MEDIUM
The severity is rated as MEDIUM because the issue stems from a configuration misunderstanding rather than a technical vulnerability. While it does present a risk, the real-world exploitability is low due to its dependency on misconfiguration and specific user actions. Patches are not necessary; instead, proper understanding and ordering of Cloudflare rules are required.

The article highlights the critical importance of understanding Cloudflare's rule order and its impact on security configurations. Specifically, it discusses a scenario where an Interactive Challenge (to prevent bot traffic) is placed before a Block rule meant to restrict access to sensitive endpoints such as /metrics for Prometheus metrics. The key issue here is that actions like Interactive Challenge are terminating actions; once executed, they stop the evaluation of any subsequent rules. Therefore, in this case, users could bypass the intended block by completing the challenge and gaining access to the restricted endpoint. To secure configurations properly, rules should be ordered with non-terminating actions first (like Block), followed by terminating ones (Interactive Challenge, JS Challenge, etc.). This ordering ensures that critical security measures like blocking are not overlooked.

Affected Systems
  • Cloudflare custom security rulesets
Affected Versions: All versions
Remediation
  • Reorder the Cloudflare rules to ensure non-terminating actions precede terminating ones. For example, use the following order: Skip, Block, Log, Redirect, Serve Error, Execute, Rewrite, Route, Set Configuration, Compress Response, Set Cache Settings, Log custom field, Interactive Challenge, JS Challenge, Managed Challenge.
  • Review existing rule sets in your Cloudflare dashboard to ensure no critical block rules are placed after terminating actions like Interactive Challenge or JS Challenge.
  • Document and train team members on the correct ordering of security rules within Cloudflare's Ruleset Engine.
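As an added illustration (not from the article or from Cloudflare), the following Python models the evaluation order described above: a challenge action that matches stops evaluation, so a Block rule listed after it for /metrics never fires, while the reordered list blocks the request before any challenge is reached. The rule names, the request dictionary, the predicate-based `expression` field (a stand-in for a Cloudflare filter expression) and the `reorder` and `find_shadowed_blocks` helpers are assumptions for this example; the action order is the one given in the remediation step.

```python
"""Added example: simulate Cloudflare-style rule evaluation order and lint
for Block rules that sit behind terminating challenge actions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Actions the article describes as terminating: once one matches,
# no later rule in the list is evaluated.
TERMINATING_ACTIONS = {"interactive_challenge", "js_challenge", "managed_challenge"}

# Preferred ordering taken from the remediation list (earlier = evaluated first).
PREFERRED_ORDER = [
    "skip", "block", "log", "redirect", "serve_error", "execute", "rewrite",
    "route", "set_configuration", "compress_response", "set_cache_settings",
    "log_custom_fields", "interactive_challenge", "js_challenge", "managed_challenge",
]


@dataclass
class Rule:
    name: str                              # hypothetical rule name
    action: str                            # one of PREFERRED_ORDER
    expression: Callable[[Dict], bool]     # stand-in for a Cloudflare filter expression


def evaluate(rules: List[Rule], request: Dict) -> Optional[str]:
    """Walk the rules in order and return the action that decides the request.

    A matching Block rejects the request outright. A matching challenge is
    terminating (per the article), so nothing after it runs. Other actions
    (log, set configuration, ...) fall through to the next rule.
    """
    for rule in rules:
        if not rule.expression(request):
            continue
        if rule.action == "block":
            return "block"
        if rule.action in TERMINATING_ACTIONS:
            return rule.action
    return None  # no decisive rule matched; request reaches the origin


def find_shadowed_blocks(rules: List[Rule]) -> List[Tuple[str, List[str]]]:
    """Flag every Block rule that appears after a challenge rule.

    The article's advice is unconditional (no Block after a challenge), so the
    check does not try to prove the two expressions overlap; it reports the
    Block rule together with the challenge rules listed before it.
    """
    findings = []
    challenges_seen: List[str] = []
    for rule in rules:
        if rule.action == "block" and challenges_seen:
            findings.append((rule.name, list(challenges_seen)))
        elif rule.action in TERMINATING_ACTIONS:
            challenges_seen.append(rule.name)
    return findings


def reorder(rules: List[Rule]) -> List[Rule]:
    """Stable-sort rules into the preferred action order, keeping the
    relative order of rules that share an action."""
    return sorted(rules, key=lambda r: PREFERRED_ORDER.index(r.action))


# Constructed sample: the misconfiguration from the article. The challenge
# applies to every request and is listed before the /metrics Block rule.
MISORDERED = [
    Rule("challenge-everyone", "interactive_challenge", lambda r: True),
    Rule("block-metrics", "block", lambda r: r["path"].startswith("/metrics")),
]
CORRECTED = reorder(MISORDERED)


if __name__ == "__main__":
    req = {"path": "/metrics"}
    print("misordered :", evaluate(MISORDERED, req))   # interactive_challenge
    print("corrected  :", evaluate(CORRECTED, req))    # block
    print("findings   :", find_shadowed_blocks(MISORDERED))
```

In the misordered list a visitor who solves the challenge is never evaluated against the /metrics Block rule; after `reorder`, the Block rule is first and the challenge still applies to every other path. The lint is the check to run over an exported rule list before changes are pushed to the dashboard.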
Stack Impact

For homelab setups using Cloudflare for security, it is crucial to configure rules correctly. Incorrect rule order can lead to unintended access to sensitive endpoints like /metrics, which can expose Prometheus metrics or other critical data.
