Firewall Rules Don't Always Block

Hi All,

My CF Firewall Rules work for most but not all requests. I’m on the CF Free Plan but am thinking of moving to the Pro.

In particular, I get a lot of the well-known POST /boaform/admin/formLogin requests and am surprised CF lets them through.

My Rules seem to work OK and I catch any bad requests that get through at the server but it would be good to know why CF does not block all bad requests.

I notice that mostly, but not always, the attacks start with a legitimate request, e.g., “GET / HTTP/1.1”, and I am wondering whether it is a CF caching issue. Also, the second (bad) request comes in with the same timestamp so maybe too quick for the Free Plan.

Here is an example from my error/access logs:

[Tue Oct 19 13:48:00.475226 2021] [authz_core:error] [pid 23157] [client 93.90.205.183:49539] AH01630: client denied by server configuration: /var/www/html/wp-includes

93.90.205.183 - - [19/Oct/2021:13:48:00 +0000] “GET / HTTP/1.1” 200 4753 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36”

93.90.205.183 - - [19/Oct/2021:13:48:00 +0000] “GET /wp-includes/wlwmanifest.xml HTTP/1.1” 403 399 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36”

Thanks.

David

Cloudflare lets most requests through by default.

But if you think something’s getting through that you’re trying to block, make sure your server blocks all requests that don’t come through Cloudflare IP addresses at cloudflare.com/ips

Thanks for your suggestion. I tried this but Apache denies because I use mod_remoteip to restore original visitor IPs. I did place it before RemoteIPTrustedProxy but no success. I can’t think of a workaround and any suggestions would be appreciated. Thank you.
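
Added example, not part of the original thread or any poster's configuration: one way to admit only connections arriving from the proxy ranges while mod_remoteip is active, assuming an Apache 2.4 release that provides the CONN_REMOTE_ADDR expression variable. The address ranges are documentation placeholders, and the cf_peer log format name and log file path are hypothetical.

```apache
# Added example. 192.0.2.0/24 and 2001:db8::/32 are documentation
# placeholders: replace them with the ranges published at cloudflare.com/ips.

# Restore the visitor address from Cloudflare's header, but only when the
# TCP peer is one of the listed proxies.
RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxy 192.0.2.0/24
RemoteIPTrustedProxy 2001:db8::/32

<Directory "/var/www/html">
    # Does not work with mod_remoteip: "Require ip" is evaluated against the
    # restored visitor address, so real visitors never match a proxy range.
    # Require ip 192.0.2.0/24 2001:db8::/32

    # Works: CONN_REMOTE_ADDR is the raw address of the TCP peer, untouched
    # by mod_remoteip, so only connections from the listed ranges are allowed.
    <RequireAny>
        Require expr "%{CONN_REMOTE_ADDR} -ipmatch '192.0.2.0/24'"
        Require expr "%{CONN_REMOTE_ADDR} -ipmatch '2001:db8::/32'"
    </RequireAny>
</Directory>

# Log both addresses to see which requests reached the origin directly:
# %a = restored visitor address, %{c}a = underlying peer address.
# (cf_peer and the log path are hypothetical names.)
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %b" cf_peer
CustomLog "logs/access_cf_peer.log" cf_peer
```

In the resulting log, a request that passed through the proxy shows different values in the first two fields, while a request sent straight to the origin address shows the same value in both and is never evaluated by the Firewall Rules.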
