I am running into an issue where, at least once daily, Cloudflare is blocking communication between the core API and the authenticator API servers. They communicate using a DNS name, and I am seeing intermittent Error code 499 on the nginx of the server that initiates the request.
Both API servers are unable to communicate for almost 15 minutes and then resume working normally. I have created a Firewall rule to bypass all security if the request originates from either host's IP. Since then I see that the rule is matching the rate limiting rule (which is not enabled anyway in the configuration of the WAF). It matches and bypasses the rate limiting rule just after that 15-minute blackout. The web app keeps working all day until some time on the second day it stops working again after a login attempt. Then I need to wait 15 minutes again; it resumes working by itself, and the Firewall rule is matched 15 minutes after the login attempt that was blocked. Shouldn't the rule work from the first hit? Is there any other rule that supersedes it somewhere? Why is it doing its job only 15 minutes after the first block?
I am on a PRO plan and new to Cloudflare, so I am working somewhat in the dark. I don't have many logs to check, and I am trying to observe to find a pattern.
Did someone come across such an issue? Is there any way to bypass every rule between both APIs (the app and the authenticator)? I can't seem to find anything other than a firewall rule that makes sense.
Any help is really appreciated.
This sounds more like a client or server error. Beyond the 499 error are there other subsequent errors in the client logs or on Cloudflare when this occurs?
If it is Cloudflare limiting then look at your HTTP rate limiting settings: https://blog.cloudflare.com/http-ddos-managed-rules/
I have a PRO plan; DDoS protection cannot be set to Log so that I could log what is happening. I also tried setting the sensitivity to Essentially Off yesterday, and it didn't do anything different during the time when the applications were blocked for 15 minutes. I have now left it at Essentially Off to see if it affects the next block cycle, which will happen in 24 hours.
Is there anything other than DDoS I need to look at? I also set the Bot security level to Essentially Off to check whether it is treating the APIs as a bot.
The issue is that my core app authenticates with the API on the public DNS name, so communication always goes out and back through Cloudflare, and I fear it is treating it as a bot. I created a firewall rule to bypass if it is not a known bot between the IPs of the app and the authenticator APIs.
Is there any way to redirect traffic between the APIs on Cloudflare so that the traffic does not travel out and back in but is treated as internal traffic?
This only happens once every 24 hours, after the first login attempt to the application, and I don't have much of a window to test and troubleshoot, as it lasts for 15 minutes only and then resumes working properly.
I appreciate any idea or suggestion.
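Since the poster's only visible signal is the 499s on the initiating server's nginx, a small log-mining script helps pin down the outage windows and their duration without waiting to catch the next 15-minute blackout live. This is an added example, not code from the thread or from Cloudflare; it assumes nginx's default "combined" log format and uses constructed sample lines, and the 10-minute grouping gap is a chosen assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in nginx "combined" format (not real traffic).
# nginx status 499 means the client closed the connection before the upstream
# answered; clusters of 499s on the initiating server mark the blackout windows.
SAMPLE_LOG = """\
10.0.1.5 - - [12/Mar/2024:02:00:01 +0000] "POST /auth/token HTTP/1.1" 499 0 "-" "core-api/1.0"
10.0.1.5 - - [12/Mar/2024:02:00:06 +0000] "POST /auth/token HTTP/1.1" 499 0 "-" "core-api/1.0"
10.0.1.5 - - [12/Mar/2024:02:07:40 +0000] "POST /auth/token HTTP/1.1" 499 0 "-" "core-api/1.0"
10.0.1.5 - - [12/Mar/2024:02:14:58 +0000] "POST /auth/token HTTP/1.1" 499 0 "-" "core-api/1.0"
10.0.1.5 - - [12/Mar/2024:02:15:30 +0000] "POST /auth/token HTTP/1.1" 200 812 "-" "core-api/1.0"
10.0.1.5 - - [12/Mar/2024:09:30:00 +0000] "POST /auth/token HTTP/1.1" 200 812 "-" "core-api/1.0"
10.0.1.5 - - [13/Mar/2024:02:03:12 +0000] "POST /auth/token HTTP/1.1" 499 0 "-" "core-api/1.0"
10.0.1.5 - - [13/Mar/2024:02:11:45 +0000] "POST /auth/token HTTP/1.1" 499 0 "-" "core-api/1.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (timestamp, status, request) or None for a line we cannot parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), int(m["status"]), m["req"]

def outage_windows(log_text, status=499, max_gap=timedelta(minutes=10)):
    """Group hits with the given status into windows; a silence longer than
    max_gap starts a new window. Each window is (first_hit, last_hit, count)."""
    windows = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1] != status:
            continue
        ts = parsed[0]
        if windows and ts - windows[-1][1] <= max_gap:
            start, _, n = windows[-1]
            windows[-1] = (start, ts, n + 1)   # extend the current window
        else:
            windows.append((ts, ts, 1))        # open a new window
    return windows

def report(log_text):
    """One summary line per window: start, end, hit count, rough duration."""
    out = []
    for start, end, n in outage_windows(log_text):
        mins = (end - start).total_seconds() / 60
        out.append(f"{start:%Y-%m-%d %H:%M:%S} .. {end:%H:%M:%S}  {n} x 499  (~{mins:.0f} min)")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it over the real access log (`report(open(path).read())`) and compare the window start times against the Cloudflare firewall event timestamps to see whether the rule match really lands 15 minutes after the first 499.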