Hello - I have a server in my infrastructure that runs a python script against a URL that is protected by CloudFlare. When the URL is orange clouded, the script fails… when it’s grey clouded, it works fine. I have created a firewall rule for my network range of all my servers and set it to allow, yet the script continues to fail. The WAF is also disabled.
What can I do to keep CloudFlare protections (orange cloud) on this URL, but allow my on prem server to continue to run its script against the URL without it failing?
When you say “connect directly” what do you mean by that?
I can’t speak to exactly what in the script is failing since I’m not the developer who created it. All I know is we have a python script that executes on the server and reaches out to an orange clouded URL for information to create a report. I have allowed the network range of all my servers in the infrastructure to “allow” on the CloudFlare firewall… so I’m not sure why it’s failing.
Yes. Both servers are part of the same infrastructure and have no issues with communication. This is a CloudFlare issue which appears to be blocking a python script when going to this specific URL which is orange clouded. I would mainly like to know if there is a way to white list this server (which it already seems to be in the firewall) so the URL in question will allow this server to run its necessary scripts against it.
You have a Python script which fetches a Cloudflare URL.
The best way to find out what the error is would be to have the response when the error appears. Do you have the ability to check that? If the firewall fires it would show as a Firewall entry in the Dashboard as well.
Yes, we have a python script that makes a call to one of our URLs which is orange clouded by CloudFlare. Turning off the orange cloud on that URL makes that script work again. Is there no way to make a rule that allows that server's public IP address to bypass the CloudFlare firewall and be able to run its script against the orange clouded URL? I thought this is what the white list was for?
Yes, that’s what the whitelist is, which is exactly the reason why I would like the error it gives and also that you check your firewall log in the Cloudflare dashboard. The first would be Cloudflare branded and the second would report it.
Could it be that it’s querying via HTTP and Cloudflare forces HTTPS making the connection fail before it even gets to Cloudflare? Or maybe it doesn’t support the specific certificate authority or some cipher.
The script appears to be communicating via HTTPS, I also have SSL configured in CloudFlare for “full” and all my sites appear to work fine. I checked the firewall and it looks like the source IP is set to “allow” and also at one point I had it set to bypass. Neither of these options worked as the script failed. Is there anything else I can check to see what the issue is?
After further review, when using Postman to make a web service call to this URL, it works but when doing the same functions via code, it does not work. I was told that it could be an HTTP header issue, but shouldn’t a firewall whitelist allow this regardless?
You should only need IP Access Rules to whitelist an IP. Could you please share the error code / description that appears in response to the script request?
Also, in the log you posted above there are no Firewall blocked events. There is an allow and bypass which I assume are from the whitelisted IP (?). So the Firewall doesn’t seem to block the call made by the script (unless there are block events in the other activity log lines).
Origin web server application crashes
Cloudflare IPs not allowed at your origin
Headers exceeding 32 KB (typically due to too many cookies)
An empty response from the origin web server that lacks an HTTP status code or response body
Missing response headers or origin web server not returning proper HTTP error responses
I don’t think the first 3 apply to me as I know the web server application is running, the CloudFlare IPs are allowed (we allow all in on 80/443 only), cookies shouldn’t be an issue as well. However, the last 2 could be something to look into. I am running Apache on my web server to handle the incoming 80 and 443 requests. Could there be something that needs to be added to the httpd.conf file to make sure these are returning a response header? There hasn’t been an issue up until now, but I can look into that further. Still the question remains… how come when using an IP Access rule to white list these IP addresses are these functions getting blocked?
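The thread keeps returning to the request to capture the response the script gets when it fails. The following is an added example, not code from any poster in this thread: a small Python helper that records the status, headers and start of the body, then guesses whether the Cloudflare edge or the origin produced the error. The function names and labels are hypothetical and the classification is a heuristic.

```python
import sys
import urllib.error
import urllib.request

def diagnose(status, headers, body=""):
    """Heuristic: who produced this response, the origin or the Cloudflare edge?"""
    h = {k.lower(): v for k, v in headers.items()}
    # Proxied (orange cloud) responses carry a CF-RAY header and "Server: cloudflare".
    if "cf-ray" not in h and h.get("server", "").lower() != "cloudflare":
        return "not-proxied"
    # 520-527 are Cloudflare-specific: the edge got no valid response from the origin.
    if 520 <= status <= 527:
        return "edge-origin-failure"
    # Cloudflare-branded block/challenge pages name Cloudflare in the body.
    if status >= 400 and "cloudflare" in body.lower():
        return "edge-generated"
    if status >= 400:
        return "origin-error-proxied"   # the origin's own error, relayed by the edge
    return "ok"

def fetch_and_report(url, request_headers=None, timeout=15):
    """Make the same kind of call the failing script makes and keep the evidence."""
    req = urllib.request.Request(url, headers=request_headers or {})
    try:
        resp = urllib.request.urlopen(req, timeout=timeout)
        status = resp.status
    except urllib.error.HTTPError as err:
        resp, status = err, err.code    # 4xx/5xx still carry headers and a body
    except urllib.error.URLError as err:
        # TLS, DNS or connect failure: no HTTP response was ever received.
        return {"verdict": "transport-failure", "reason": str(err.reason)}
    headers = dict(resp.headers.items())
    body = resp.read(4096).decode("utf-8", "replace")
    return {
        "verdict": diagnose(status, headers, body),
        "status": status,
        "cf_ray": headers.get("CF-RAY"),        # quote this ID when asking for help
        "sent": dict(req.header_items()),       # compare with what Postman sends
        "response_headers": headers,
        "body_start": body[:300],
    }

if __name__ == "__main__":
    # Usage: python cf_diag.py https://your-orange-clouded-url/
    for key, value in fetch_and_report(sys.argv[1]).items():
        print(f"{key}: {value}")
```

Run it from the on-prem server with the URL as the only argument; a `transport-failure` verdict points at TLS or connectivity rather than a firewall rule.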