Depending on how you have your logging configured, that IP 2001:ee0:53d0:6670:d3a:41af:e74:6cfb is not Cloudflare. If you haven’t modified your web server to log x-forwarded-for or cf-connecting-ip then that log line implies that 2001:ee0:53d0:6670:d3a:41af:e74:6cfb is coming to your server directly and hence not via the Cloudflare firewall.
The first thing to check is to make sure your server is only accessible by the Cloudflare IPs:
Alternatively you can also use Cloudflare Tunnels to further secure things and then drop any/all incoming connections:
Once it’s confirmed you are secured behind Cloudflare - you can then look at the Firewall rules.
I wasn’t suggesting you block the IP - but pointing out this traffic could be coming to your server directly and ignoring your Cloudflare Firewall rules. It’s important to make sure your origin isn’t accepting traffic from non-Cloudflare sources, otherwise attackers can hit your server directly - read protect your origin for more.
If you haven’t created a Firewall rule yet - I checked internally and a request with a double slash like //?= will be normalised by our service into /?= as per:
You could create a normal URI Firewall Rule to block /?= if you’re happy to block both in the WAF like this:
If you want to block just //?= then you would need to click Edit expression and change the rule to use the raw version of the field which will give you the URI before normalisation occurs:
(raw.http.request.uri contains "//?=")
These fields are all explained here:
If you want to block just //?=XXXX where XXXX is digits of unknown length you would need to use a regular expression which gets more complex:
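
An added example, not part of the original posts and not Cloudflare's code: a Python check of origin access logs that flags requests whose TCP peer is outside Cloudflare's ranges (the direct-to-origin case from the first post) and raw URIs of the form //?= followed by digits (the pattern from the last one). It assumes the log records the TCP peer address rather than a forwarded header; the log format, sample lines and function names are constructed for illustration, and the range list is only a subset of what Cloudflare publishes at https://www.cloudflare.com/ips/.

```python
import ipaddress
import re

# Subset of Cloudflare's published ranges (assumption: sample only, refresh
# from https://www.cloudflare.com/ips/ before relying on it).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15",
    "2400:cb00::/32", "2606:4700::/32",
)]

# Constructed log format: "<tcp-peer-ip> <method> <raw-request-uri>"
LINE_RE = re.compile(r"^(?P<peer>\S+) (?P<method>[A-Z]+) (?P<uri>\S+)$")
# Un-normalised URI of the form //?=<digits>, digits of any length
DOUBLE_SLASH_RE = re.compile(r"^//\?=\d+$")

# Constructed sample lines; the first reuses the address quoted in the thread.
SAMPLE_LOG = [
    "2001:ee0:53d0:6670:d3a:41af:e74:6cfb GET //?=12345",
    "172.68.1.10 GET /index.html",
    "2606:4700:10::6816:1 GET /?=12345",
    "not-an-ip GET /",
]

def via_cloudflare(peer):
    """True if the TCP peer address is inside a listed Cloudflare range."""
    addr = ipaddress.ip_address(peer)  # raises ValueError on junk
    # An IPv4 address tested against an IPv6 network (or vice versa) is False
    return any(addr in net for net in CLOUDFLARE_NETS)

def audit(lines):
    """Flag direct-to-origin requests and raw //?=<digits> URIs."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            direct = not via_cloudflare(m["peer"])
        except ValueError:
            continue  # peer field is not an IP address
        findings.append({
            "peer": m["peer"],
            "uri": m["uri"],
            "direct_to_origin": direct,
            "double_slash_probe": bool(DOUBLE_SLASH_RE.match(m["uri"])),
        })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f)
```

Any line reported with `direct_to_origin` set means the origin accepted a connection that never passed through Cloudflare, so no Firewall rule could have applied to it.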