
Premise:

  • I have an existing application with its own ACL.
  • I've also implemented the CloudFlare WAF.
  • My client's organization has not yet implemented a VPN.

We are seeing a lot of false positives from the WAF for normal behavior in the application's Administration panel, and because there is no predictable IP or set of IPs we can whitelist, we're struggling to unblock Administrators without turning the WAF settings down too low.

I'd like to set up something like HMAC validation, but that seems to assume that the URL of every request includes the MAC hash. Instead, I'd like to store that MAC hash in a cookie and use something like the user's IP address as the message. It would look something like this:

  1. User loads the Administration panel's login page
  2. User authenticates with the panel's ACL
  3. The first page load of the panel adds a cookie with the token {time}-{hash}, where {hash} is base64_encode(hash_hmac("sha256", $userIpAddress . $time, $secret, true)) (PHP)
  4. Future requests from the Administrator's browser include this token cookie. CloudFlare's Firewall Rules check is_timed_hmac_valid_v0 [documentation] using ip.src as the message and compare the hash to the specific cookie.

Part of the challenge I'm facing here is that I seem to only be able to use the entire cookie string like http.cookie and can't use the values of individual cookies.

How can I use the ACL of my application to inform CloudFlare that it should allow all requests from that user to bypass the WAF?
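As an added example (not code from the question, from Cloudflare, or from the asker's application), the following Python sketch shows the origin-side half of the scheme described above: minting the {time}-{hash} token from step 3 (base64 of HMAC-SHA256 over the client IP concatenated with the timestamp), verifying it with a TTL and a constant-time comparison, and pulling one named cookie out of a Cookie header. The secret, IP addresses, cookie name and TTL are constructed values, and the exact message layout that is_timed_hmac_valid_v0 expects is deliberately not reproduced; the functions only mirror the PHP expression in the question.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed secret for this example only; a real deployment loads it from a secret store.
SECRET = b"example-shared-secret-not-for-production"


def mint_token(ip: str, secret: bytes = SECRET, now: Optional[int] = None) -> str:
    """Return a '{time}-{hash}' token binding the client IP to a timestamp.

    hash = base64(HMAC-SHA256(secret, ip || time)), which mirrors the PHP
    hash_hmac("sha256", $userIpAddress . $time, $secret, true) in the question.
    """
    ts = int(time.time()) if now is None else now
    mac = hmac.new(secret, f"{ip}{ts}".encode(), hashlib.sha256).digest()
    return f"{ts}-{base64.b64encode(mac).decode()}"


def verify_token(token: str, ip: str, ttl: int,
                 secret: bytes = SECRET, now: Optional[int] = None) -> bool:
    """Recompute the MAC for the observed IP and the timestamp carried in the token.

    Rejects malformed tokens, tokens older than ttl seconds, tokens dated in the
    future, and any MAC mismatch (compared in constant time).
    """
    try:
        ts_str, mac_b64 = token.split("-", 1)
        ts = int(ts_str)
        provided = base64.b64decode(mac_b64, validate=True)  # binascii.Error is a ValueError
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if ts > current or current - ts > ttl:
        return False
    expected = hmac.new(secret, f"{ip}{ts}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, provided)


def cookie_value(cookie_header: str, name: str) -> Optional[str]:
    """Extract one cookie's value from a raw Cookie header ('a=1; b=2').

    Cloudflare rules may only expose the whole header as http.cookie; at the
    origin the individual value can still be isolated like this.
    """
    for part in cookie_header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key == name:
            return value
    return None


if __name__ == "__main__":
    # Constructed walkthrough: an admin at 203.0.113.7 gets a token, presents it later.
    issued_at = 1_700_000_000
    token = mint_token("203.0.113.7", now=issued_at)
    header = f"session=abc; admin_token={token}"
    presented = cookie_value(header, "admin_token")
    print("same IP, within TTL :", verify_token(presented, "203.0.113.7", ttl=3600, now=issued_at + 60))
    print("different IP        :", verify_token(presented, "203.0.113.8", ttl=3600, now=issued_at + 60))
    print("after TTL           :", verify_token(presented, "203.0.113.7", ttl=3600, now=issued_at + 3601))
```

Because the message is the client IP, the token stops validating as soon as the administrator's address changes (mobile networks, NAT pools, VPN egress rotation), which is the same unpredictability the question starts from; the TTL bounds how long a stolen cookie remains useful from the same address.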

neuro
Tyler V.

0 Answers