WAFs and Cloudflare



Web Application Firewalls (WAFs), including Cloudflare's WAF, can be an important part of securing internet-facing applications. However, to implement one effectively you need a strong understanding of the rules being applied, their relevance to the application being protected, and how the WAF handles traffic. A rule set that is left at its defaults will block legitimate application traffic as readily as malicious traffic.

As there are many WAF vendors, each with differing configuration options and considerations, it is not possible for Schoolbox to provide exact advice on how to configure your WAF. Indeed, because both Schoolbox and your WAF vendor update continually, any specific guide would be out of date almost immediately upon publication. However, as our knowledge of the different considerations grows, they will be documented below for reference.

Cloudflare


Cloudflare's default set of WAF rules is not compatible with Schoolbox; the rules require tuning to ensure there is no impact on Schoolbox functionality. In particular, known incompatibilities include:

  • OWASP - The OWASP Rule Set causes issues uploading files to Schoolbox; specifically, an exception for asyncUpload.php needs to be made. 
  • Bot Detection - The Bot Detection rules are incompatible with Schoolbox's Summative Reporting functionality; exceptions for the relevant endpoints listed at /adminv2/routes need to be made. 
  • Rocket Loader - Rocket Loader modifies the order in which content is delivered to users, causing undesired system behaviour; ensure Rocket Loader is not enabled. 

Keep each exception as narrow as possible (an exact path, or the smallest prefix that covers the listed endpoints) so that the rest of the rule set still applies to the application.
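The exceptions above are expressed in Cloudflare as a "skip" rule that runs before the managed ruleset. The following is an added example written for this page, not Schoolbox or Cloudflare code: it builds such a rule, in the JSON shape the Cloudflare Rulesets API accepts, for a list of Schoolbox paths. It assumes that asyncUpload.php is served at /asyncUpload.php (confirm the real path on your instance) and uses a placeholder in place of the OWASP ruleset ID, which you must read from your own zone.

```python
"""Build a Cloudflare WAF "skip" rule that exempts specific Schoolbox
endpoints from a managed ruleset (for example the OWASP Core Ruleset).

Illustrative helper written for this page, not Schoolbox or Cloudflare code.
Assumptions, labelled as such:
  * asyncUpload.php is served at /asyncUpload.php on your instance; confirm
    the real path in your deployment before using it.
  * OWASP_RULESET_ID is a placeholder. Read the real ruleset ID for your zone
    from the Cloudflare dashboard or the Rulesets API; do not copy this value.
"""
import json

# Placeholder only; replace with the ruleset ID Cloudflare reports for the
# OWASP Core Ruleset in your zone.
OWASP_RULESET_ID = "REPLACE_WITH_OWASP_RULESET_ID"


def _cf_string(value):
    """Render a Cloudflare Rules language string literal (double-quoted,
    backslash-escaped)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_expression(exact_paths=(), prefix_paths=()):
    """Return a Rules language expression matching the given request paths.

    exact_paths  -> http.request.uri.path eq "<path>"
    prefix_paths -> starts_with(http.request.uri.path, "<prefix>")

    Paths must be absolute. A prefix of "/" is refused because it would skip
    the managed ruleset for the whole site, which defeats the point of a WAF.
    """
    clauses = []
    for path in exact_paths:
        if not path.startswith("/"):
            raise ValueError(f"path must start with '/': {path!r}")
        clauses.append(f"(http.request.uri.path eq {_cf_string(path)})")
    for prefix in prefix_paths:
        if not prefix.startswith("/"):
            raise ValueError(f"prefix must start with '/': {prefix!r}")
        if prefix == "/":
            raise ValueError("refusing a site-wide exception ('/')")
        clauses.append(
            f"(starts_with(http.request.uri.path, {_cf_string(prefix)}))")
    if not clauses:
        raise ValueError("no paths given")
    return " or ".join(clauses)


def build_skip_rule(expression, ruleset_ids, description):
    """Return the JSON-serialisable rule object for the Rulesets API.

    Place it in the zone's http_request_firewall_managed phase entrypoint
    before the "execute" rule for the managed ruleset: rules are evaluated
    in order, and a skip that comes after the execute rule does nothing.
    """
    return {
        "description": description,
        "expression": expression,
        "action": "skip",
        "action_parameters": {"rulesets": list(ruleset_ids)},
        "enabled": True,
    }


if __name__ == "__main__":
    expr = build_expression(exact_paths=["/asyncUpload.php"])
    rule = build_skip_rule(expr, [OWASP_RULESET_ID],
                           "Schoolbox: exempt file uploads from OWASP rules")
    print(json.dumps(rule, indent=2))
```

The Summative Reporting endpoints from /adminv2/routes can be passed as `exact_paths` (or, if they share a prefix, as a single entry in `prefix_paths`) to build the corresponding Bot Detection exception; the "/" guard is there because the tempting shortcut of exempting the whole site silently switches the managed rules off.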

Cloudflare Proxying can be used with Schoolbox - this is a known working configuration. 

From Schoolbox 24.0 the TLS-ALPN-01 challenge is used to verify Let's Encrypt certificates. This challenge is not compatible with Cloudflare Proxying, because Cloudflare terminates TLS at its edge rather than passing the handshake through to Schoolbox. However, the HTTP-01 challenge can still be used instead. For this to work, ensure that Cloudflare is not automatically redirecting HTTP traffic to HTTPS (the Always Use HTTPS setting), that port 80 traffic is passed through to Schoolbox by your firewall, and that there is no geoblocking of inbound requests on port 80; the validator requests /.well-known/acme-challenge/<token> over plain HTTP and must reach Schoolbox. 
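The three conditions above can be checked before a renewal is due rather than discovered when it fails. The script below is an added example written for this page, not Schoolbox or Cloudflare code: it requests a probe token under /.well-known/acme-challenge/ over plain HTTP without following redirects, and classifies the result into the failure modes the paragraph lists. The host name and probe token are placeholders; the verdict strings are this script's own.

```python
"""Preflight check for the HTTP-01 challenge path through Cloudflare.

Illustrative helper written for this page, not Schoolbox or Cloudflare code.
It fetches http://<host>/.well-known/acme-challenge/<probe-token> without
following redirects and reports which of the documented preconditions
(no HTTP->HTTPS redirect, port 80 reachable, no edge block) is not met.
"""
import socket
import sys
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for 3xx instead of
    # following it, so a redirect to https:// is surfaced rather than hidden.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_probe(host, token, timeout=10):
    """Fetch the probe URL over plain HTTP.

    Returns (status, headers, error): headers is a dict with lower-cased
    keys; error is a string only when no HTTP response came back at all
    (refused or filtered port 80, DNS failure, timeout).
    """
    url = f"http://{host}{CHALLENGE_PREFIX}{token}"
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, None
    except urllib.error.HTTPError as e:
        # 3xx/4xx/5xx responses still carry the headers we want to inspect.
        return e.code, {k.lower(): v for k, v in e.headers.items()}, None
    except (urllib.error.URLError, socket.timeout, OSError) as e:
        return None, {}, str(e)


def classify(status, headers, error):
    """Map a probe result to (verdict, explanation)."""
    if error is not None:
        return ("BLOCKED_NETWORK",
                f"no HTTP response on port 80 ({error}); check that the firewall "
                "passes port 80 through to Schoolbox and that Cloudflare proxies it")
    location = headers.get("location", "")
    if status in (301, 302, 307, 308) and location.lower().startswith("https://"):
        return ("REDIRECT_TO_HTTPS",
                "port 80 is redirected to HTTPS; disable Cloudflare's Always Use HTTPS "
                "(and any origin-side redirect) for the acme-challenge path")
    if status == 403 and "cf-ray" in headers:
        # cf-ray is set on every response that passes through Cloudflare, so a
        # 403 may come from the edge (geoblock, WAF) or the origin; check both.
        return ("BLOCKED_AT_EDGE",
                "403 through Cloudflare; check geoblocking and WAF rules for port 80")
    if status in (200, 404):
        # A 404 for a probe token that does not exist still proves the request
        # reached the origin over plain HTTP; the real token will exist at renewal.
        return ("OK", "request reached the origin over plain HTTP; HTTP-01 can validate")
    return ("UNEXPECTED", f"status {status}; inspect the response manually")


def preflight(host, token="preflight-probe", probe=http_probe):
    """Run the probe and return (verdict, explanation). `probe` is injectable
    so the classification can be exercised without network access."""
    return classify(*probe(host, token))


if __name__ == "__main__":
    # Hypothetical host name; replace with your Schoolbox host.
    target = sys.argv[1] if len(sys.argv) > 1 else "schoolbox.example.school"
    verdict, why = preflight(target)
    print(f"{verdict}: {why}")
    sys.exit(0 if verdict == "OK" else 1)
```

One caveat: Let's Encrypt validates from several network vantage points, so a probe that passes from your own office does not prove that geoblocking will not affect the validator's locations. Treat an "OK" here as necessary, not sufficient, and keep port 80 open to all sources for the challenge path.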
