I’m using the free level of Cloudflare for caching a Joomla site with about 300,000+ requests per day and about 10,000+ unique visitors per day.
I’ve just noticed there are quite a large number of blocked attempts to access some static files on our site, such as our RSS/RDF feeds with files ending in .rdf, .rss and .xml.
I’ve tried adding firewall rules that exclude blocking these requests, but it still seems not all requests are allowed. All of these rules are part of a single firewall using the “OR” function for each, such as:
URI Path contains /static-files/file1.rss
URI Path contains /file2.rdf
URI Path contains /static-files/file3.xml
We’re only using it for caching images. For the media.mydomain.com site that we’re using for caching, I have the following page rules:
Disable Security, Browser Cache TTL: 4 hours, Security Level: Essentially Off, Cache Level: Cache Everything, Edge Cache TTL: a month, Disable Performance
For the site itself, we have the following:
Auto Minify: Off, Cache Level: Bypass, Disable Apps, Disable Performance
I’m reluctant to disable security altogether, but I don’t fully understand why the rules I’ve added don’t seem to be working reliably.
Does Cloudflare still consider potentially malicious bots despite having a firewall rule that allows access to static files? The accesses that are still being blocked are of the form:
05 Sep, 2020 18:07:03
Browser integrity check
I’ve also added an “allow” firewall rule that “contains” simply “/” as the “URI Path”. Should that not effectively disable the firewall? I’ve noticed after adding this rule that it is now allowing access to URLs including query strings, like “?option=com_content&view=article&id=158282”
Do the “contains” firewall rules allow wildcards? Or is it just a subset? In other words, if I just allow “/articles”, does that include any of the specific articles within the /articles/ tree?