Cloudflare firewall blocking Confluence wiki searches

We are using Cloudflare in front of Atlassian’s Confluence Wiki (among other things), and some users are reporting that they are getting blocked by Cloudflare from performing searches in Confluence.

Our Cloudflare security level for this domain is Medium. Looking at the Firewall Events, I’m seeing a few such requests being blocked by Cloudflare each day or so, all with a Rule ID of 100009C. That rule is apparently “SQLi attempt (Equation)” from the “Cloudflare Specials” group.

Question 1: Is there a way to adjust the sensitivity of that Rule for these requests?

The closest I’ve come so far is to create a custom Firewall Rule like the following:

(http.host eq "my.wiki.domain" and cf.threat_score le 10 and http.request.uri.path eq "/rest/cql/expressions") or (http.host eq "my.wiki.domain" and cf.threat_score le 10 and http.request.uri.path eq "/dosearchsite.action") or (http.host eq "my.wiki.domain" and cf.threat_score le 10 and http.request.uri.path eq "/rest/experimental/search")

Those three URI Paths are the ones that seem to be getting blocked. However, the user I’m communicating with is still getting blocked, so I suppose the cf.threat_score must be higher than 10. I’m not sure how high I’ll need to raise it, though, since the Firewall Events don’t show me what the threat score was.

Question 2: Is there a way to see what the cf.threat_score was for a particular blocked request?

For the record, I found some information in response to my questions.

Question 1: Is there a way to adjust the sensitivity of that Rule for these requests?

Answer 1: You can’t exactly adjust the sensitivity, but you can adjust whether that Rule is in “Disable”, “Simulate”, “Block”, or “Challenge” mode (i.e. what effect it has). To do so, go to Firewall > Web Application Firewall > Package: Cloudflare Rule Set (Rule details) > Cloudflare Specials, then click through the pages of rules until you find the applicable Rule ID (in my case, 100009C).

However, I ended up leaving that on the Default setting (aka Block) but raising the cf.threat_score value in my custom firewall rule to a sufficient level that it was being triggered. Then I could set my rule to Challenge (or Allow, if that’s what you prefer). Since the URI paths I was having trouble with are only accessible to logged-in users, setting up a firewall rule to let them through seems like an acceptably small risk. (If someone knows otherwise, by all means please say so.)

I had a little bit of odd behavior where it seemed to be applying the Challenge from my firewall rule, then still blocking me because of the SQLi rule, but now it seems to be behaving as desired.

Sadly (though not necessarily surprisingly), I still don’t know of any way to see what the cf.threat_score was for a particular blocked request. Thankfully, I managed to get to a working state without that.
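The following is an added example, not code from the original poster or from Cloudflare. It models the custom firewall rule from this thread locally: it builds a compact form of the rule using the Cloudflare Rules language `in {...}` set operator (so the host and threat-score conditions are written once instead of three times), and evaluates the rule's logic against a few constructed firewall events to show which search requests a given cf.threat_score ceiling would hand to the Challenge/Allow action. The sample events and their threat scores are invented for illustration; as the thread notes, the real scores of blocked requests are not shown in the Firewall Events view, which is exactly why the ceiling had to be found by raising it step by step.

```python
"""Local model of the scoped Confluence-search firewall rule from the thread.

Added example, not the poster's or Cloudflare's code. Hostname and paths are
the ones from the thread; event threat scores below are constructed.
"""
from dataclasses import dataclass

WIKI_HOST = "my.wiki.domain"  # hostname used in the thread
SEARCH_PATHS = (              # the three Confluence search endpoints from the thread
    "/rest/cql/expressions",
    "/dosearchsite.action",
    "/rest/experimental/search",
)


def build_rule_expression(host, paths, max_threat_score):
    """Return the rule as one Cloudflare Rules-language expression.

    Logically equivalent to the three OR'd clauses in the thread, but uses the
    `in {...}` set operator so the host and score conditions appear once.
    """
    path_set = " ".join(f'"{p}"' for p in paths)
    return (
        f'(http.host eq "{host}" and cf.threat_score le {max_threat_score} '
        f"and http.request.uri.path in {{{path_set}}})"
    )


@dataclass(frozen=True)
class FirewallEvent:
    host: str
    path: str
    threat_score: int  # not visible in the Firewall Events UI; constructed here


def rule_matches(event, host, paths, max_threat_score):
    """Mirror the rule: same host, one of the listed paths, score at or below the ceiling."""
    return (
        event.host == host
        and event.path in paths
        and event.threat_score <= max_threat_score
    )


def matched_events(events, max_threat_score, host=WIKI_HOST, paths=SEARCH_PATHS):
    """Events the custom rule would act on at the given cf.threat_score ceiling."""
    return [e for e in events if rule_matches(e, host, paths, max_threat_score)]


def smallest_ceiling_covering_searches(events, candidates=(10, 20, 30, 40, 50)):
    """Lowest candidate ceiling at which every search-path event on the wiki host matches.

    This is the stepwise search the thread describes, run against known scores.
    """
    searches = [e for e in events if e.host == WIKI_HOST and e.path in SEARCH_PATHS]
    for ceiling in candidates:
        if all(rule_matches(e, WIKI_HOST, SEARCH_PATHS, ceiling) for e in searches):
            return ceiling
    return None


# Constructed sample events; the scores are invented for illustration.
SAMPLE_EVENTS = [
    FirewallEvent(WIKI_HOST, "/rest/cql/expressions", 8),
    FirewallEvent(WIKI_HOST, "/dosearchsite.action", 23),
    FirewallEvent(WIKI_HOST, "/rest/experimental/search", 41),
    FirewallEvent(WIKI_HOST, "/login.action", 5),                # not a search path: never matched
    FirewallEvent("other.example", "/dosearchsite.action", 3),   # other host: never matched
]

if __name__ == "__main__":
    print(build_rule_expression(WIKI_HOST, SEARCH_PATHS, 10))
    for ceiling in (10, 30, 50):
        hits = [(e.path, e.threat_score) for e in matched_events(SAMPLE_EVENTS, ceiling)]
        print(f"cf.threat_score le {ceiling}: {hits}")
    print("smallest ceiling covering all sample searches:",
          smallest_ceiling_covering_searches(SAMPLE_EVENTS))
```

Because the rule is scoped to one host and three authenticated search paths, raising the ceiling only widens what reaches the Challenge (or Allow) action for those endpoints; the non-search and other-host events are never matched regardless of score, which is the property that keeps the exception narrow.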
