Firewall URI rule not working

Hi,
My server keeps being overloaded and I think it’s because of an attack, I normally see many GET requests like the below at the time of the outage:

“GET /.git/objects/e8/3d0f5a8586ef37d33379b0398d5a7fd50939b6 HTTP/1.0” 404 21470

I’ve set up a firewall rule for URI contains /.git but it never blocks these requests. When I test trying to access the same URI I get blocked.

Is it possible they’re bypassing Cloudflare? I have no idea how to check.

The last time this happened I used an IP tracker site to track the IP, it said the source was Romania. I also have a Firewall rule to present a challenge for certain countries, which includes Romania. But this IP didn’t trigger that rule. I also have Rate limiting enabled, 70 requests in 10 seconds - which this IP’s requests should have triggered - but it doesn’t. I’m at a loss as to why these requests get through.

The A and CNAME records for this site are proxied.

Any help appreciated!

Yes, if they are directly accessing your server by its IP.

If you check the IP of the access, it should be a Cloudflare IP, unless you are restoring visitor IPs.

Look at this guide for tips for securing your server:
https://developers.cloudflare.com/fundamentals/get-started/task-guides/origin-health/free/

Apache? Log format looks like Apache.

First of all, traffic from Cloudflare shouldn’t ever come in as HTTP/1.0, so there’s your first clue.

Second, you should really be logging the “Host:” header so you can see how requests are really coming in. It’s quite likely this traffic is targeting your IP address directly rather than any hostname. So it’s not so much that they’re “bypassing” Cloudflare as that they don’t even know you’re on Cloudflare, they’re just scanning IPs.

Third, I assume you’re already using the Remote IP mod so that you see actual visitor IPs rather than Cloudflare IPs, right? I was in the same boat, not able to easily tell if traffic came in through Cloudflare or not, so I added CF’s geography headers to my log file, like this:

LogFormat "[%{%Y-%m-%d/%H:%M}t] %{Host}i %h \"%r\" %>s \"%{Referer}i\" \"%{User-agent}i\" %{cf-ipcountry}i %{cf-ipcity}i %{cf-iplatitude}i %{cf-iplongitude}i" perfect

So traffic that didn’t come in through Cloudflare will log a rather obvious - - - - at the end of the line.

Finally, you should consider turning on Authenticated Origin Pulls, see https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/

I downloaded the certificate and put this in my global configuration:

SSLCACertificateFile /etc/apache2/authenticated_origin_pull_ca.pem

then I put this in the vhosts I wanted to protect:

SSLVerifyClient require

I didn’t enable it globally because I have non-Cloudflared vhosts, but you could do it globally if you wanted to shut out non-Cloudflare traffic to the entire server.

(and turn it on in the dashboard obviously)


Hi, thanks for your reply! I have tried modifying my log format with no success. I’m not sure what I’m doing wrong. I put the LogFormat line in my virtual host file.
My server is a DigitalOcean droplet with Serverpilot, mod_remoteip is enabled as far as I’m aware from their documentation. In the access log I see my IP and the requests are HTTP/1.0 but definitely going via Cloudflare. I’m inspecting using dev tools and the headers show content is being served from Cloudflare.

I have set up Authenticated Origin Pulls but I’m not sure if it’s actually doing it. Note the certificate file I downloaded from Cloudflare is a .cer file even though they say it’s a .pem both in their documentation and the link to the download itself - but once downloaded it’s .cer. I’m not sure why, do I need to convert it? I’ve actually tried testing by having Authenticated Origin Pulls enabled in the Cloudflare dashboard for that domain, but I commented out the SSLCACertificateFile line in the virtual host file expecting an error but nothing happens, the site still loads normally. Really not sure what I’m doing wrong here. Excuse my ignorance 🙂
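Two checks that fit the last post's questions, as an added example that is not from the thread, Cloudflare or Apache: the first looks at the bytes of the downloaded CA file rather than its extension to tell PEM from DER (and converts DER to the PEM text that SSLCACertificateFile reads), assuming the file is an X.509 certificate in one of those two encodings; the second connects straight to the origin IP with SNI for the vhost and no client certificate, which is the connection Authenticated Origin Pulls is meant to refuse. The origin IP and hostname are parameters you supply; the function names and the test bytes are mine.

```python
"""Check what encoding a downloaded CA file actually uses (the extension alone
does not tell you), convert DER to the PEM that SSLCACertificateFile expects,
and probe an origin directly without a client certificate to see whether
Authenticated Origin Pulls is enforced. Added example, not from the thread."""
import base64
import re
import socket
import ssl
import sys
from pathlib import Path

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def detect_cert_format(data: bytes) -> str:
    """'pem' for an ASCII-armoured certificate, 'der' for raw ASN.1 (which always
    starts with a SEQUENCE tag, 0x30), otherwise 'unknown'."""
    head = data.lstrip()
    if head.startswith(PEM_HEADER.encode("ascii")):
        return "pem"
    if head[:1] == b"\x30":
        return "der"
    return "unknown"


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]  # PEM wraps at 64 columns
    return "\n".join([PEM_HEADER, *body, PEM_FOOTER]) + "\n"


def pem_to_der(pem: str) -> bytes:
    m = re.search(re.escape(PEM_HEADER) + r"(.*?)" + re.escape(PEM_FOOTER), pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def ensure_pem_bytes(data: bytes) -> str:
    """Return PEM text for a certificate file's bytes, converting DER if needed."""
    fmt = detect_cert_format(data)
    if fmt == "pem":
        return data.decode("ascii")
    if fmt == "der":
        return der_to_pem(data)
    raise ValueError("file is neither PEM nor DER")


def ensure_pem_file(src: str, dst: str) -> str:
    pem = ensure_pem_bytes(Path(src).read_bytes())
    Path(dst).write_text(pem)
    return detect_cert_format(pem.encode("ascii"))


def probe_origin_without_client_cert(origin_ip: str, server_name: str,
                                     port: int = 443, timeout: float = 5.0) -> tuple:
    """Connect straight to the origin (not through Cloudflare), send SNI for the
    vhost, present no client certificate, and report what the origin does.
    With SSLVerifyClient require in effect this must not end in a normal page:
    expect ('tls_rejected', ...) or an HTTP 4xx status line, never a 200."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we test the origin's demand for OUR cert, not its own cert
    req = f"HEAD / HTTP/1.1\r\nHost: {server_name}\r\nConnection: close\r\n\r\n".encode("ascii")
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
                tls.sendall(req)
                data = tls.recv(4096)  # a TLS 1.3 "certificate required" alert surfaces here
                if not data:
                    return ("connection_closed", "origin closed the connection without a response")
                return ("http_response", data.split(b"\r\n", 1)[0].decode("ascii", errors="replace"))
    except ssl.SSLError as exc:
        return ("tls_rejected", str(exc))
    except OSError as exc:
        return ("connection_error", str(exc))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print("wrote PEM, format check:", ensure_pem_file(sys.argv[1], sys.argv[2]))
    elif len(sys.argv) == 4 and sys.argv[1] == "probe":
        print(probe_origin_without_client_cert(sys.argv[2], sys.argv[3]))
    else:
        print(f"usage: {sys.argv[0]} <downloaded.cer> <out.pem> | probe <origin-ip> <hostname>")
```

If the probe returns a 200 status line, the vhost is still answering connections that presented no Cloudflare client certificate, which matches the symptom in the post (commenting out SSLCACertificateFile changed nothing). A TLS rejection or a 403 means the `SSLVerifyClient require` directive is being applied to that vhost.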