Introduction

Cloudflare WAF blocks legitimate requests when managed rules are too aggressive or custom rules are misconfigured. This guide provides step-by-step diagnosis and resolution with specific commands and configuration examples.

Symptoms

Typical symptoms and error messages when this issue occurs:

```
HTTP 403 Forbidden
CF-RAY: 1234567890abcdef-WAW
WAF Rule ID: 12345 triggered
Action: block
```

Observable indicators:

  • CDN returns errors to end users
  • Content not being cached as expected
  • SSL or security configuration issues

Common Causes

Cloudflare issues are typically caused by:

  1. Cache rule or page rule conditions not matching requests
  2. WAF managed rules triggering false positives
  3. Worker script errors or timeout limits
  4. SSL certificate pending validation or CAA record blocking

Step-by-Step Fix

Step 1: Check Current State

```bash
curl -I -H "Host: example.com" https://example.com/path
```

Step 2: Identify Root Cause

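```bash
# Set ZONE_ID and CF_API_TOKEN in your shell first (placeholder variable names); the API rejects unauthenticated calls
curl -s -H "Authorization: Bearer $CF_API_TOKEN" "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/analytics/dashboard"
```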

Step 3: Apply Primary Fix

```
# Cloudflare WAF exception rule
Expression: (cf.client.bot) or (ip.src in {10.0.0.0/8})
Action: Skip
Rules to skip: All managed rules

# Or create firewall rule
Expression: (http.request.uri.path contains "/api/") and (ip.geoip.country in {"US" "GB"})
Action: Allow
```

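Apply this configuration in the CDN dashboard or via API. Adjust the addresses, paths and countries to your own traffic, and keep the expression as narrow as you can: every request it matches bypasses the skipped rules.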

Step 4: Apply Alternative Fix (If Needed)

```
# Alternative fix: adjust TTL
Edge-Cache-TTL: 3600
Stale-While-Revalidate: 86400
```

Step 5: Verify the Fix

After applying the fix, verify with:

```bash
# -s hides the progress meter; -i on grep matches header names regardless of case
curl -sI -H "Host: example.com" https://example.com/test | grep -iE "^HTTP/|cf-cache-status|cf-ray"
```

Expected output should show proper caching headers and successful content delivery.
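The triage behind Steps 2 and 3, as an added example that is not part of the original guide: it groups blocked events by rule ID and path prefix so an exception can be scoped to one rule and one path instead of all managed rules. The event field names, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample events, one JSON object per line (not real traffic).
# The field names are assumptions of this example; map them to your log export.
# Rule ID 12345 is the article's placeholder; 67890 is made up for contrast.
SAMPLE_EVENTS = """\
{"Action":"block","RuleID":"12345","ClientIP":"198.51.100.10","ClientRequestPath":"/api/orders"}
{"Action":"block","RuleID":"12345","ClientIP":"198.51.100.11","ClientRequestPath":"/api/orders/7"}
{"Action":"block","RuleID":"12345","ClientIP":"203.0.113.5","ClientRequestPath":"/api/users"}
{"Action":"log","RuleID":"12345","ClientIP":"198.51.100.12","ClientRequestPath":"/api/orders"}
{"Action":"block","RuleID":"67890","ClientIP":"203.0.113.99","ClientRequestPath":"/wp-login.php"}
{"Action":"block","RuleID":"67890","ClientIP":"203.0.113.99","ClientRequestPath":"/admin/setup.php"}
{"Action":"block","RuleID":"123
"""

def path_prefix(path):
    """Reduce a request path to its first segment, e.g. /api/orders/7 -> /api/."""
    parts = path.strip("/").split("/")
    return "/" + parts[0] + ("/" if len(parts) > 1 else "")

def summarize_blocks(lines):
    """Count blocked requests and distinct clients per (rule ID, path prefix)."""
    groups = defaultdict(lambda: {"hits": 0, "ips": set()})
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated log line
        if not isinstance(ev, dict) or ev.get("Action") != "block":
            continue
        key = (str(ev.get("RuleID", "unknown")), path_prefix(ev.get("ClientRequestPath") or "/"))
        groups[key]["hits"] += 1
        groups[key]["ips"].add(ev.get("ClientIP"))
    return groups

def skip_candidates(groups, min_hits=3, min_ips=2):
    """List rule/path pairs worth reviewing for a scoped skip (heuristic, not a verdict)."""
    out = []
    for (rule_id, prefix), g in sorted(groups.items()):
        if prefix == "/" or '"' in prefix or "\\" in prefix:
            continue  # too broad, or unsafe to embed in an expression string
        if g["hits"] >= min_hits and len(g["ips"]) >= min_ips:
            out.append({"rule_id": rule_id, "hits": g["hits"], "clients": len(g["ips"]),
                        "expression": f'(http.request.uri.path contains "{prefix}")'})
    return out

if __name__ == "__main__":
    for c in skip_candidates(summarize_blocks(SAMPLE_EVENTS.splitlines())):
        print(f"Rule {c['rule_id']}: {c['hits']} blocks from {c['clients']} clients -> skip only this rule where {c['expression']}")
```

A single client blocked on many unrelated paths, like the 67890 events here, does not qualify and stays blocked; review each candidate by hand before turning it into a skip rule.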

Common Pitfalls

  • Page rule URL pattern not matching requests
  • WAF rule ID 12345 too aggressive for API traffic
  • Worker timeout exceeded for large file processing
  • Always Use HTTPS causing redirect loops

Best Practices

  • Use Cache Rules instead of Page Rules for complex logic
  • Test WAF rules in log mode before blocking
  • Use Workers KV for stateful data
  • Enable Argo for improved performance