I’m currently testing free Cloudflare, and I’m running a Git server (version control) over HTTP(S), which I’m trying to use over Cloudflare. Unfortunately there appear to be security rules in place, preventing me from issuing commands to the Git server, because the Cloudflare servers block them with a 403 response while I’m using Tor. This is not an issue if I don’t connect through Tor or when connecting to the server directly and not through Cloudflare.
I found some posts from people saying that requests to URLs containing “.git” are blocked, and you’d have to set up certain page/firewall rules, like setting the “Web Application Firewall” to off for Git URLs, but I can’t seem to find that option, and I also read that that feature is Pro only. And all other security settings I tried turning off for testing purposes didn’t change anything, I always get a 403 from the Cloudflare servers.
Is there a solution to this problem?
I found that the specific rule that’s causing this problem is “100016”, rule message: “Version Control - Information Disclosure”.
After a bit more searching I stumbled over a topic about Wordpress users having a problem with the WAF as well, and not being able to change anything about it, because some WAF rules apparently apply to the free plan, but you are not able to configure those rules without Pro. The conclusion to that thread was that there is no solution.
I suppose the question then becomes, how do you disable WAF rules while on the free plan, and if you went with Pro, would you be able to disable this specific rule? What perplexes me, is that everything is working while not using Tor, but that whitelisting Tor traffic doesn’t solve the issue.