Api Shield

  • I'm trying to access my API and got error 403 with “API Shield” active
    curl -sv https://my_domain_api.com --cert key.pem --key private.pem

Info:

  • Account plan: free
  • Client cert generated in the Cloudflare panel (/ssl-tls/client-certificates/form)
  • ticket id: 2191293

curl -sv https://my_domain_api.com/ --cert key.pem --key private.pem

  • Rebuilt URL to: https://my_domain_api.com/
  • Trying 1**.**.6*.2
  • TCP_NODELAY set
  • Connected to my_domain_api.com (1**.**.6*.2) port 443 (#0)
  • schannel: SSL/TLS connection with my_domain_api.com port 443 (step 1/3)
  • schannel: checking server certificate revocation
  • schannel: sending initial handshake data: sending 181 bytes…
  • schannel: sent initial handshake data: sent 181 bytes
  • schannel: SSL/TLS connection with my_domain_api.com port 443 (step 2/3)
  • schannel: failed to receive handshake, need more data
  • schannel: SSL/TLS connection with my_domain_api.com port 443 (step 2/3)
  • schannel: encrypted data got 3092
  • schannel: encrypted data buffer: offset 3092 length 4096
  • schannel: a client certificate has been requested
  • schannel: SSL/TLS connection with my_domain_api.com port 443 (step 2/3)
  • schannel: encrypted data buffer: offset 3092 length 4116
  • schannel: sending next handshake data: sending 100 bytes…
  • schannel: SSL/TLS connection with my_domain_api.com port 443 (step 2/3)
  • schannel: encrypted data got 258
  • schannel: encrypted data buffer: offset 258 length 4116
  • schannel: SSL/TLS handshake complete
  • schannel: SSL/TLS connection with my_domain_api.com port 443 (step 3/3)
  • schannel: stored credential handle in session cache

GET / HTTP/1.1
Host: my_domain_api.com
User-Agent: curl/7.55.1
Accept: */*

  • schannel: client wants to read 102400 bytes
  • schannel: encdata_buffer resized 103424
  • schannel: encrypted data buffer: offset 0 length 103424
  • schannel: encrypted data got 964
  • schannel: encrypted data buffer: offset 964 length 103424
  • schannel: decrypted data length: 935
  • schannel: decrypted data added: 935
  • schannel: decrypted data cached: offset 935 length 102400
  • schannel: encrypted data buffer: offset 0 length 103424
  • schannel: decrypted data buffer: offset 935 length 102400
  • schannel: schannel_recv cleanup
  • schannel: decrypted data returned 935
  • schannel: decrypted data buffer: offset 0 length 102400
    < HTTP/1.1 403 Forbidden
    < Date: Wed, 23 Jun 2021 18:22:14 GMT
    < Content-Type: text/plain; charset=UTF-8
    < Content-Length: 16
    < Connection: keep-alive
    < X-Frame-Options: SAMEORIGIN
    < Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    < Expires: Thu, 01 Jan 1970 00:00:01 GMT
    < cf-request-id: 0adbb4d43500000c2142172000000001
    < Expect-CT: max-age=604800, report-uri=“LIMIT_HTTPS://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct”
    < Report-To: {“endpoints”:[{“url”:“LIMIT_HTTPS://a.nel.cloudflare.com/report/v2?s=ke5TTmW2wOxZhxVJpd3PRYInvSojwkK94OZcGCmLHXmbNEplahAAxm9vi7bX6G%2BBjXsFdnAwd5eFfWG%2BooTXPMmJV7cr4%2B5CpElbwOGWHGgq%2Bjuoc%2FQQFA%3D%3D”}],“group”:“cf-nel”,“max_age”:604800}
    < NEL: {“report_to”:“cf-nel”,“max_age”:604800}
    < Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
    < X-Content-Type-Options: nosniff
    < Server: cloudflare
    < CF-RAY: 663fbd99ec4c0c21-AMS
    <
    error code: 1020
  • Connection #0 to host my_domain_api.com left intact

May I ask if any Firewall Rule is running and blocking the request, like requests coming from a specific country, etc., or some Captcha, or if you have a higher Security Level set up, or the Bot Fight Mode option enabled?

It seems to me you have violated a Firewall rule, which was configured by you (the site owner).

Hopefully, if it is your domain, could you re-check your firewall events and see if there is anything being logged? Or whitelist/bypass the IP address of your host origin/server so the request can pass successfully?

Otherwise, if you are a visitor, I am afraid you would need to contact the site owner regarding this issue.

Regarding error 1020, kindly see the article below for more information:

https://support.cloudflare.com/hc/en-us/articles/360029779472-Troubleshooting-Cloudflare-1XXX-errors#error1020
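
As an added example (not part of the original posts): a small triage of `curl -v` output that separates a TLS handshake failure from a block applied after the handshake, which is what the trace in this thread shows (client certificate requested, handshake complete, then 403 with error code 1020). The function name `triage`, the stage labels and the OpenSSL wording it also matches are assumptions of this example; the sample lines are taken from the trace above.

```python
import re

# Constructed sample: key lines taken from the curl -sv trace posted in this thread.
SAMPLE = """\
* schannel: a client certificate has been requested
* schannel: SSL/TLS handshake complete
< HTTP/1.1 403 Forbidden
< Server: cloudflare
< CF-RAY: 663fbd99ec4c0c21-AMS
<
error code: 1020
"""


def _find(pattern, text):
    """Return the first capture group of pattern in text, or None."""
    m = re.search(pattern, text, re.IGNORECASE)
    return m.group(1) if m else None


def triage(trace):
    """Report at which layer a request to a Cloudflare-fronted mTLS host was refused."""
    # schannel wording as seen in the thread; the OpenSSL wording is an added assumption.
    cert_requested = bool(
        re.search(r"client certificate has been requested|Request CERT", trace))
    handshake_ok = bool(re.search(r"handshake complete|SSL connection using", trace))
    status = _find(r"HTTP/[\d.]+[ \t]+(\d{3})", trace)
    cf_error = _find(r"error code:\s*(\d{4})", trace)
    ray_id = _find(r"CF-RAY:\s*(\S+)", trace)

    if not handshake_ok:
        stage = "tls_handshake"      # refused before any HTTP was exchanged
    elif status is None:
        stage = "no_http_response"
    elif status == "403" and cf_error == "1020":
        stage = "firewall_rule"      # TLS succeeded; a firewall rule blocked the request
    elif status[0] in "45":
        stage = "http_error"
    else:
        stage = "ok"
    return {"stage": stage, "cert_requested": cert_requested,
            "status": status, "cf_error": cf_error, "ray_id": ray_id}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

The returned `ray_id` is the value to search for in the firewall events mentioned in the reply above.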

My task: set up API Shield for my API.
I have only one firewall rule
Security Level: Essentially Off
Under Attack Mode: Off
Bot Fight Mode: Off

In case it is needed, @cloonan could take a look at this one.

4 Likes

Hello @cloonan, can you visit ticket ID: 2191293?
