My rule is (http.user_agent contains “Chrome/” and not http.request.uri.path contains “/static/” and not http.user_agent contains “Chrome/1” and not http.user_agent contains “Chrome/9” and not http.user_agent contains “Chrome/8”)
This seems to be working for most requests,…
But I am still seeing requests get through that are not challenged.
The last user agents being:
Mozilla/5.0 (Linux; Android 8.0; Pixel 2 Build/OPD3.170816.012) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.6306.1020 Mobile Safari/537.36
Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.1940.1868 Mobile Safari/537.36
When I change my Chrome user agent manually to this user agent, I am presented with a challenge.
I have checked to make sure these requests are not bypassing Cloudflare, and that is not the case.
How are these ips getting past the Firewall and making requests to my page that should be firewalled with the above rule?
I don’t have a sample url, but the website is www.infinitesweeps.com
There are many other rules configured and there are no requests shown in the event log.
I went through every rules ( I have a few setup to not log) and IP access rule…
This is happening for like about 10 percent of the requests seem to get through, maybe a little more from various ISP’s
The last two being:
Is your server configured to only accept connections from Cloudflare? If not, these might be direct requests.
It is not firewalled to only accept Cloudflare connections, but I log all connections that are direct.
There are no direct connections happening…
There is also another version www.infinitesweeps.ca with a Cloudflare separate account, but there is nothing there either.
Are challenges not presented to Mobile users? When I spoofed my user agent with this on Mobile Desktop, I was presented a challenge and denied access for an out-of-date browser.
Unless you have an exception, Cloudflare will apply the rule to all requests.
I just ran a request with the user agent you posted and it got challenged
$ curl -I https://www.infinitesweeps.com/ -H 'User-agent: Mozilla/5.0 (Linux; Android 8.0; Pixel 2 Build/OPD3.170816.012) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.6306.1020 Mobile Safari/537.36'
If you change the rule’s status, it can take a few seconds until it is working in all datacentres, but apart from that it really probably is a direct request.
Ya, I get it too…
These requests should pick up too. There is lots of them and they are all requesting the same pages - but some seem to miss or have a “pre authorized challenge” and are bypassing having to take the challenge again.
I have that setting turned off to use other websites Challenges, but that’s all I can think of.
If I find something, I’ll post here. But I looked for over an hour and it keeps happening to multiple ISP"s for it to be a weird rule in my settings
If they passed the challenge before, they’ll certainly be “pre-authorised” for the period you indicated for your account. Such requests won’t be re-challenged until that expired.
But generally, the challenge seems to work, unless you have one of the mentioned exceptions.
Not preauthorized by my website. These are new requests…
I was being flooded with Cloud IPS and this week have setup good detection using CLoudflare and now they have shifted to these like virus out of date browsers that are ISP’s from the USA now.
They should be picking up with that challenge rule… Hopefully I can find something.
New request again got through:
agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.6105.1361 Mobile Safari/537.36
Logs = Nothing. Got through no problem.
Is it possible for a browser to bypass the Bot Detection, and then keep bouncing around ips with a proxy ? Would each proxy not have to request the challenge again? I don’t see why they would use such out of date user agents then. That scenario, it should still log. Something is weird I think.
They’ll be either whitеlisted by a previous rule or connect directly.
What’s the actual IP address from the last request?
LOL, that must be cloudflare doing that.
107 142 172 15
Hopefully that works?
What do you mean?
The address can be posted
Whoa, no. I got something weird back when you posted. Cloudflare must do that for security…
Can you look things up or something? I can Spell It Out.
Or are you saying there is a new request from 107?
107 - 142 - 172 - 15
one zero seven dot one four two dot one seven two dot one five