone could access my precious /metrics endpoint! Let me explain what is going on. The Cloudflare Rules language defines several actions; an action is what Cloudflare does when a rule matches a request. Currently, the following actions are allowed for custom security rules:
Interactive Challenge
JS Challenge
Managed Challenge
Block
Skip
Log