WAF and access rules
Cloudflare rules for saxobroko.com — geo blocking, SSL for tunnel services, and exceptions for auth and SaxDocs.
Dashboard: Websites → saxobroko.com → Security / Rules.
Rule overview
| Rule | Type | Purpose |
|---|---|---|
| block no aus | WAF custom rule | Block traffic not from Australia on homelab hosts |
| localnet full strict ssl | Configuration rule | Full (strict) SSL mode for tunnel-backed services |
| Skip geo for auth + docs | WAF / rule exceptions | Keep login and docs reachable outside AU when needed |
| Bot Fight Mode | Zone setting | Must stay off — breaks Cloudflare Access handshake |
Homelab URL list: Network. Adding a new tunnel host: append its hostname to block no aus and localnet full strict ssl — see Cloudflare.
block no aus
Security → WAF → Custom rules → block no aus
- Action: Block (or challenge) when country is not Australia
- Applies to: Most *.saxobroko.com homelab subdomains — Jellyfin, *arr, dash, vault, dsm, etc.
- Does not apply to: Intentionally public sites — see Public sites and exclusions below
From outside Australia, homelab apps return 403 by design. That is expected — see Common issues.
localnet full strict ssl
Rules → Configuration rules → localnet full strict ssl
- Sets SSL mode to Full (strict) for tunnel-backed hostnames
- Applies to: Services reached via Cloudflare Tunnel → TrueNAS / LAN
- Does not apply to: Cloudflare Pages (e.g. SaxDocs) — Pages terminates SSL at the edge on its own
When adding a subdomain, append its hostname to the host list in the rule expression (the rule is matched on hostname, so a tunnel host missing from the list falls back to the zone-wide SSL mode).
Geo exclusions — docs and auth
These hostnames are excluded from block no aus (or have dedicated skip rules) so login and documentation work worldwide:
| Hostname | Why |
|---|---|
| auth.saxobroko.com | Authentik — OIDC callbacks for Cloudflare Access and SSO; must stay reachable for Access login |
| docs.saxobroko.com | SaxDocs on Pages — public by default; Cloudflare Access adds app-level auth instead of geo block |
WAF skip rules for auth + docs are configured as described in Authentik. Do not put auth behind Access: Access redirects to Authentik to log in, so an Access policy on the auth host itself produces a login loop.
Other public marketing sites (blog, links, weather, etc.) are also outside block no aus — Public sites.
Bot Fight Mode
Must be off for Cloudflare Access + Authentik OIDC to work.
Bot Fight Mode cannot be bypassed with WAF skip rules. If Access shows a JS challenge instead of the Authentik login page, disable Bot Fight Mode:
- Zero Trust → Settings → Network, or
- Websites → saxobroko.com → Security
Details: Authentik troubleshooting.
SaxDocs protection (not WAF)
Geo block is not how SaxDocs is locked down. Cloudflare Access on docs.saxobroko.com uses Authentik OIDC — live today. WAF stays permissive for docs; Access enforces login.
Checklist — new tunnel hostname
- Add tunnel public hostname in Zero Trust
- Append hostname to localnet full strict ssl
- Append hostname to block no aus (unless intentionally public)
- Confirm Bot Fight Mode is still off if the app uses Access
- Test from incognito — AU should work; non-AU should 403 on homelab hosts only
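The append step in this checklist (and the same step under block no aus and localnet full strict ssl above) is easy to get wrong by hand: a host typed into one rule but not the other, a typo that silently matches nothing, or a geo-exempt host (auth, docs) added to the block rule. The script below is an added example for this page, not the site's own tooling. It edits the `http.host in {...}` host set of a Cloudflare rule expression idempotently, refuses hosts outside the zone, skips the geo rule for public or exempt hosts, and can push the result with the Rulesets API. The two sample expressions, the hostnames in them, the `CF_API_TOKEN` / `CF_ZONE_ID` environment variables, and the assumption that each rule is found by its description in the `http_request_firewall_custom` (WAF custom rules) and `http_config_settings` (configuration rules) phase entrypoints are all assumptions; the real expressions live in the dashboard.

```python
"""Append a tunnel hostname to the saxobroko.com Cloudflare rules.

Added example for this wiki page, not the site's own tooling. The rule
expressions below are ASSUMED reconstructions of "block no aus" and
"localnet full strict ssl"; the real ones live in the dashboard.
"""
import json
import os
import re
import urllib.request

ZONE = "saxobroko.com"
# Hostnames this page keeps out of the geo block (Geo exclusions section).
GEO_EXEMPT = {"auth.saxobroko.com", "docs.saxobroko.com"}

# Constructed sample expressions; the host lists are assumptions.
BLOCK_NO_AUS = ('(http.host in {"jellyfin.saxobroko.com" "dash.saxobroko.com"}) '
                'and ip.src.country ne "AU"')
LOCALNET_SSL = 'http.host in {"jellyfin.saxobroko.com" "dash.saxobroko.com"}'

# Ruleset phase that holds each rule type (assumed mapping).
PHASES = {
    "block no aus": "http_request_firewall_custom",     # WAF custom rules
    "localnet full strict ssl": "http_config_settings",  # configuration rules
}

_HOST_SET = re.compile(r'http\.host in \{([^}]*)\}')


def hosts_in(expression):
    """Return the hostnames listed in the expression's `http.host in {...}` set."""
    m = _HOST_SET.search(expression)
    if m is None:
        raise ValueError("no http.host in {...} set found in expression")
    return re.findall(r'"([^"]+)"', m.group(1))


def append_host(expression, hostname):
    """Add hostname to the host set, idempotently; reject hosts outside the zone."""
    hostname = hostname.strip().lower().rstrip(".")
    if not hostname.endswith("." + ZONE):
        raise ValueError(f"{hostname} is not under {ZONE}")
    current = hosts_in(expression)
    if hostname in current:
        return expression  # already covered, nothing to change
    new_set = " ".join(f'"{h}"' for h in current + [hostname])
    return _HOST_SET.sub(lambda _: "http.host in {" + new_set + "}", expression, count=1)


def new_tunnel_host(ssl_expr, geo_expr, hostname, public=False):
    """Checklist steps 2-3: always into the SSL rule, into the geo block unless public/exempt."""
    ssl_new = append_host(ssl_expr, hostname)
    exempt = public or hostname.strip().lower().rstrip(".") in GEO_EXEMPT
    geo_new = geo_expr if exempt else append_host(geo_expr, hostname)
    return ssl_new, geo_new


def push_host(zone_id, rule_name, hostname, token):
    """Apply append_host to the live rule via the Rulesets API (needs network; not run offline).
    The rule is located by its description inside the phase entrypoint ruleset."""
    base = f"https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets"
    hdrs = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    req = urllib.request.Request(f"{base}/phases/{PHASES[rule_name]}/entrypoint", headers=hdrs)
    with urllib.request.urlopen(req) as resp:
        ruleset = json.load(resp)["result"]
    rule = next(r for r in ruleset["rules"] if r.get("description") == rule_name)
    new_expr = append_host(rule["expression"], hostname)
    if new_expr == rule["expression"]:
        return False  # already present, no PATCH issued
    body = {k: rule[k] for k in ("action", "action_parameters", "description", "enabled") if k in rule}
    body["expression"] = new_expr
    req = urllib.request.Request(f"{base}/{ruleset['id']}/rules/{rule['id']}",
                                 data=json.dumps(body).encode(), headers=hdrs, method="PATCH")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["success"]


if __name__ == "__main__":
    # Dry run against the constructed expressions; push only when credentials are set.
    ssl_new, geo_new = new_tunnel_host(LOCALNET_SSL, BLOCK_NO_AUS, "vault.saxobroko.com")
    print(ssl_new)
    print(geo_new)
    if os.environ.get("CF_API_TOKEN") and os.environ.get("CF_ZONE_ID"):
        for rule in PHASES:
            push_host(os.environ["CF_ZONE_ID"], rule, "vault.saxobroko.com", os.environ["CF_API_TOKEN"])
```

The API token only needs zone-level WAF and Config Rules edit scopes for this zone; do not reuse a Global API Key. After a push, the last checklist step still applies: test the new host from inside and outside AU rather than trusting the expression alone, because a host in the SSL rule but missing from block no aus is reachable worldwide.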
Related
- Cloudflare — tunnels, Pages, adding sites
- Authentik — Access app for SaxDocs
- Public sites — which subdomains are public vs homelab