I have blocked an abusive ASN in the IP Access Rules for my entire account, but I want to allow a few certain user agents from that ASN through. I have added what I thought was an exception in the Configuration Rules, but still the ASN block persists. According to the Traffic Sequence, Configuration Rules come first, and then the IP Access Rules, so is that the issue? Do I need to add the exception rule in the WAF instead (as that comes after the IP Access Rules)? I had assumed that once a rule had been declared (Configuration Rules) subsequent rules would be ignored… but that seems not to be the case.
Hey thanks for your comment. I was guessing that might be the case, but I really need to find a way to block an ASN on all websites in my account, but then add some exceptions. I can’t understand why Cloudflare expects users to add these individually across different websites… The IP Access Rules are great, but we should have the ability to apply exceptions in the same bulk manner.
You can block the ASN for all websites in the account, and then on the particular zone where you have to allow it, you can do so by selecting “Only for this Website”.
However, that’s not quite what you’d want, since you’ll allow bad actors in to access your website, while you only want to allow those with some specific user-agent string(s).
Are the IPs rotating, or always the same static ones from that particular ASN?
AS16509 AMAZON-02 is sending large amounts of abusive traffic from a wide range of IPs and playing whack-a-mole is not my idea of fun, so I have set up the IP Access Rule “Managed Challenge” for that ASN to apply across my account. Unfortunately, Let’s Encrypt also uses this ASN, and renewing my SSLs is failing as it can’t access the validation file.
So I have added a custom WAF rule to “allow” it with an Expression; however, it’s still not working.
All remaining custom rules
All rate limiting rules
All managed rules
All Super Bot Fight Mode Rules
Zone Lockdown
User Agent Blocking
Browser Integrity Check
Hotlink Protection
Security Level
Rate limiting rules (Previous version)
Managed rules (Previous version)
Here is what I see in the Events tab:
ASN: AS16509 AMAZON-02
Country: Sweden
User agent: Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)
Path: /.well-known/acme-challenge/UHCtzzzzzzzzz
Matched service
Access rules: ASN
Action taken: Managed Challenge
In the “Traffic sequence”, it shows the WAF should override the IP Access Rules.
IP Access Rules: Allow or block by IP, country, or ASN
---
Cache Rules: Customize cache settings
---
Bots: Mitigate bot traffic
---
Web Application Firewall: 3 rules active
In such a case, if you’re able to install a custom SSL certificate for your web server, I’d suggest you block the AS for all websites in the account, generate a Cloudflare Origin CA certificate for your zone (domain and sub-domains) and use Full (Strict) SSL. No need to renew it every 3 months. You’re covered for up to 15 years (or less, depending on what you select).
Thank you for this fine suggestion which I will consider further; however, the only downside I can see is that if we need to pause Cloudflare for any particular reason, a site would then be unprotected, hence the reason we have preferred to use LE. I’m perplexed that there is not a way to override an IP Access Rule, despite there being a “traffic sequence”.
In your Web browser, you’d experience the error about SSL certificate, yes.
We also have Development Mode for testing things out, making changes, etc. I am sorry, currently I might be missing the case and your viewpoint on when it would be needed for you to pause it, once you set it up and configure it correctly.
The only thing I can think of is if the same server is being used for e-mail, in which case you add a sub-domain such as mail.example.com unproxied and use e.g. acme.sh (GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol) to issue the SSL certificate for /var/www/html. That way, it can do it via a cronjob every XY days before it expires.
Of course, I don’t know your environment; it might be that you cannot use this, and you have to use some other way or have a different workaround and implementation to issue the LE certificate.
Otherwise, automate this via a bash script with the Cloudflare API to temporarily pause or switch the proxy to DNS-only. Wait 20 secs. Run the LE command to renew the SSL certificate. Upon success, restart the web server and related services using the LE SSL certificate, un-pause or switch back the proxy for those DNS records and send yourself an email notification about the event with the attached log.
I am afraid currently it’s not possible, since they come earlier than the WAF in the Traffic Sequence.
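The unproxy, renew, re-proxy sequence suggested in the reply above, written out as an added example (this is not code from the thread or from Cloudflare). It assumes an API token in CF_API_TOKEN, the zone id in CF_ZONE_ID, the DNS record ids passed as arguments, certbot as the ACME client and nginx as the web server; all of those are placeholders.

```shell
#!/bin/sh
# Added example: flip the chosen DNS records to DNS-only through the Cloudflare
# API, run the Let's Encrypt renewal, then re-proxy them. CF_API_TOKEN,
# CF_ZONE_ID, the record ids, certbot and nginx are assumptions/placeholders.
set -eu

CF_API="https://api.cloudflare.com/client/v4"
CF_DRY_RUN="${CF_DRY_RUN:-0}"          # 1 = print the request instead of sending it
CF_SETTLE_SECS="${CF_SETTLE_SECS:-20}" # wait for the DNS change to take effect

# JSON body that sets the proxied flag; rejects anything but true/false.
proxied_body() {                       # $1 = true|false
  case "$1" in
    true|false) printf '{"proxied":%s}' "$1" ;;
    *) echo "proxied_body: expected true|false, got '$1'" >&2; return 1 ;;
  esac
}

# PATCH /zones/{zone_id}/dns_records/{record_id} with the proxied flag.
cf_set_proxied() {                     # $1 = record id, $2 = true|false
  url="$CF_API/zones/$CF_ZONE_ID/dns_records/$1"
  body=$(proxied_body "$2")
  if [ "$CF_DRY_RUN" = "1" ]; then
    printf 'PATCH %s %s\n' "$url" "$body"
    return 0
  fi
  curl -fsS -X PATCH "$url" \
    -H "Authorization: Bearer $CF_API_TOKEN" \
    -H "Content-Type: application/json" \
    --data "$body" >/dev/null
}

# Unproxy, renew, re-proxy even if renewal failed, reload only on success.
renew_behind_cloudflare() {            # $@ = DNS record ids to unproxy
  rc=0
  for rec in "$@"; do cf_set_proxied "$rec" false; done
  sleep "$CF_SETTLE_SECS"
  certbot renew --quiet || rc=$?       # HTTP-01 now reaches the origin directly
  for rec in "$@"; do cf_set_proxied "$rec" true; done
  if [ "$rc" -eq 0 ]; then systemctl reload nginx; fi
  return "$rc"
}
```

Call `renew_behind_cloudflare <record_id> ...` from cron; while the records are DNS-only the origin is reachable directly, which is the exposure window the thread is weighing against the Origin CA approach.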
Well, we have some sites that don’t use cloudflare and some that use paid SSLs - thus we prefer to have a standardised approach across servers e.g. localised SSL certificates (plus some end users prefer to manage their own SSLs and Let’s Encrypt is popular).
I attach my Traffic Sequence screenshot that clearly shows IP Access Rules are “in the middle”, with Configuration Rules above it and WAF below it; however, neither of these seems to be able to override the ASN block, which seems odd, given that’s exactly the use case one would expect to be able to handle in this scenario.
Thank you for your contributions, everyone. Yes we also looked at the DNS-01 ACME challenge but it does not fit our use case.
The ideal solution would be to have a bit more flexibility from Cloudflare in how the Traffic Sequence works. We would prefer the ability to override an ASN block in a more flexible manner. Probably not going to happen, but it should, and not just for my use case; I’m sure there are many people scratching their heads wondering why rules cannot be overridden.
Absolutely, positively not going to happen. That would be a breaking change for everybody who depends on the current behavior.
IP Access Rules go back to the very early days of Cloudflare, and would have been created differently, or not at all, had they known what the future of Rules looked like.
It’s always been a blunt instrument that I use sparingly due to how inflexible it is.
“Breaking changes” is a bit dramatic? I am simply suggesting a need to have individual website custom rules override an account-wide entry. For example, we should be able to block a country at the top level, account-wide, but exempt or allow a specific IP block. Equally, to block an entire ASN across all accounts, but have the ability to exempt specific IPs or user agents. Neither of these would affect any existing users who “depend on the current behavior.”
Maybe this is already possible, if there is such a method, I have not found it.
Not at all. Those who think it’s easy to “just change that thing” are being overly optimistic.
I agree, but the closest thing there is is the Account WAF for Enterprise, and that only applies to all the Enterprise zones in an account:
With that, you can code in your exceptions in that one rule you’ve set up, like “If NOT my IP, AND it’s this Country (or ASN), then Block.”
I guess it’s just another one of those features that’s reserved for high-end customers.
It absolutely would if you’re talking about the current IP Access Rules. Otherwise, that would be a feature request, though it already does exist as I mentioned above, but not in a way that’s useful to many people.