Half a year ago I configured a new website (static HTML) hosted on Cloudflare Pages and accessible via Cloudflare Universal SSL (no other third-party SSL certificates are in use).
My Cloudflare Pages site has no resources whose names start with “.” (dot), so I blocked “/.env/”-like crawlers in WAF rules: ( http.request.uri.path contains “/.” )
About a week ago I noticed hundreds of similar requests from Cloudflare AS132892 with “/.well-known/acme-challenge/” in the URI path, blocked by the WAF filter:
IP address: 2a06:98c0:360c:7e70:859c:cc24:XXXX:XXXX
ASN: AS132892 CLOUDFLARE Cloudflare, Inc.
Country: United States
User agent: bushbaby/2023.11.9
Is this traffic legit? Should I bypass my WAF filter for all traffic from Cloudflare’s AS, like ( http.request.uri.path contains “/.” and ip.geoip.asnum ne 132892 )?
I’m pretty sure that traffic is legitimate, as Pages handles the .well-known for certs. I’ll ask around for confirmation but for a rule you could do an allow rule like
http.request.uri.path contains “/.well-known/acme-challenge.” and http.user_agent contains “bushbaby” and
Heard back: it is highly likely that Cloudflare is trying to renew the certificate for your site. If it fails, your site will end up using an expired certificate. Allowing the user agent bushbaby to the well-known path should prevent that from happening. You can also lock down further to Cloudflare’s ASN.
Hey @Artem.from.UA, that is correct. This way, you’ll still block potentially malicious requests while allowing the ACME challenge requests to go through for SSL verification purposes.
(http.request.uri.path contains "/." and not http.request.uri.path contains "/.well-known/acme-challenge/")
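The three expressions from this thread, as an added example that is not part of any post: a small Python model of the rules, run against constructed requests so the effect of each variant can be checked before it is deployed (the challenge token, the curl user agent and ASN 64512 are assumed values; the bushbaby user agent and AS132892 come from the question).

```python
# Added example, not code from the thread: the WAF expressions discussed above
# modelled as Python predicates and run against constructed requests, so a rule
# change can be sanity-checked before deployment. Field names follow Cloudflare's
# expression language; "contains" is a plain substring test, as modelled here.
from dataclasses import dataclass

CLOUDFLARE_ASN = 132892  # AS132892, from the blocked-request log in the question

@dataclass(frozen=True)
class Request:
    path: str        # http.request.uri.path
    user_agent: str  # http.user_agent
    asnum: int       # ip.geoip.asnum

def rule_block_all_dotfiles(req: Request) -> bool:
    """Original rule: ( http.request.uri.path contains "/." ) -> block."""
    return "/." in req.path

def rule_skip_cloudflare_asn(req: Request) -> bool:
    """Variant from the question: same, but not when ip.geoip.asnum is Cloudflare's."""
    return "/." in req.path and req.asnum != CLOUDFLARE_ASN

def rule_skip_acme_path(req: Request) -> bool:
    """Final rule: block "/." paths except under /.well-known/acme-challenge/."""
    return "/." in req.path and "/.well-known/acme-challenge/" not in req.path

RULES = {
    "block_all_dotfiles": rule_block_all_dotfiles,
    "skip_cloudflare_asn": rule_skip_cloudflare_asn,
    "skip_acme_path": rule_skip_acme_path,
}

# Constructed sample traffic; the token and the non-Cloudflare ASN are made up.
ACME_RENEWAL = Request("/.well-known/acme-challenge/TOKEN-placeholder",
                       "bushbaby/2023.11.9", CLOUDFLARE_ASN)
ENV_PROBE = Request("/.env", "curl/8.0", 64512)
ENV_PROBE_VIA_CF = Request("/.env", "curl/8.0", CLOUDFLARE_ASN)

def blocked_by(req: Request) -> dict:
    """Map each rule name to True if that rule would block the request."""
    return {name: rule(req) for name, rule in RULES.items()}

if __name__ == "__main__":
    for label, req in [("ACME renewal", ACME_RENEWAL), ("/.env probe", ENV_PROBE),
                       ("/.env via Cloudflare ASN", ENV_PROBE_VIA_CF)]:
        print(f"{label:26} {blocked_by(req)}")
```

The third request shows why the path exception is the tighter fix: a dotfile probe arriving from Cloudflare's own ASN would pass the ASN-wide bypass but is still blocked by the final rule, which only exempts the ACME challenge path.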