WAF custom rules

aaP_smithdayton

Exactly how do you get these to work. Nothing, absolutely nothing works. I've used every option and nothing will prevent the client from getting to the source that I've restricted with a custom rule.

Hakan010

I have this set up and it's working fine.

aaP_smithdayton

Then there is something wrong with my server configuration, because I'm using identical rules and my test client is unaffected by the rules and they are able to access the file regardless. I appreciate your post.

aaPanel_Kern

aaP_smithdayton
Hello,
Can you tell us the rules you set?
Does the website use Cloudflare?

aaP_smithdayton

Yes, I using Cloudflare behind zero trust tunnels.
My attempt to block attempts to scan for wordpress common paths and exploits. Here is one example

Using a client on vpn from some random location I attempt to validate the rule, but no matter how many attempts are made to the URI it succeeds. Here is a sample of the site access logs.

98.159.226.31 98.159.226.31 - [01/Feb/2026:20:36:39 -0800] ＂GET /wp-includes/wlwmanifest.xml HTTP/1.1＂ 404 30805 - ＂Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36 Edg/144.0.0.0＂
98.159.226.31 98.159.226.31 - [01/Feb/2026:20:36:40 -0800] ＂GET /favicon.ico HTTP/1.1＂ 404 30805 https://www.[redacted]/wp-includes/wlwmanifest.xml ＂Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36 Edg/144.0.0.0＂

If I'm doing this incorrectly, I'm all for being educated.
Thanks,

aaPanel_Kern

Please try using the full path /wp-includes/wlwmanifest.xml
WAF needs to enable the CDN option

aaP_smithdayton

I've attempted with the full path, trailing / and with regex. nothing appears to work.

Not sure what to try next.

aaPanel_Kern

Please confirm if this file exists? If the file does not exist, nginx will respond first.

aaP_smithdayton

Using similar security rules in Cloudflare will block the IP address, would prefer to manage the rules inside the panel.

aaPanel_Kern

Only custom rules don't take effect? Are other blocking rules in effect? What Nginx waf version are you using?aaP_smithdayton

aaP_smithdayton

a valid file still results in the client accessing the content. doesn't seem to matter if it exists or not

aaP_smithdayton

I would say yes, it only appears to be the custom rules. However, the web console doesn't show the 444 that are reported in the web access logs, unsure if this is expected behavior. So while I think the standard rules are being applied, I only see it if I look in the logs. Running Nginx WAF 9.8.1

aaPanel_Kern

Thanks for your feedback, we will check and test it