Cloudflare firewall blocking an activity it should allow

I’m running a WordPress site in GCP behind Cloudflare, and have a rule set up in CF to block attempts to access certain WordPress endpoints, like the REST API. I have been getting an alert in WordPress’s dashboard that the REST API isn’t healthy, and when I look at it, it shows an error that Cloudflare is blocking it. I looked at CF’s firewall rules, and believe I have a rule being blocked when it should be allowing it. See screenshot of CF:

I’ve tried to format the CF rule as best as possible, so here it is:

(
 ip.src ne eee.fff.ggg.6 or 
 ip.src ne aaa.bbb.ccc.131 or
 ip.src ne xxx.yyy.zzz.218
) 

and 
(
  (http.request.uri.query contains "author_name=") or 
  (http.request.uri.query contains "author=" and not http.request.uri.path contains "/wp-admin/export.php") or
  (http.request.full_uri contains "wp-config.") or 
  (http.request.uri.path contains "/wp-json/") or 
  (http.request.uri.path contains "/wp-content" and http.request.uri.path contains ".php") or
  (http.request.uri.path contains "phpmyadmin") or 
  (http.request.uri.path contains "/phpunit") or
  (http.request.full_uri contains "<?php") or 
  (http.cookie contains "<?php") or 
  (http.request.full_uri contains "../") or 
  (http.request.full_uri contains "..%2F") or 
  (http.request.full_uri contains "passwd") or 
  (http.request.uri contains "/dfs/") or 
  (http.request.uri contains "/autodiscover/") or
  (http.request.uri contains "/wpad.") or 
  (http.request.full_uri contains "webconfig.txt") or
  (http.request.full_uri contains "vuln.") or
  (http.request.uri.query contains "base64") or
  (http.request.uri.query contains "<script") or
  (http.request.uri.query contains "%3Cscript") or
  (http.cookie contains "<script") or
  (http.referer contains "<script") or
  (upper(http.request.uri.query) contains " UNION ALL ") or
  (upper(http.request.uri.query) contains " SELECT ") or
  (http.request.uri.query contains "$_GLOBALS[") or
  (http.request.uri.query contains "$_REQUEST[") or
  (http.request.uri.query contains "$_POST[")
)

Based on the block, the source IP is xxx.yyy.zzz.218, for “/wp-json/”. However, my rule says if traffic matches the following:
“NOT xxx.yyy.zzz.218” and “for uri.includes /wp-json”, then block. However, since the SRC IP = xxx.yyy.zzz.218, it should NOT be getting blocked, correct?

xxx.yyy.zzz.218 is my web server running WordPress.
aaa.bbb.ccc.131 is my home IP.
eee.fff.ggg.6 is another backup web server.

These 3 addresses should NOT be blocked based on this rule, except it seems that isn’t the case.
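
An added example, not part of the original post: a Python model of the rule's source-IP group and its /wp-json/ clause, showing that three "ne" tests joined with "or" match every address, while joining them with "and" (or using a set with "not ip.src in") exempts the three listed. The documentation-range addresses are constructed stand-ins for the redacted ones, and the function names are hypothetical.

```python
# Added example: models only the source-IP group and the /wp-json/ clause of
# the rule above. Addresses are constructed documentation-range stand-ins.
from ipaddress import ip_address

ALLOWLIST = {
    ip_address("192.0.2.6"),       # stand-in for the backup web server
    ip_address("198.51.100.131"),  # stand-in for the home IP
    ip_address("203.0.113.218"),   # stand-in for the WordPress server
}


def ip_group_as_posted(src):
    """ip.src ne A or ip.src ne B or ip.src ne C

    An address can equal at most one of A, B, C, so at least two of the
    three comparisons are always true and the OR never evaluates false.
    """
    return any(src != allowed for allowed in ALLOWLIST)


def ip_group_intended(src):
    """ip.src ne A and ip.src ne B and ip.src ne C

    By De Morgan this is not (src == A or src == B or src == C), which
    Cloudflare's rules language can also express with a set:
    not ip.src in {A B C}
    """
    return all(src != allowed for allowed in ALLOWLIST)


def blocks(ip_group, src, path):
    """True when the modelled rule matches, i.e. the request is blocked."""
    return ip_group(ip_address(src)) and "/wp-json/" in path


def compare(src, path):
    """Return (blocked_as_posted, blocked_as_intended) for one request."""
    return (blocks(ip_group_as_posted, src, path),
            blocks(ip_group_intended, src, path))


if __name__ == "__main__":
    # Constructed requests: the server's own health check, an outside client,
    # and an outside client on a path the modelled clause does not cover.
    for src, path in [("203.0.113.218", "/wp-json/wp/v2/types/post"),
                      ("198.18.0.7", "/wp-json/wp/v2/users"),
                      ("198.18.0.7", "/index.php")]:
        print(src, path, compare(src, path))
```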

Whitelist the IP in Cloudflare.


Thanks, this immediately solved the issue!

