Bypass all security-relevant mechanisms for specific SaaS origin servers!?

What is the name of the domain?

example.com

What is the error number?

Sometimes getting: “HTTP/1.1 403 Forbidden”

What is the issue you’re encountering

We use a few SaaS services which need to access our server/website to either trigger a specific action (e.g. calling wp-cron.php of our WordPress installation to start cron jobs) or to pull images from our server to perform specific analysis. Those services can access the mentioned resources only partially - the logs show that only every second request is successful. The other requests are blocked and return “HTTP/1.1 403 Forbidden”.

What steps have you taken to resolve the issue?

We have already configured the SaaS requests’ IP addresses and user agents as exclusion rules in the WAF, as well as set the same origin IPs and user agents as specific Configuration Rules with Security Threshold “Effectively Off” - and still those services sometimes report/log “HTTP/1.1 403 Forbidden” access errors.

How can this be nailed down further?

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full

You can check why the requests were blocked here: https://dash.cloudflare.com/?to=/:account/:zone/security/events


Thanks!
Weird, from there it looks as if the rule (specific to my cron job trigger provider EasyCron) works just fine and the requests are allowed every time:

Even though on the EasyCron panel it suggests that every second run yields “403 / Forbidden”.

Now I’m quite confused!

If you look further down in the activity protocol, it all says skipped?

In that case, the 403 block would likely be from your origin server. Did you check your server logs to see what status was returned?

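The check suggested in this reply, as an added example that is not part of the thread: parse the origin's own access log and list the 403s it returned to the SaaS caller. Any 403 present in the origin log was produced by the origin, because a request blocked at Cloudflare's edge never reaches it. The log lines, the EasyCron user agent string and the "combined" log format are constructed assumptions.

```python
import re

# Constructed origin access-log sample (nginx/Apache "combined" format) for the
# wp-cron.php calls described in the thread. Client IPs are Cloudflare edge
# addresses as an origin logs them without real-IP restoration; all constructed.
SAMPLE_LOG = """\
172.70.1.1 - - [10/May/2024:10:00:01 +0000] "GET /wp-cron.php?doing_wp_cron HTTP/1.1" 200 0 "-" "EasyCron/1.0"
172.70.1.2 - - [10/May/2024:10:05:01 +0000] "GET /wp-cron.php?doing_wp_cron HTTP/1.1" 403 199 "-" "EasyCron/1.0"
172.70.1.1 - - [10/May/2024:10:10:01 +0000] "GET /wp-cron.php?doing_wp_cron HTTP/1.1" 200 0 "-" "EasyCron/1.0"
172.70.1.2 - - [10/May/2024:10:15:01 +0000] "GET /wp-cron.php?doing_wp_cron HTTP/1.1" 403 199 "-" "EasyCron/1.0"
203.0.113.9 - - [10/May/2024:10:15:30 +0000] "GET /index.php HTTP/1.1" 403 199 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_log(text):
    """Parse combined-format lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            entries.append(e)
    return entries

def saas_hits(entries, ua_substr="EasyCron", path_prefix="/wp-cron.php"):
    """Origin-logged requests from the SaaS caller, in log order."""
    return [e for e in entries
            if ua_substr in e["ua"] and e["path"].startswith(path_prefix)]

def origin_403s(entries, **kw):
    """403s the origin itself returned to the caller. A request Cloudflare
    blocks at the edge never reaches the origin, so it cannot appear here:
    every 403 in this list was generated by the origin, not by the WAF."""
    return [e for e in saas_hits(entries, **kw) if e["status"] == 403]

def status_sequence(entries, **kw):
    """Status codes in order, to make an every-second-request pattern visible."""
    return [e["status"] for e in saas_hits(entries, **kw)]

if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    print("origin 403s for EasyCron:", len(origin_403s(ents)))
    print("status sequence:", status_sequence(ents))
```

If the same timestamps show a 403 in the SaaS provider's panel but no matching line at all in the origin log, the block happened at the edge and the Security Events view is the right place to look.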

Wow, damn, you are right! Would never have thought of that - but yes, indeed it looks like the origin server triggers this. Not sure how and why every second request comes through. Very weird indeed!!!

