Community Tip - Best Practices for Configuring CCBill with Cloudflare

Error
Try the suggestions in this Community Tip for best practices to follow when configuring CCBill.

Background
Failed Webhook calls while using CCBill and Cloudflare indicate an issue with the configuration. When this happens, follow the Quick Fix Ideas in this Tip to address.

Under :construction: To help improve this Tip, we encourage you to share other troubleshooting ideas.

Quick Fix Ideas

  1. Whitelist the CCBill IPs in your Cloudflare Firewall tab. These are CCBill’s Webhook IP Ranges. To verify, manually select the webhook link and verify that https://www.example.com/?ccbill_data=1 is shown in your log file.
  • 64.38.212.1 - 64.38.212.254
  • 64.38.215.1 - 64.38.215.254
  • 64.38.240.1 - 64.38.240.254
  • 64.38.241.1 - 64.38.241.254
  1. If you pause Cloudflare, does the issue go away? Read, How do I temporarily deactivate CloudFlare. If the error does stop, this would mean Cloudflare is causing the issue.

  2. Make sure your server is running an operating system that supports TLS 1.2. CCBill supports TLS 1.2 as of April 2017.

  3. Restore visitor IP. You are not restoring the client IP in your logs. Cloudflare acts as a proxy so all requests will come from Cloudflare IPs to your web server, but we forward the true client IPs in the request headers that can be restored. If CCBill requires that the requests come from their IPs in order for their system to work, this may be the cause. How to restore Visitors IP?

  4. CCBill is trying to connect over https:// but CCBill does not support SNI (Server Name indication). SNI is required by our free plan SSL certificates. Upgrade to Pro if you need SNI support. Universal SSL supports Server Name Indication (SNI) and Elliptic Curve certificates (ECDSA). If you need broader browser compatibility for older browsers/operating systems, our Pro plan plan provides this.

  5. Disable browser integrity check. Sometimes, the user-agent Java/1.6.0_03 used in POST requests triggers the browser integrity check.

  6. You’re attempting to reach Cloudflare on port 3306 or some other port that Cloudflare does not support for https traffic. Check and make sure CCBill is using a port that Cloudflare supports for https traffic. If your traffic is on a different port, you can add it as a record in your Cloudflare DNS zone file as something we don’t proxy (i.e., :grey:).

  7. SNI is supported but you’re subject to SNI eavesdropping by local authorities that block HTTPS access. SNI blocking checks and blocks the target server in the SNI field. This is not related to communication interception nor data packet interception but is used to block illegal sites. There is no work around to this block.

  8. The IP address that will hit the origin server will be different depending on the where the request originates. Whitelist Cloudflare IP addresses on your network router, origin server operating system, and origin firewall to ensure you have all Cloudflare IPs white listed on all network-aware devices.

Lite Reading

Research The Issue
YouTube
Community
Google

If You Need More Help
This community of other Cloudflare users may be able to assist you, if not, login to Cloudflare and then contact Cloudflare Support. When you contact support, make sure to include as much of this information as possible: the specific error message your are seeing, the URLs this is happening on, screen shot of the error, steps to reproduce the error, and HAR file(s). Please indicate which of the Quick Fix Ideas you’ve tried in order to help Customer Support help you.

Expert Comments Appreciated
This Community Tip will remain open for input from Community experts and those familiar with this issue. We really appreciate comments like: “What are the three things to always try”, or “Do this first” or “In my experience”.

This is a Cloudflare Community Tip, to review other tips, click here.

2 Likes

This topic was automatically closed after 14 days. New replies are no longer allowed.