Found a random blocked URL

Hello CF Community.

I have come across a blocked URL on my site. It seem to be totally random.

After checking my logs, watching the WAF stats closely an checking my waf rules, I see no blocking in place. At this stage. I am unabe to detect the casue. This was detected using ahrefs seo tool showing a 403 error on this URL When I manually inspected indeed it is showing a Cloudflare block.

I was hoping someone might point out exactly where else I might troubeshoot futher.

https://www. techbusinessnews.com.au/ cpanel-and-the-file-transfer-protocol-ftp/

May I ask if you could share a screenshot of this error being presented / shown to you?

When I go to check this URL, I do get an 1020 Error Access denied.

If this is your website, then you should see those blocked firewall events under the WAF → Overview.

I am afraid it is caused by one of your custom-made Firewall Rules at WAF → Firewall Rules.

Click on the event to show more details which service/rule did blocked the request.

My RayID: 74dac3fc4e41fc6d if you’d like to check this in past 24h.

Screenshot 2022-09-20 at 15-06-26 Access denied1955×1069 70.1 KB

UPDATE: I am afraid you’re having a custom-made Firewall Rule that blocks the URLs which contain cpanel word in them (either a http uri path or something else).

Either modify and adjust it, or rather change the URL of the article to have like /c-panel- instead of /cpanel- which triggers it.

Hi.

Oh well that toally makes sense. I do recall having such a rule. This rule was provided to me by a past help question. I do actually have a such a cpanel block rule. However, It does not indciate that it would be blocking this URL specifically/ Its just a port block

Here is the expression I found

(http.host contains “techbusinessnews.com.au” and not cf.edge.server_port in {80 443}) or (http.request.uri.path contains “cpanel” and ip.src ne 110.23.28.129) or (http.host contains “cpanel.domain.tld” and ip.src ne 110.23.28.129)

Should this “Contains” be changed to “Equals” ?

Thank you for feedback information.

This one works well and good to have it.
Sure, it does protect from accessing to the example.com/cpanel/, however it also does catch the /cpanel-and-the-file-transfer-protocol-ftp/ or any other published blog post/article you have where the word “cpanel” is used (no matter to the order where does it stand after example.com/).

Maybe with a bit modification as:

• http.request.uri.path eq “/cpanel”

But, we’d need a bit one more combination as by add a trailing slash like /cpanel/ would pass someone through as Web browser treat this differently (some ar ehide the trailing slash, while some add it in the URL address bar).

Therefore, I think the ending expression should be:

• (http.host contains “techbusinessnews.com.au” and not cf.edge.server_port in {80 443}) or (http.request.uri.path eq “/cpanel” and ip.src ne your.ip.v4.here) or (http.request.uri.path eq “/cpanel/” and ip.src ne your.ip.v4.here) or (http.host contains “cpanel.domain.tld” and ip.src ne your.ip.v4.here)

NOTE: If you copy-paste, replace the double quotes " ", otherwise it would show you the error while parsing the expression.

With the above slightly modified, we would catch example.com/cpanel and example.com/cpanel/ which both end-up with “1020 Access denied” page to the visitor not matching the IP, while example.com/cpanel-article-title/ wouldn’t be blocked for them and they could normally see and read the article.
Alongside the access to the cPanel via port example.com:2083 is also blocked in general with the first part of that firewall expression rule.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.