My CF Firewall Rules work for most but not all requests. I’m on the CF Free Plan but am thinking of moving to the Pro.
In particular, I get a lot of the well-known POST /boaform/admin/formLogin requests and am surprised CF lets them through.
My Rules seem to work OK, and I catch any bad requests that get through at the server, but it would be good to know why CF does not block all bad requests.
I notice that mostly, but not always, the attacks start with a legitimate request, e.g., “GET / HTTP/1.1”, and I am wondering whether it is a CF caching issue. Also, the second (bad) request comes in with the same timestamp so maybe too quick for the Free Plan.
Here is an example from my error/access logs:
[Tue Oct 19 13:48:00.475226 2021] [authz_core:error] [pid 23157] [client 22.214.171.124:49539] AH01630: client denied by server configuration: /var/www/html/wp-includes
126.96.36.199 - - [19/Oct/2021:13:48:00 +0000] “GET / HTTP/1.1” 200 4753 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36”
188.8.131.52 - - [19/Oct/2021:13:48:00 +0000] “GET /wp-includes/wlwmanifest.xml HTTP/1.1” 403 399 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36”
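Added example, not part of the original post: a small Python check for the pattern described above, where an unwanted request shares a timestamp with a normal one from the same logged client address. It assumes Apache combined log format; the sample lines, the addresses in them, and the names `PROBE_PREFIXES` and `find_same_second_probes` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (combined log format); addresses are from the
# documentation range 203.0.113.0/24, not from the original post.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Oct/2021:13:48:00 +0000] "GET / HTTP/1.1" 200 4753 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Oct/2021:13:48:00 +0000] "GET /wp-includes/wlwmanifest.xml HTTP/1.1" 403 399 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Oct/2021:13:50:12 +0000] "POST /boaform/admin/formLogin HTTP/1.1" 404 196 "-" "-"
203.0.113.20 - - [19/Oct/2021:13:51:30 +0000] "GET / HTTP/1.1" 200 4753 "-" "Mozilla/5.0"
"""

# client address, [timestamp], "METHOD path protocol", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Path prefixes of the unwanted requests named in the post; extend for your site.
PROBE_PREFIXES = ("/boaform/", "/wp-includes/")


def find_same_second_probes(log_text):
    """Group requests by (client address, timestamp) and report every group
    that contains a probe path, with any other paths seen in that second."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines in another format (e.g. error log) are skipped
            buckets[(m["ip"], m["ts"])].append(m["path"])

    findings = []
    for (ip, ts), paths in buckets.items():
        probes = [p for p in paths if p.startswith(PROBE_PREFIXES)]
        others = [p for p in paths if not p.startswith(PROBE_PREFIXES)]
        if probes:
            findings.append(
                {"ip": ip, "ts": ts, "probes": probes, "same_second": others}
            )
    return findings


if __name__ == "__main__":
    for f in find_same_second_probes(SAMPLE_LOG):
        kind = "paired with " + ", ".join(f["same_second"]) if f["same_second"] else "alone"
        print(f'{f["ts"]} {f["ip"]} {", ".join(f["probes"])} ({kind})')
```

Run against the real access log, the output shows how many of the unwanted requests arrive alone and how many arrive in the same second as an ordinary request.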