Block Test Certificate Info (Solved)

Hello, I have a bot that keeps going to my site I want to block.
I cant block ASN because it uses broadband ISP’s from all over the world.

It does, however, keep repeating the same thing.

URL: was redirected when visiting https://www.example.com/https://www.example.com/
Test Certificate Info

Now I have two firewall rules. One is Bad Bots and the other is When incoming requests match.

For (When incoming requests match) I added these to the list

or (http.request.uri.path contains “https://example.com/https:/www.example.com/”)
or (http.request.uri.path contains “https://www.example.com/https://www.example.com/”)
or (http.request.uri.path contains “/https://www.example.com/”)
or (http.request.uri.path contains “/https://example.com/”)

It fails to work. The expression looks like this

((http.request.uri.path contains “/xmlrpc.php”)
or (http.request.uri.path contains “https://example.com/https:/www.example.com/”)
or (http.request.uri.path contains “https://www.example.com/https://www.example.com/”)
or (http.request.uri.path contains “/https://www.example.com/”)
or (http.request.uri.path contains “/https://example.com/”)
or (http.request.uri.path contains “/wp-admin/”
and not http.request.uri.path contains “/wp-admin/admin-ajax.php”
and not http.request.uri.path contains " /wp-admin/theme-editor.php"
and cf.client.bot))

For the other firewall rule (Bad Bots)
I added “And” “User Agent” “contains” “Test Certificate Info”
“Action Block”

That doesn’t work either. I see I have Known bots and Spider duplicated twice. That should be fixed.
I don’t even think
Dispatch/0.14.0-SNAPSHOT and Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)
are even getting blocked as well.

Have any ideas?

I’m on mobile now and it’s a pain to muck with my own rules, but I’d try:
URI contains /http and then block it.

Try enabling this 100053 managed rule.

Yes, that actually worked. Thank you. :blush:

or (http.request.uri contains “/http”)
or (http.request.uri contains “/https”)

1 Like

If it contains http, then it should match https as well.

100053 managed rule? It’s solved now but I’m curious, what is it?

Ok that’s great news. Thank you. Stupid bots always trying to find something to muck up.

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.