Found a random blocked URL

Hello CF Community.

I have come across a blocked URL on my site. It seem to be totally random.

After checking my logs, watching the WAF stats closely an checking my waf rules, I see no blocking in place. At this stage. I am unabe to detect the casue. This was detected using ahrefs seo tool showing a 403 error on this URL When I manually inspected indeed it is showing a Cloudflare block.

I was hoping someone might point out exactly where else I might troubeshoot futher.

https://www. techbusinessnews.com.au/ cpanel-and-the-file-transfer-protocol-ftp/

May I ask if you could share a screenshot of this error being presented / shown to you?

When I go to check this URL, I do get an 1020 Error Access denied.

If this is your website, then you should see those blocked firewall events under the WAF → Overview.

I am afraid it is caused by one of your custom-made Firewall Rules at WAF → Firewall Rules.

Click on the event to show more details which service/rule did blocked the request.

My RayID: 74dac3fc4e41fc6d if you’d like to check this in past 24h.

UPDATE: I am afraid you’re having a custom-made Firewall Rule that blocks the URLs which contain cpanel word in them (either a http uri path or something else).

Either modify and adjust it, or rather change the URL of the article to have like /c-panel- instead of /cpanel- which triggers it.

Hi.

Oh well that toally makes sense. I do recall having such a rule. This rule was provided to me by a past help question. I do actually have a such a cpanel block rule. However, It does not indciate that it would be blocking this URL specifically/ Its just a port block

Here is the expression I found

(http.host contains “techbusinessnews.com.au” and not cf.edge.server_port in {80 443}) or (http.request.uri.path contains “cpanel” and ip.src ne 110.23.28.129) or (http.host contains “cpanel.domain.tld” and ip.src ne 110.23.28.129)

Should this “Contains” be changed to “Equals” ?

Thank you for feedback information.

This one works well and good to have it.
Sure, it does protect from accessing to the example.com/cpanel/, however it also does catch the /cpanel-and-the-file-transfer-protocol-ftp/ or any other published blog post/article you have where the word “cpanel” is used (no matter to the order where does it stand after example.com/).

Maybe with a bit modification as:

  • http.request.uri.path eq “/cpanel”

But, we’d need a bit one more combination as by add a trailing slash like /cpanel/ would pass someone through as Web browser treat this differently (some ar ehide the trailing slash, while some add it in the URL address bar).

Therefore, I think the ending expression should be:

  • (http.host contains “techbusinessnews.com.au” and not cf.edge.server_port in {80 443}) or (http.request.uri.path eq “/cpanel” and ip.src ne your.ip.v4.here) or (http.request.uri.path eq “/cpanel/” and ip.src ne your.ip.v4.here) or (http.host contains “cpanel.domain.tld” and ip.src ne your.ip.v4.here)

NOTE: If you copy-paste, replace the double quotes " ", otherwise it would show you the error while parsing the expression.

With the above slightly modified, we would catch example.com/cpanel and example.com/cpanel/ which both end-up with “1020 Access denied” page to the visitor not matching the IP, while example.com/cpanel-article-title/ wouldn’t be blocked for them and they could normally see and read the article.
Alongside the access to the cPanel via port example.com:2083 is also blocked in general with the first part of that firewall expression rule.