[SSL, Rules] Call out HTTP DCV vs redirects affecting /.well-known/ (#17055)

* [SSL] Update troubleshooting.mdx

PCX-13770

* Update src/content/docs/ssl/edge-certificates/changing-dcv-method/troubleshooting.mdx

Co-authored-by: Rebecca Tamachiro <62246989+RebeccaTamachiro@users.noreply.github.com>

* Add note about HTTP DCV to Rules docs

---------

Co-authored-by: Kim J <73549165+KimJ15@users.noreply.github.com>
Co-authored-by: Rebecca Tamachiro <62246989+RebeccaTamachiro@users.noreply.github.com>
Co-authored-by: Rebecca Tamachiro <rtamachiro@cloudflare.com>
4 people authored Oct 31, 2024
1 parent 146a4a7 commit 0e27d14
Showing 3 changed files with 22 additions and 8 deletions.
16 changes: 11 additions & 5 deletions src/content/docs/rules/reference/troubleshooting.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ description: Review common troubleshooting scenarios for Rules features.

---

import { Example } from "~/components"
import { Example, Render } from "~/components"

## Interaction between Cloudflare challenges and Rules features

Expand All @@ -22,6 +22,12 @@ For example, define a compound expression for your rule using the `and` operator
<OTHER_RULE_CONDITIONS> and not starts_with(http.request.uri, "/cdn-cgi/challenge-platform/")
```

## HTTP DCV and redirects

<Render file="dcv-definition" product="ssl" />

If you are using [HTTP DCV](/ssl/edge-certificates/changing-dcv-method/methods/http/) and also have [Single Redirects](/rules/url-forwarding/single-redirects/) set up in your zone, consider excluding the `/.well-known/*` path from your rule to avoid DCV issues. For details and other resources refer to the [SSL/TLS documentation](/ssl/edge-certificates/changing-dcv-method/).

## URL rewrites affect other Rules features executed later

If you rewrite a URI path using a [URL rewrite](/rules/transform/url-rewrite/), this may affect other Rules features executed later — such as [Origin Rules](/rules/origin-rules/) — if they include the URI path in their filter expression.
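Review bot: the advice in the new `## HTTP DCV and redirects` section stays abstract ("consider excluding the `/.well-known/*` path from your rule") while the challenge section just above it in this file shows the concrete expression pattern; mirror that and quote the exclusion as a rule-expression fragment, for example `<OTHER_RULE_CONDITIONS> and not starts_with(http.request.uri.path, "/.well-known/")`, so readers do not have to translate the path glob into filter syntax themselves. Two smaller points: the section names only Single Redirects, whereas the SSL troubleshooting page changed in this same commit links the same URL as "Redirect Rules", so pick one term for both pages; and the closing sentence needs a comma, "For details and other resources, refer to the SSL/TLS documentation".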
Expand All @@ -31,7 +37,7 @@ Consider the following origin rule configuration:
<Example>

* Rule expression: `http.host == "example.com" and starts_with(http.request.uri.path, "/downloads/")`
* **Host header** > **Rewrite to**: `assets.example.com`
* **Host header** > **Rewrite to**: `assets.example.com`

</Example>

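Review bot: the removed and added `**Host header** > **Rewrite to**` lines in this hunk render identically, so the change appears to be trailing-whitespace cleanup only; the same holds for the three hunks that follow in this file. That is fine to keep, but it is unrelated to the DCV change the commit title describes, so mention the whitespace cleanup in the commit message (or split it into its own commit) so that a future `git blame` on these example lines does not point at an SSL change.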
Expand All @@ -40,7 +46,7 @@ If you configure a new URL rewrite with the following configuration:
<Example>

* Rule expression: `http.host == "example.com" and starts_with(http.request.uri.path, "/downloads/")`
* **Path** > **Rewrite to** > **Dynamic**: `regex_replace(http.request.uri.path, "^/downloads/", "/")`
* **Path** > **Rewrite to** > **Dynamic**: `regex_replace(http.request.uri.path, "^/downloads/", "/")`

</Example>

Expand All @@ -57,7 +63,7 @@ In the current example, you could use the `raw.http.request.uri.path` field in b
<Example>

* Rule expression: `http.host == "example.com" and starts_with(raw.http.request.uri.path, "/downloads/")`
* **Path** > **Rewrite to** > **Dynamic**: `regex_replace(raw.http.request.uri.path, "^/downloads/", "/")`
* **Path** > **Rewrite to** > **Dynamic**: `regex_replace(raw.http.request.uri.path, "^/downloads/", "/")`

</Example>

Expand All @@ -66,7 +72,7 @@ In the current example, you could use the `raw.http.request.uri.path` field in b
<Example>

* Rule expression: `http.host == "example.com" and starts_with(raw.http.request.uri.path, "/downloads/")`
* **Host header** > **Rewrite to**: `assets.example.com`
* **Host header** > **Rewrite to**: `assets.example.com`

</Example>

Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ description: Learn when and how to perform Domain Control Validation when using

import { Render } from "~/components"

<Render file="dcv-definition" /> <br/>
<Render file="dcv-definition" />

:::note

Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ Taking into account the [steps involved in DCV](/ssl/edge-certificates/changing-

:::note

If you are using the Cloudflare API, error messages are presented under the `validation_errors` parameter.
If you are using the Cloudflare API, error messages are presented under the `validation_errors` parameter.
:::

## Blocked validation URL
Expand All @@ -29,9 +29,17 @@ If you have issues while HTTP DCV is in place, review the following settings:
* **Cloudflare Account Settings** and **Page Rules**: Review your [account settings](/fundamentals/reference/under-attack-mode/), [Configuration Rules](/rules/configuration-rules/), and [Page Rules](/rules/page-rules/) to ensure you have not enabled **I'm Under Attack Mode** on the validation URL.

:::caution
<Render file="dcv-path-security" />
<Render file="dcv-path-security" />
:::

## Redirection

Enabling [Always Use HTTPS](/ssl/edge-certificates/additional-options/always-use-https/) does not impact the validation process.

In a [Partial (CNAME) setup](/ssl/edge-certificates/changing-dcv-method/#partial-dns-setup---action-sometimes-required) where you are managing the token on the origin side, please ensure that no redirection from HTTP to HTTPS occurs on the `/.well-known/*` path.

When using [Redirect Rules](/rules/url-forwarding/single-redirects/) the `/.well-known/*` path should be excluded from redirections.

## DNS settings and records

The errors below refer to situations that have to be addressed at the authoritative DNS provider:
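Review bot: the last sentence of the new `## Redirection` section is passive and lacks a comma after its opening clause ("When using [Redirect Rules](...) the `/.well-known/*` path should be excluded from redirections"); rewrite it as a direct instruction, for example "When using Redirect Rules, exclude the `/.well-known/*` path from the redirect rule", and drop "please" from the Partial (CNAME) sentence to match the register of the surrounding docs. Also align terminology with the Rules troubleshooting page changed in this same commit, which links the same URL as "Single Redirects". The `<Render file="dcv-path-security" />` pair at the top of the hunk renders identically and looks like whitespace-only cleanup, which is fine.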