Spike - Investigate Cloudflare Firewall
Overview
Results from a spike looking into Cloudflare firewall rules for GraphQL. The aim of the spike is to review the firewall rules and zone lockdowns set up in Cloudflare and the potential work to be done regarding the new implementation.
Firewall rule and zone lockdowns for GraphQL
- Rapha.cc:
- Firewall rule:

The rules we are concerned about are:
- http.request.uri.path contains "/graphql/"
- http.request.uri.path contains "/raphacommercewebservices/"
- http.request.full_uri contains "raphacommercewebservices"
- http.request.uri.path contains "/search/"
- http.request.uri.path contains "/category/jerseys/allresults"
which would give us access to the GraphQL hybris endpoints defined here:
The rule bypasses the zone lockdown (which allows a user to dynamically disable Cloudflare security features for a request) and the WAF managed rules (which identify and remove suspicious activity for HTTP GET and POST requests).
Question
Shouldn't we have something like -> /category/${pageCategory}/allresults rather than just /category/jerseys/allresults?
- Zone lockdowns:
Zone Lockdown specifies a list of one or more IP addresses, CIDR ranges, or networks that are the only IPs allowed to access a domain, subdomain, or URL. Zone Lockdown allows multiple destinations in a single rule as well as IPv4 and IPv6 addresses. IP addresses not specified in the Zone Lockdown rule are denied access to the specified resources.
A zone lockdown has been created for 35.234.133.207 (one of the UAT EIPs) under the ALPHA BLOCK and UAT Block zone lockdowns. No zone lockdowns were created for 35.241.20.180 (the second UAT EIP) or for 35.242.180.235 and 35.244.163.141 (the two Prod EIPs).


Question
Should we create a zone lockdown for 35.241.20.180 as well as for the Prod EIPs (35.242.180.235, 35.244.163.141) and then bypass the zone lockdowns in a firewall rule?
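As an added check (not part of the spike), the script below takes a zone lockdown listing in the shape of the Cloudflare lockdown API response and reports which of the four EIPs above are not covered by any active lockdown. The field names, lockdown ids and URLs are assumed; the sample data is constructed to mirror the state described above.

```python
import ipaddress
import json

# Constructed sample modelled on the Cloudflare zone lockdown listing
# (GET /zones/{zone_id}/firewall/lockdowns). Field names, ids and URLs are
# assumptions; only the descriptions and IPs come from the spike.
SAMPLE_LOCKDOWNS_JSON = """
{
  "result": [
    {"id": "ld-alpha", "description": "ALPHA BLOCK", "paused": false,
     "urls": ["alpha.example.invalid/*"],
     "configurations": [{"target": "ip", "value": "35.234.133.207"}]},
    {"id": "ld-uat", "description": "UAT Block", "paused": false,
     "urls": ["uat.example.invalid/*"],
     "configurations": [{"target": "ip", "value": "35.234.133.207"}]}
  ]
}
"""

# Egress IPs from the spike and the environment each belongs to.
REQUIRED_EIPS = {
    "35.234.133.207": "UAT",
    "35.241.20.180": "UAT",
    "35.242.180.235": "Prod",
    "35.244.163.141": "Prod",
}

def lockdown_networks(lockdowns):
    """Yield (description, network) for every active IP or CIDR configuration."""
    for ld in lockdowns:
        if ld.get("paused"):
            continue  # a paused lockdown protects nothing
        for cfg in ld.get("configurations", []):
            if cfg.get("target") in ("ip", "ip_range"):
                yield ld["description"], ipaddress.ip_network(cfg["value"], strict=False)

def lockdown_coverage(lockdowns_json, required):
    """Map each required EIP to the sorted descriptions of lockdowns that contain it."""
    nets = list(lockdown_networks(json.loads(lockdowns_json)["result"]))
    return {ip: sorted(desc for desc, net in nets if ipaddress.ip_address(ip) in net)
            for ip in required}

def missing_lockdowns(lockdowns_json, required):
    """Return {eip: environment} for every required EIP no active lockdown covers."""
    cov = lockdown_coverage(lockdowns_json, required)
    return {ip: env for ip, env in required.items() if not cov[ip]}

if __name__ == "__main__":
    for ip, descs in lockdown_coverage(SAMPLE_LOCKDOWNS_JSON, REQUIRED_EIPS).items():
        print(f"{ip:16} {REQUIRED_EIPS[ip]:5} -> {descs or 'NOT COVERED'}")
```

Against the constructed sample the three uncovered EIPs are exactly the ones the question above asks about; point the same function at a real listing to re-check after lockdowns are added.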
How to modify if need be?
Zone lockdowns are located under Security -> WAF -> Tools, then Zone Lockdown.

Firewall rules are located under Security -> WAF -> Firewall rules.
