I can no longer connect child sites to my MainWP dashboard if DNS Proxy is turned on

Hi,

I use a self-hosted version of WordPress with MainWP installed (a dashboard) to allow me to connect from there to “child sites” - other sites that I have authenticated and look after. I provide hosting for most of these sites, and route their DNS through Cloudflare.

Until about last month, I was able to connect from my MainWP dashboard even with the Proxy setting in the DNS settings turned On. Since then, I’ve been unable to.

I have raised a support request with MainWP but been told they have not changed anything that would affect that and therefore it’s a Cloudflare issue.

For one domain, I have:

  • Bot Fight Mode turned on
  • a Firewall rule which allows my MainWP dashboard through
  • a firewall rule to block XMLRPC requests
  • a firewall rule to block access to the login page if the Country is not United Kingdom

Does anyone have any ideas how I can keep the Proxy enabled and still connect via MainWP?

Welcome to the Cloudflare Community, fellow MainWP user!

I just recently moved my long running MainWP instance to a new domain name that is behind the Cloudflare :orange: proxy. Some child sites are also behind the Cloudflare proxy. Others are not on Cloudflare in any fashion at this time, although the plan is to put them all behind the Cloudflare proxy.

I have similar security settings to those on your list, with the exception of the geoblocking of the login page. My XMLRPC block rule allows traffic from the Automattic ASN to facilitate Jetpack. I don’t appear to have an allow rule for my MainWP dashboard on my child sites, although I do have a self-referential rule for both IPv4 and IPv6 for the MainWP dashboard.

Are you restoring original visitor IPs on your origin servers?

Are you seeing a corresponding event in the Cloudflare firewall logs when your connection attempts fail?


Thanks for the welcome.

I’d love to put my MainWP instance back behind the Cloudflare proxy.

I don’t think geoblocking the login page would affect MainWP. Would it?
I don’t use Jetpack.
It would be good not to need a specific rule on child sites.

How would I go about creating a “self-referential rule for both IPv4 and IPv6 for the MainWP dashboard” (quoting epic.network, post 2)?

It doesn’t appear that I’ve ever set up restoring original visitor IPs on my servers. They are NGINX based and it does not look like http_realip_module or realip_module are installed.

I guess my next step would be to figure out how to install them (the hard bit) and then follow some instructions to add Cloudflare IP addresses for each server.

Until I created the allow rule for the MainWP dashboard, I could see an event in the Cloudflare firewall logs, but not now.

Have been trying with restoring visitor IPs; easier than I expected as nginx -V shows --with-http_realip_module so it is configured. But I still cannot connect.

My MainWP instance (call it mwp) is proxied. If I do a Sync Data in mwp

  • for a site that IS NOT proxied and restoring original visitor IPs has not been set up, the access log shows the real IP address of mwp anyway.

  • for a site that IS proxied and restoring original visitor IPs has not been set up, the access log does not show any connection attempt. Nothing appears in Cloudflare either.

Added real_ip_header CF-Connecting-IP; to the http section of the nginx config file and restarted nginx.

  • Site not proxied: no change
  • Site proxied: no change in access log, and also no activity in Cloudflare Security Overview

This is as far as I’ve got.

Would still be interested to know

  • how to create a self-referential rule
  • how to view the actual headers that are being sent when they are sent from mwp in this way.
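Added example, not from the thread or from MainWP or Cloudflare: the nginx realip configuration the post above is working toward. A real_ip_header line by itself has no effect, because the module only rewrites the client address for requests arriving from sources listed with set_real_ip_from; the ranges below are copied from Cloudflare's published list and the log format is an assumption added to make the access log show whether a request came through the proxy.

```nginx
# Added example; assumes nginx built with --with-http_realip_module.
# Goes inside the http { } block (an include file works well).

# What the post added. On its own it has no effect: real_ip_header only
# applies to requests from addresses listed in set_real_ip_from, and that
# list is empty by default. Never widen it to 0.0.0.0/0 either: a client
# hitting the origin directly could then forge CF-Connecting-IP and pick
# any source address, defeating allow/deny rules and rate limits.
#
#     real_ip_header CF-Connecting-IP;

# Trusted proxies: Cloudflare's edge ranges, copied from the published list
# (https://www.cloudflare.com/ips). They change occasionally, so regenerate
# this block from that list on a schedule.
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;

# Use the header Cloudflare sets rather than X-Forwarded-For, whose
# earlier entries can be supplied by the original client.
real_ip_header CF-Connecting-IP;

# Log both addresses: $remote_addr is the restored visitor IP,
# $realip_remote_addr is the TCP peer. For a proxied site the second
# should always be a Cloudflare edge; for a direct hit they are equal.
log_format cf '$realip_remote_addr -> $remote_addr [$time_local] '
              '"$request" $status "$http_user_agent"';
access_log /var/log/nginx/access.log cf;
```

With this log format, a Sync Data attempt that never shows a Cloudflare edge as the peer on a proxied child site never reached the origin through Cloudflare at all, which points back at the Cloudflare rules rather than at nginx.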

It’s nothing more than adding MainWP’s own IPs in the Cloudflare WAF IP Access Rules.
