Help with Error 503 with UAM Enabled

Service Provider: Microsoft Azure, Virtual machine
Web Server: Nginx
Backend: Node.js Express app

Context: While Under Attack Mode (UAM) is enabled on my website, everything works fine except anything that isn’t a GET request, meaning I am able to fetch data from my API but not send data. I should be clear that the frontend and backend are on the same server, so I’m using an nginx reverse proxy setup where I route / to http://localhost:3000 and /api to http://localhost:8080. If it means anything, CORS is enabled on the Express app, but I’m pretty sure it is configured correctly. This issue only occurs when UAM is on. The origin server (the Azure virtual machine) firewall is set to only accept IPs from Cloudflare using the information from IP Ranges, as suggested.

https://support.cloudflare.com/hc/en-us/articles/115003011431#503error

The article above tells me that if there is no cloudflare or cloudflare-nginx in the HTML response body then I should "Contact your hosting provider to verify if they rate limit requests to your origin web server." For one, I assume they specify HTML response body because cloudflare is found in the response headers, and two, I don’t believe Microsoft Azure rate-limits requests to my virtual machine/origin web server.

I’m unsure what to do or what I should investigate. Help? Which part of this process am I misunderstanding or looking at incorrectly?

I got lost early on with the GET and fetching, but not sending. It sounds like you only want GET requests to be challenged.

Instead of Under Attack Mode, which uses a JS Challenge, you can create a Firewall Rule that only applies to a GET for that Hostname.

I would recommend adding another criterion to check whether the traffic is coming from known bots or not. If it’s not coming from known bots, only then JS challenge them.

I mean that HTTP GET requests to my backend API resolve successfully, while requests with any other HTTP method, such as POST or OPTIONS (for CORS), return an error with status 503.

However, I will try your solution, but if anything it’s more of a workaround because, at the end of the day, UAM mode still renders important actions on my site, such as logging in, unusable. I would appreciate further discussion, tips, or any other solutions, thanks!

Just a bump to receive further insight since the post was created late at night.

We could be completely on the wrong track here. So let’s back up to Under Attack Mode, which is really supposed to be a temporary solution until you can refine firewall rules to block unwanted traffic.

With UAM off, you can do what you need to do, but your site is being attacked. Correct? If so, then disable UAM and move over to Firewall Rules.

How about a firewall rule that JS Challenges anything that’s NOT your country? That way you still have full access, but you still get a fair amount of site protection.
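
Added example, not part of the original thread and not Cloudflare's code: the two Firewall Rule expressions suggested in the replies above, modeled in Python against constructed requests to show which ones each rule would JS-challenge. The hostname example.com, the country code US, and the /api paths are assumptions.

```python
# Added illustration (not Cloudflare's code): a small model of the two Firewall
# Rules proposed in the thread. "example.com" and "US" are placeholder values.

GET_ONLY = {
    "expression": '(http.host eq "example.com" and http.request.method eq "GET" '
                  'and not cf.client.bot)',
    "action": "js_challenge",
    "matches": lambda r: (r["host"] == "example.com" and r["method"] == "GET"
                          and not r["known_bot"]),
}
NOT_MY_COUNTRY = {
    "expression": '(ip.geoip.country ne "US")',
    "action": "js_challenge",
    "matches": lambda r: r["country"] != "US",
}

def action_for(rule, request):
    """Action the rule applies to the request; 'allow' when it does not match."""
    return rule["action"] if rule["matches"](request) else "allow"

def make_request(method, path, country="US", known_bot=False):
    """Build a constructed request record with the fields the rules inspect."""
    return {"host": "example.com", "method": method, "path": path,
            "country": country, "known_bot": known_bot}

# Constructed traffic: page loads, API reads, and the non-GET calls from the thread.
SAMPLES = [
    make_request("GET", "/"),
    make_request("GET", "/api/items"),
    make_request("OPTIONS", "/api/login"),             # CORS preflight
    make_request("POST", "/api/login"),
    make_request("POST", "/api/login", country="DE"),
    make_request("GET", "/", known_bot=True),           # e.g. a search crawler
]

def challenged(rule, requests=SAMPLES):
    """(method, path, country) of every sample the rule would JS-challenge."""
    return [(r["method"], r["path"], r["country"]) for r in requests
            if action_for(rule, r) == "js_challenge"]

if __name__ == "__main__":
    for name, rule in (("GET only", GET_ONLY), ("not my country", NOT_MY_COUNTRY)):
        print(f"{name}: {rule['expression']}")
        for hit in challenged(rule):
            print("  js_challenge", *hit)
```

Under the country rule, the constructed POST from DE is still challenged, so that rule only keeps non-GET requests unchallenged for visitors inside the chosen country.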

So what I’m understanding is that UAM mode is not the actual long-term solution this service offers but instead a temporary one? I assumed the other features were just additions, since it was never really specified that instead of relying on UAM you should configure the firewalls/page rules. Thanks for clearing that up though, I’ll mark your response as the solution!

1 Like
