Magento 2.4.7 - Stop Cloudflare from Blocking Admin processes for me

What is the name of the domain?

dvineinspiration.com

What is the error message?

Managed Challenge - /static/version17abc02524/adminhtml/Magento/backend/en_US/fonts/opensans/semibold/opensans-600.woff

What is the issue you’re encountering?

Hello. My site has been under constant attack. So, my hosting support suggested that I use Cloudflare. I currently have “under attack” mode enabled, which is helping but continues to block functions of the admin panel. For example, it is presenting the managed challenge for fonts used and blocking the function because this is something that Magento does “behind the scenes”. So, I need help setting this up properly and also I need to turn off all Cloudflare caching for dynamic content, keeping only static files such as CSS, JS, JPG, PNG, etc., because I am using LiteMage. Any and all help is appreciated. I don’t mind if you explain as if you’re talking to a 2 year old. Thanks in advance!

What steps have you taken to resolve the issue?

Excluded the admin via ip address, user agent and asn from being blocked by security challenge.

What are the steps to reproduce the issue?

Whenever I am in the admin of my site.

Hi there,

Generally speaking, leaving “Under Attack mode” enabled is not a good idea.
Don’t get me wrong, it’s a great feature to apply on the spot when you’re being attacked and it’s hitting your origin, but only while you figure out how to mitigate the attack, after that Under Attack should ideally be disabled.

Having said this here are my suggestions for you:

  • Setting the challenge passage to 1 day is too much in my opinion. The challenge passage duration controls the validity of the clearance cookie that is issued when you complete a challenge; setting it to 1 day means that an attacker could potentially complete a single challenge manually and then export the cookie to their bot and not be challenged for 24h.
  • Rate limiting rules are a good failsafe. Having a RL rule with a realistic rate to block attackers (or maybe 20~50% above a realistic rate), is an excellent failsafe, in case the attackers are not caught by any other security measure. Example rule:

The rule above will block anyone doing more than 20 requests in 10 seconds, except for verified bots. Adjust it to your own use case.

Other than that, for your plan type, there’s not much else that can be applied.

As for the caching question, by default Cloudflare only caches static content:

You can still create cache rules to avoid caching content you don’t want cached or to force caching of content that is not cached by default. For instance, taking your example extensions, let’s imagine I want the entire website not to be cached, except for the extensions “CSS”, “JS”, “JPG” and “PNG”.
I would then create 2 rules.
1:
2:

The 1st rule will simply dictate that anything within the hostname “dvineinspiration.com” will not be cached (but anything in other subdomains will still follow the overall configuration).
The 2nd rule will cache any URI ending in those extensions.
Because cache rules are stackable, this means that both rules will be applied, and as long as the cache rule is below the non-cache rule, only those extensions will be cached for the hostname.

Take care.
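To make the two mechanisms in the reply above concrete, here is an added simulation (not Cloudflare code and not part of the original post) of how a "more than 20 requests in 10 seconds, verified bots exempt" rate limit behaves against a flood, and of why the order of the two cache rules matters when a later matching rule overrides an earlier one. The admin allowlist IP, the client addresses and the request paths other than the `.woff` font path quoted in the question are constructed for the example; the exemption of a fixed admin IP is an assumption added here, mirroring what the original poster says they already configured for the challenge.

```python
"""Constructed simulation of a sliding-window rate limit and an ordered
cache-rule stack, modelled on the Cloudflare reply above. Not Cloudflare's
implementation; all addresses and most paths are made-up sample data."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Request:
    ip: str
    host: str
    path: str
    ts: float                 # arrival time in seconds
    verified_bot: bool = False


class RateLimiter:
    """Return 'block' once a client IP exceeds `limit` requests within the
    trailing `period` seconds. Verified bots are exempt, as in the reply;
    the admin allowlist is an assumption added for this example."""

    def __init__(self, limit=20, period=10.0, exempt_ips=()):
        self.limit = limit
        self.period = period
        self.exempt_ips = set(exempt_ips)
        self.hits = defaultdict(deque)   # ip -> timestamps still in window

    def check(self, req: Request) -> str:
        if req.verified_bot or req.ip in self.exempt_ips:
            return "allow"
        window = self.hits[req.ip]
        while window and req.ts - window[0] >= self.period:
            window.popleft()             # drop hits that aged out
        window.append(req.ts)
        return "block" if len(window) > self.limit else "allow"


STATIC_EXT = (".css", ".js", ".jpg", ".png")

# Cache rules as (name, match predicate, action). Rules are evaluated top to
# bottom and a later matching rule overrides the decision of an earlier one.
RULE_BYPASS_HOST = ("bypass-host",
                    lambda r: r.host == "dvineinspiration.com", "bypass")
RULE_CACHE_STATIC = ("cache-static",
                     lambda r: r.path.lower().endswith(STATIC_EXT), "cache")


def evaluate_cache_rules(rules, req: Request) -> str:
    decision = "default"        # nothing matched: zone default applies
    for _name, matches, action in rules:
        if matches(req):
            decision = action   # last matching rule wins
    return decision


def demo() -> dict:
    host = "dvineinspiration.com"
    admin_ip = "198.51.100.10"   # constructed admin address (allowlisted)
    attacker = "203.0.113.7"     # constructed scanner address

    # Rate limit: 25 hits in 2.5 s from one IP; the 21st one is blocked.
    rl = RateLimiter(exempt_ips={admin_ip})
    flood = [rl.check(Request(attacker, host, "/customer/account/login", i * 0.1))
             for i in range(25)]
    # Once the window has emptied, the same IP is allowed again.
    after_quiet = rl.check(Request(attacker, host, "/", 100.0))
    # Admin saving a product fires many back-end requests quickly but is exempt.
    admin = [rl.check(Request(admin_ip, host, "/admin/catalog/product/save", i * 0.1))
             for i in range(30)]

    # Cache rules: the order decides what ends up cached.
    woff = Request(attacker, host,
                   "/static/version17abc02524/adminhtml/Magento/backend/en_US/"
                   "fonts/opensans/semibold/opensans-600.woff", 0.0)
    css = Request(attacker, host, "/static/version17abc02524/frontend/styles.css", 0.0)
    page = Request(attacker, host, "/checkout/cart", 0.0)
    right_order = [RULE_BYPASS_HOST, RULE_CACHE_STATIC]   # cache rule below
    wrong_order = [RULE_CACHE_STATIC, RULE_BYPASS_HOST]   # bypass wins for everything
    return {
        "flood_first_block": flood.index("block"),
        "after_quiet": after_quiet,
        "admin_blocked": "block" in admin,
        "css_right": evaluate_cache_rules(right_order, css),
        "page_right": evaluate_cache_rules(right_order, page),
        "woff_right": evaluate_cache_rules(right_order, woff),
        "css_wrong": evaluate_cache_rules(wrong_order, css),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the simulation makes visible that the prose only implies: a `.woff` font under the two-rule setup is bypassed, because the extension list in the question does not include fonts, so anyone reproducing the rules should decide whether fonts belong in the cached set; and with the rules in the wrong order the bypass rule matches last for every request on the hostname, so nothing is cached at all.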

Hello and thank you for responding. I changed the challenge as suggested and turned off “under attack” mode. I tried the rate limiting rule and it blocks Magento functions also. So, I can’t use it. I couldn’t try the second rule as I couldn’t find in the dashboard where the settings would allow me to choose the options that you have shown. Each time I selected “All incoming requests”, the Field, Operator and Value input boxes would disappear. So, I’m unable to try that one. I also use phpList for sending email campaigns, and guess what? Cloudflare is blocking that also. I had to disable the site on Cloudflare in order to send the campaign. I really would like to use Cloudflare but I just don’t know how to get it set up to use with Magento properly. So, thanks for your help, but it looks like I’m going to have to switch to a hosting company with better security measures in place.