Half a year ago I configured a new WEB site (static HTML) hosted by Cloudflare pages and accessible via Cloudflare Universal SSL (no other third-party SSL certificates are in use).
My Cloudflare Pages site does not have resources starting with "." (dot), so I blocked "/.env/"-like crawlers in WAF rules: ( http.request.uri.path contains "/." )
About a week ago I noticed hundreds of similar requests from Cloudflare AS132892 with "/.well-known/acme-challenge/" in the URI path blocked by the WAF filter:
- IP address: 2a06:98c0:360c:7e70:859c:cc24:XXXX:XXXX
- ASN: AS132892 CLOUDFLARE Cloudflare, Inc.
- Country: United States
- User agent: bushbaby/2023.11.9
- HTTP Version: HTTP/1.1
- Method: GET
- Path: /.well-known/acme-challenge/2d9gwoqq9zC_tK7MEWXXXXXXXXXXCoFLqQrtPZOI
- Query string: Empty query string
Is this traffic legit? Should I bypass my WAF filter for all traffic from the Cloudflare AS like ( http.request.uri.path contains "/." and ip.geoip.asnum ne 132892 ) ?
I'm pretty sure that traffic is legitimate, as Pages handles the .well-known for certs. I'll ask around for confirmation, but for a rule you could do an allow rule like
http.request.uri.path contains "/.well-known/acme-challenge." and http.user-agent contains "bushbaby" and
Heard back, this is highly likely that Cloudflare is trying to renew the certificate for your site. If it fails, then your site will end up using an expired certificate. Allowing the user agent of bushbaby to the well known path should prevent that from happening. You can also lock down further to Cloudflare’s ASN.
Looks like just whitelisting the Cloudflare ASN is not enough. There were also similar /.well-known/acme-challenge/ requests from these two networks:
- AS13649, ASN-FLEXENTIAL, User agent: Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)
- AS16509, AMAZON-02, User agent: Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)
So I had to modify my blocking filter this way:
( http.request.uri.path contains "/." and not http.request.uri.path contains "/.well-known/acme-challenge/" )
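To see why the path-based exclusion is needed rather than an ASN allow, here is an added example (not code from this thread or from Cloudflare) that emulates the three WAF operators used above (contains, not, ne) over constructed firewall events modelled on the ones quoted; the tokens and ASN 64496 (a documentation ASN) are placeholders.

```python
# Added example: emulate the WAF expressions from the thread over
# constructed request records. Cloudflare's "contains" is a substring
# match, so it is modelled with Python's "in" operator.
from dataclasses import dataclass

LE_UA = ("Mozilla/5.0 (compatible; Let's Encrypt validation server; "
         "+https://www.letsencrypt.org)")
ACME = "/.well-known/acme-challenge/"


@dataclass
class Request:
    path: str
    user_agent: str
    asn: int


# Constructed sample events (placeholder token, documentation ASN 64496).
SAMPLE_EVENTS = [
    Request(ACME + "TOKEN_PLACEHOLDER", "bushbaby/2023.11.9", 132892),  # Cloudflare
    Request(ACME + "TOKEN_PLACEHOLDER", LE_UA, 13649),   # Let's Encrypt via Flexential
    Request(ACME + "TOKEN_PLACEHOLDER", LE_UA, 16509),   # Let's Encrypt via AWS
    Request("/.env", "python-requests/2.31", 64496),     # secret-scraping crawler
    Request("/.git/config", "curl/8.4.0", 64496),        # repo-scraping crawler
    Request("/index.html", "Mozilla/5.0", 64496),        # ordinary visitor
]


def original_rule(r: Request) -> bool:
    """( http.request.uri.path contains "/." )"""
    return "/." in r.path


def asn_rule(r: Request) -> bool:
    """( http.request.uri.path contains "/." and ip.geoip.asnum ne 132892 )"""
    return "/." in r.path and r.asn != 132892


def final_rule(r: Request) -> bool:
    """( ... contains "/." and not ... contains "/.well-known/acme-challenge/" )"""
    return "/." in r.path and ACME not in r.path


def blocked_paths(rule, events=SAMPLE_EVENTS):
    """Paths (with ASN) that a rule would block, in event order."""
    return [(r.path, r.asn) for r in events if rule(r)]


def blocked_acme_fetches(rule, events=SAMPLE_EVENTS) -> int:
    """How many ACME HTTP-01 validation fetches the rule would break."""
    return sum(1 for r in events if rule(r) and r.path.startswith(ACME))
```

The ASN variant still blocks both Let's Encrypt validators, while the final rule blocks only the dot-path crawlers and lets every ACME fetch through regardless of source network.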
Hey @Artem.from.UA, that is correct. This way, you’ll still block potentially malicious requests while allowing the ACME challenge requests to go through for SSL verification purposes.
(http.request.uri.path contains "/." and not http.request.uri.path contains "/.well-known/acme-challenge/")