WAF custom rules and security events

Scenario

A customer has an exposed admin path and wants quick edge protection without changing the application. The goal is to block or challenge access before the request reaches the origin or application.

Objective

Create a Cloudflare WAF custom rule that protects /admin by blocking untrusted requests while allowing access from a trusted source IP placeholder, TRUSTED_SRC_IP. Validate that the edge rule blocks unauthorized requests, confirm Cloudflare enforced the policy at the edge, and use Security Events to identify which rule matched.

Outcomes

• Created a WAF custom rule for the exposed admin path.
• Matched requests where the URI path starts with /admin.
• Applied a blocking action at the Cloudflare edge.
• Validated the block using curl.
• Confirmed that Cloudflare returned the security response before application handling.
• Reviewed Security Events to prove the rule fired.

Environment / Build

• Zone: ybarra-cflab.com
• Protected hostname: www.ybarra-cflab.com
• Protected path: /admin
• Cloudflare product area: Security → WAF → Custom rules
• Rule name: Restrict admin lab path by trusted source IP
• Expression: (starts_with(http.request.uri.path, "/admin") and ip.src ne TRUSTED_SRC_IP)
• Action: Block

Demonstrable Content

Validate the protected admin path:

curl -I https://www.ybarra-cflab.com/admin

Expected unauthorized result:
HTTP/2 403

This 403 is the correct successful outcome when the request does not come from the trusted source IP. It proves Cloudflare WAF is enforcing the admin-path restriction at the edge.

Expected result:

HTTP/2 403
server: cloudflare

Validate that the normal site still works:

curl -I https://www.ybarra-cflab.com/

What Was Completed

• WAF custom rule created for the exposed admin path.
• /admin path protected at the Cloudflare edge.
• TRUSTED_SRC_IP trusted-source access model documented.
• Trusted source IP validated as allowed.
• Non-trusted source IP validated as blocked.
• HTTP 403 block response confirmed with curl.
• Normal public site traffic confirmed working.
• Security Events reviewed to confirm the rule fired.

Lab 5 Technical Summary

Lab 5 implemented edge-based access control for the /admin path using a Cloudflare WAF custom rule. The rule evaluates both the request path and the request source IP before the request reaches the application.

The final expression used was:

(starts_with(http.request.uri.path, "/admin") and ip.src ne TRUSTED_SRC_IP)

This means requests to /admin are blocked unless they come from TRUSTED_SRC_IP. Access from TRUSTED_SRC_IP was tested and allowed, confirming that the trusted administrative source can still reach the protected path. Access from a non-trusted source IP was also tested and blocked with an HTTP 403, confirming that unauthorized admin access is denied at the Cloudflare edge.

This demonstrates a precise path-and-source-IP security policy rather than a broad blanket block, while keeping the public site available and avoiding application code changes.

Lab 5 Customer-Facing Summary

We protected the admin area of the site so it is not openly reachable from the public Internet. Cloudflare now checks both the requested path and the source IP before allowing access to /admin.

When the request comes from TRUSTED_SRC_IP, access is allowed. When the request comes from a non-trusted source IP, Cloudflare blocks it before it reaches the application.

We tested both outcomes successfully: the trusted source IP was allowed, and a non-trusted source IP was blocked with a 403 response. This gives the customer a safer admin-access model without requiring application changes, while keeping the public site working normally.