Git over Tor = 403

I’m currently testing free Cloudflare, and I’m running a Git server (version control) over HTTP(S), which I’m trying to use over Cloudflare. Unfortunately there appear to be security rules in place, preventing me from issuing commands to the Git server, because the Cloudflare servers block them with a 403 response while I’m using Tor. This is not an issue if I don’t connect through Tor or when connecting to the server directly and not through Cloudflare.

I found some posts from people saying that requests to URLs containing “.git” are blocked, and you’d have to set up certain page/firewall rules, like setting the “Web Application Firewall” to off for Git URLs, but I can’t seem to find that option, and I also read that that feature is Pro only. And all other security settings I tried turning off for testing purposes didn’t change anything, I always get a 403 from the Cloudflare servers.

Is there a solution to this problem?

I found that the specific rule that’s causing this problem is “100016”, rule message: “Version Control - Information Disclosure”.

After a bit more searching I stumbled over a topic about Wordpress users having a problem with the WAF as well, and not being able to change anything about it, because some WAF rules apparently apply to the free plan, but you are not able to configure those rules without Pro. The conclusion to that thread was that there is no solution.

I suppose the question then becomes, how do you disable WAF rules while on the free plan, and if you went with Pro, would you be able to disable this specific rule? What perplexes me, is that everything is working while not using Tor, but that whitelisting Tor traffic doesn’t solve the issue.

Nothing? Not even a “go Pro and you’ll be golden”? :confused:

Cloudflare is not intended to run Git. If you disable enough firewall features you will probably be able to proxy it over, but at that point you could still be in violation of paragraph 2.8 of the terms of service.

As you mentioned, WAF should not apply to Free plans, if it does you might want to clarify this with support. There is no proper way to disable WAF on Free plans (as it shouldn’t be available in the first place) but whitelisting should fix that, respectively you could also try a page rule and disable security for that particular path. Did you try that yet?

But yes, “going Pro” would allow you to customise WAF too :slight_smile:

This topic was automatically closed after 30 days. New replies are no longer allowed.