
MEIER-320: Filter health check logs/traces and add Cloudflare WAF scanner block#81

Merged
andymeierdev merged 3 commits into main from
andymeierdev/MEIER-320/health-check-filter-and-waf-scanner-block
Mar 24, 2026

Conversation

@andymeierdev
Collaborator

Summary

Two changes to reduce log noise and block vulnerability scanners at the edge.

1. Filter health check logs and traces (app)

In Program.fs:

  • Logging: Added UseSerilogRequestLogging with a custom GetLevel that drops /health requests to Verbose level — below the configured minimum (Information), so they no longer appear in Seq or console output.
  • Tracing: Added a Filter on AddAspNetCoreInstrumentation that excludes /health from generating OpenTelemetry trace spans sent to Seq.

2. Cloudflare WAF custom rule for scanner blocking (Pulumi)

New pulumi/src/cloudflare/waf.ts creates a WAF custom ruleset on the andymeier.dev zone using phase: "http_request_firewall_custom". A single rule blocks requests matching common vulnerability scanner paths and file extensions at the Cloudflare edge before they reach the origin:

  • Sensitive files: /.env, /.git
  • CMS probes: /wp-*, /wordpress, /xmlrpc
  • Admin panels: /phpMyAdmin, /phpmyadmin, /pma
  • Server probes: /cgi-bin, /actuator, /solr, /telescope, /vendor
  • Dangerous extensions: .php, .asp, .jsp, .cgi

Action is block (403 at edge, zero origin load).

Validation

  • dotnet build passes with zero warnings/errors
  • All 61 tests pass (./fake.sh Test)
  • pulumi preview shows only the new cloudflare:Ruleset resource to create
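The scanner-block rule from the summary above, as an added example that is not the project's waf.ts or the author's code: it rebuilds the Cloudflare Rules-language expression from the listed paths and extensions in TypeScript and checks the same clauses locally against constructed sample paths, so over-blocking of legitimate routes shows up before `pulumi up`. The `ends_with(lower(...))` clauses for extensions are an assumption, since the rule's full expression is truncated in the Pulumi preview.

```typescript
// Added example, not the project's pulumi/src/cloudflare/waf.ts: rebuilds the
// rule expression from the lists in the PR summary and evaluates the same
// clauses locally, so false positives surface before `pulumi up`.

// Fragments matched with `contains` (case-sensitive substring), as in the PR.
const BLOCKED_PATH_FRAGMENTS = [
  "/.env", "/.git",                                          // sensitive files
  "/wp-", "/wordpress", "/xmlrpc",                           // CMS probes
  "/phpMyAdmin", "/phpmyadmin", "/pma",                      // admin panels
  "/cgi-bin", "/actuator", "/solr", "/telescope", "/vendor", // server probes
];
// The PR's expression is truncated in the preview; matching extensions with
// ends_with(lower(path), ...) is this example's assumption.
const BLOCKED_EXTENSIONS = [".php", ".asp", ".jsp", ".cgi"];

// Rules-language string literal: escape backslashes and double quotes.
function lit(s: string): string {
  return `"${s.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"`;
}

// The `expression` field of the ruleset rule, clauses joined with `or`.
function buildExpression(): string {
  const paths = BLOCKED_PATH_FRAGMENTS.map(
    (f) => `(http.request.uri.path contains ${lit(f)})`);
  const exts = BLOCKED_EXTENSIONS.map(
    (e) => `(ends_with(lower(http.request.uri.path), ${lit(e)}))`);
  return [...paths, ...exts].join(" or ");
}

// Local model of the same clauses: the clause that would block `path`,
// or null when the request would reach the origin.
function matchReason(path: string): string | null {
  const frag = BLOCKED_PATH_FRAGMENTS.find((f) => path.includes(f));
  if (frag !== undefined) return `contains ${frag}`;
  const ext = BLOCKED_EXTENSIONS.find((e) => path.toLowerCase().endsWith(e));
  return ext !== undefined ? `ends_with ${ext}` : null;
}

// Constructed sample paths: probes the rule should block and legitimate
// routes it must not. `contains "/.git"` also catches "/.github/..." and
// `contains "/vendor"` catches "/vendors", so substring clauses need a
// review against the site's real routes before the rule is enabled.
const SAMPLE_PATHS = [
  "/wp-login.php", "/.env", "/Index.PHP", "/cgi-bin/test",
  "/health", "/blog/post", "/.github/workflows/ci.yml", "/vendors",
];

console.log(buildExpression());
for (const p of SAMPLE_PATHS) console.log(`${p} -> ${matchReason(p) ?? "pass"}`);
```

Running it prints the expression and a verdict per sample path; the two non-scanner paths that get blocked are the case to check against the site's real routes.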

@github-actions

github-actions bot commented Mar 24, 2026

🍹 preview on andymeier/prod

Pulumi report


  Previewing update (prod)

View Live: https://app.pulumi.com/meiermade/andymeier/prod/previews/a2dd6e2a-4c38-4b50-940d-0c0672d16b88

pulumi:pulumi:Stack: (same)
  [urn=urn:pulumi:prod::andymeier::pulumi:pulumi:Stack::andymeier-prod]
  ~ docker-build:index:Image: (update)
      [id=sha256:4220b7870863d07b1de96b565c6d5b26306a51590b5d515cb44734e64b92fa6a]
      [urn=urn:pulumi:prod::andymeier::docker-build:index:Image::andymeier]
    - contextHash: "d5f3cbfc1d25abc666cfd65d7d23f1b177635d7b7e7a46b1e464ddfc5ab2c281"
  ~ kubernetes:apps/v1:Deployment: (update)
      [id=andymeier/app]
      [urn=urn:pulumi:prod::andymeier::kubernetes:apps/v1:Deployment::app]
    ~ spec: {
        ~ template: {
            ~ spec: {
                ~ containers: [
                    ~ [0]: {
                            ~ image: "us-east1-docker.pkg.dev/meiermade-platform/platform/andymeier:latest@sha256:94f77ea557bc53317c8b68c7177ca22cd6521c1ad05316e224016a69bb961518" => [unknown]
                          }
                  ]
              }
          }
      }
  + cloudflare:index/ruleset:Ruleset: (create)
      [urn=urn:pulumi:prod::andymeier::cloudflare:index/ruleset:Ruleset::andymeier-waf]
      kind  : "zone"
      name  : "Block vulnerability scanners"
      phase : "http_request_firewall_custom"
      rules : [
          [0]: {
              action     : "block"
              description: "Block common vulnerability scanner paths and file extensions"
              enabled    : true
              expression : "(http.request.uri.path contains \"/.env\") or (http.request.uri.path contains \"/.git\") or (http.request.uri.path contains \"/.aws\") or (http.request.uri...."
              ref        : "block_scan_probes"
          }
      ]
      zoneId: "5995c624b9699f73f297dea331ae5bec"
Resources:
  + 1 to create
  ~ 2 to update
  3 changes. 13 unchanged
  

@andymeierdev andymeierdev merged commit 3a6148b into main Mar 24, 2026
2 checks passed
@andymeierdev andymeierdev deleted the andymeierdev/MEIER-320/health-check-filter-and-waf-scanner-block branch March 24, 2026 11:57