WAF and access rules

Cloudflare rules for saxobroko.com — geo blocking, SSL for tunnel services, and exceptions for auth and SaxDocs.

Dashboard: Websites → saxobroko.com → Security / Rules.

Rule overview

| Rule | Type | Purpose |
| --- | --- | --- |
| block no aus | WAF custom rule | Block traffic not from Australia on homelab hosts |
| localnet full strict ssl | Configuration rule | Full (strict) SSL mode for tunnel-backed services |
| Skip geo for auth + docs | WAF / rule exceptions | Keep login and docs reachable outside AU when needed |
| Bot Fight Mode | Zone setting | Must stay off; it breaks the Cloudflare Access handshake |

Homelab URL list: see Network. Adding a new tunnel host: append its hostname to both block no aus and localnet full strict ssl (see Cloudflare).

block no aus

Security → WAF → Custom rules → block no aus

  • Action: Block (or challenge) when country is not Australia
  • Applies to: Most *.saxobroko.com homelab subdomains — Jellyfin, *arr, dash, vault, dsm, etc.
  • Does not apply to: Intentionally public sites — see Public sites and exclusions below

From outside Australia, homelab apps return 403 by design. That is expected — see Common issues.

localnet full strict ssl

Rules → Configuration rules → localnet full strict ssl

  • Sets SSL mode to Full (strict) for tunnel-backed hostnames
  • Applies to: Services reached via Cloudflare Tunnel → TrueNAS / LAN
  • Does not apply to: Cloudflare Pages (e.g. SaxDocs) — Pages terminates SSL at the edge on its own

When adding a subdomain, append to the rule expression:

 or (http.host eq "example.saxobroko.com")

Geo exclusions — docs and auth

These hostnames are excluded from block no aus (or have dedicated skip rules) so login and documentation work worldwide:

| Hostname | Why |
| --- | --- |
| auth.saxobroko.com | Authentik: OIDC callbacks for Cloudflare Access and SSO; must stay reachable for Access login |
| docs.saxobroko.com | SaxDocs on Pages: public by default; Cloudflare Access adds app-level auth instead of a geo block |

WAF skip rules for auth + docs are configured as described under Authentik. Do not put auth itself behind Access (it causes a login loop).

Other public marketing sites (blog, links, weather, etc.) are also outside block no aus; see Public sites.

Bot Fight Mode

Must be off for Cloudflare Access + Authentik OIDC to work.

Bot Fight Mode cannot be bypassed with WAF skip rules. If Access shows a JS challenge instead of the Authentik login page, disable Bot Fight Mode:

  • Zero Trust → Settings → Network, or
  • Websites → saxobroko.com → Security

Details: Authentik troubleshooting.

SaxDocs protection (not WAF)

Geo blocking is not how SaxDocs is locked down. Cloudflare Access on docs.saxobroko.com uses Authentik OIDC and is live today. The WAF stays permissive for docs; Access enforces login.

Checklist — new tunnel hostname

  1. Add tunnel public hostname in Zero Trust
  2. Append hostname to localnet full strict ssl
  3. Append hostname to block no aus (unless intentionally public)
  4. Confirm Bot Fight Mode is still off if the app uses Access
  5. Test from incognito — AU should work; non-AU should 403 on homelab hosts only
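Steps 2 and 3 of the checklist are easy to do for one rule and forget for the other. The following is an added helper, not part of this page or of Cloudflare's tooling, that appends a hostname clause in the form shown above and reports hosts covered by one rule but not the other. The sample expressions are constructed to look like the two rules; apart from auth and docs, the hostnames and the exact rule text are assumptions.

```python
import re

# Constructed sample expressions shaped like the page's two rules (assumed contents).
LOCALNET_STRICT_SSL = (
    '(http.host eq "jellyfin.saxobroko.com") or (http.host eq "vault.saxobroko.com") '
    'or (http.host eq "dsm.saxobroko.com") or (http.host eq "auth.saxobroko.com")'
)
BLOCK_NO_AUS = (
    '(not ip.geoip.country eq "AU") and '
    '((http.host eq "jellyfin.saxobroko.com") or (http.host eq "dash.saxobroko.com"))'
)
# Hostnames that must stay reachable worldwide (from the geo exclusions table).
PUBLIC_HOSTS = {"auth.saxobroko.com", "docs.saxobroko.com"}

HOST_RE = re.compile(r'http\.host\s+eq\s+"([^"]+)"')


def hosts_in(expr: str) -> set[str]:
    """Every hostname a rule expression matches with http.host eq "...". """
    return set(HOST_RE.findall(expr))


def append_host(expr: str, host: str) -> str:
    """Append a clause exactly as the page shows. Idempotent and zone-checked."""
    if not host.endswith(".saxobroko.com"):
        raise ValueError(f"{host} is not a saxobroko.com hostname")
    if host in hosts_in(expr):
        return expr  # already listed; do not add a duplicate clause
    return f'{expr} or (http.host eq "{host}")'


def drift(strict_ssl_expr: str, block_expr: str, public=PUBLIC_HOSTS) -> dict:
    """Report hosts that one rule covers and the other does not."""
    ssl_hosts = hosts_in(strict_ssl_expr)
    geo_hosts = hosts_in(block_expr)
    return {
        # tunnel hosts with strict SSL but no geo block (public hosts are expected here)
        "missing_geo_block": sorted((ssl_hosts - geo_hosts) - public),
        # geo-blocked hosts that never got Full (strict) SSL
        "missing_strict_ssl": sorted(geo_hosts - ssl_hosts),
        # exclusions that somebody accidentally put back behind the geo block
        "public_but_geo_blocked": sorted(geo_hosts & public),
    }


if __name__ == "__main__":
    for key, hosts in drift(LOCALNET_STRICT_SSL, BLOCK_NO_AUS).items():
        print(f"{key}: {', '.join(hosts) or 'none'}")
```

Run it against the real expressions copied from the dashboard; an empty report means both rules list the same tunnel hosts and no exclusion has crept back into block no aus.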