While this is true and worth reminding the ops about, it still sucks because many people don't understand the issues they cause by turning WAF on. CloudFlare should have a big "I understand I'll block many legit clients when I enable this" checkbox. Or you know... fix it in general. Or at least have a "report this block as invalid" link on the page.
Cloudflare WAF doesn't block clients in general; it blocks based on the data the client sends to the server.
Unless your client sends a string which matches one of the WAF patterns, the site will work fine. It only blocks individual requests.
Now the problem here is that you probably shouldn't enable the WAF without having it in log-only mode for a while if you are operating a site which lets users submit arbitrary text input. Of course it's going to match... You'll have to adjust the configuration.
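The "log-only mode first, then tune" approach above is easy to act on if you summarise the would-be blocks before flipping the switch. The script below is an added example and not part of this thread or of Cloudflare's tooling; the event records it consumes are constructed, and their field names (`action`, `rule_id`, `path`, `client`) are an assumed, simplified shape rather than any real WAF's log schema. It groups log-mode hits by rule and path and flags the pairs that would have blocked several distinct clients, which are the ones worth an exception or a lower sensitivity on a site that accepts free text.

```python
"""Summarise WAF events captured in log-only mode to decide which rules need
tuning before switching to blocking. Added example; the event shape below is
a constructed, simplified one, not a real WAF log schema."""
from collections import Counter, defaultdict

# Constructed sample: what a WAF in log-only mode might record for a site
# that accepts arbitrary user text (a comment form). Field names are assumed.
SAMPLE_EVENTS = [
    {"action": "log", "rule_id": "sqli-001", "path": "/comments", "client": "203.0.113.10"},
    {"action": "log", "rule_id": "sqli-001", "path": "/comments", "client": "203.0.113.11"},
    {"action": "log", "rule_id": "sqli-001", "path": "/comments", "client": "203.0.113.12"},
    {"action": "log", "rule_id": "xss-007", "path": "/comments", "client": "203.0.113.10"},
    {"action": "log", "rule_id": "sqli-001", "path": "/search", "client": "198.51.100.5"},
    {"action": "log", "rule_id": "rce-042", "path": "/wp-login.php", "client": "198.51.100.77"},
    {"action": "allow", "rule_id": None, "path": "/", "client": "203.0.113.10"},
]


def summarize(events, min_distinct_clients=2):
    """Return (hits, candidates).

    hits: Counter of (rule_id, path) -> number of log-mode matches.
    candidates: (rule_id, path) pairs that matched at least
    `min_distinct_clients` different clients, sorted by hit count. A rule that
    fires on one path for many unrelated clients is far more likely to be a
    false positive on legitimate user text than one that fires for a single
    source, so these are the pairs to tune before enabling blocking.
    """
    hits = Counter()
    clients = defaultdict(set)
    for ev in events:
        # Only would-be blocks matter; allowed requests carry no rule id.
        if ev["action"] != "log" or not ev["rule_id"]:
            continue
        key = (ev["rule_id"], ev["path"])
        hits[key] += 1
        clients[key].add(ev["client"])
    candidates = sorted(
        (k for k in hits if len(clients[k]) >= min_distinct_clients),
        key=lambda k: (-hits[k], k),
    )
    return hits, candidates


if __name__ == "__main__":
    hits, candidates = summarize(SAMPLE_EVENTS)
    for rule, path in candidates:
        print(f"{rule} on {path}: {hits[(rule, path)]} would-be blocks from "
              f"multiple clients; review before switching to block")
```

Run against a real export you would lower or raise `min_distinct_clients` depending on traffic volume; the point is to look at the distribution per rule and path, not at individual events, before deciding what to exempt.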
Agreed. I believe the default Firewall security level is "Medium" and I think that's far too strict. The first thing I do when adding a new zone is to set it to "Essentially off".
How many people do you piss off with the opinions you post on your blog? Enough to warrant being DDoS'd by an emotionally stunted high schooler with their parents'/stolen credit card and the ability to Google for a botnet?
Almost nobody who uses big brother as an individual ever does. What would anyone care about a Nextcloud login panel? Or a reasonably civil personal blog? And yet they enable Cloudflare for yet another small corner of the internet :(