Man in the Middle

My company, eSafe Global Ltd, provides monitoring solutions for schools & colleges. We monitor all browser activity & use a locally installed client that runs as a Man in the Middle. We are getting reports that sites using our solution are getting error messages when trying to use sites that use Cloudflare.

Having investigated, it looks like Cloudflare is recognising our client as a MitM & generating an error / warning message.

How do we resolve this, or can our software be added to an exception list?

What error messages are they displaying?

I’m not aware that CF take any specific action against MITM proxies (but given that they call it Monster in the Middle, you can get an idea of how they are viewed).

There is a Cloudflare project to collect signatures for such proxies, so you should read the blog and perhaps submit a signature.

Hi,
Thanks for the response

Sometimes there are no errors as such, just a spinning cursor or the page times out. When an error is displayed in the browser it is an Error 1020 - Access denied.

Also, on the sites that do not get an error message we often see a 403 error under Developer Tools > Network.

As mentioned previously, our software is installed on the device & acts as a MitM performing SSL inspection including cert replacement.

When it’s a 1020, your client should be able to look at their Firewall Events Log to see what rule blocked access.

Hi, apologies if I was not clear. The sites load OK (going via their firewall/proxy) until we enable our client on the local device. Do you still need the edge of network Firewall logs checking?

Yes, if the 1020 is a concern, the Firewall Event log should show you why it was blocked. It may provide a clue as to why the other errors/warnings are appearing.

Thanks for the update, I will contact the customer

Hi, the site is not using a proxy server, the connection is direct (no proxy or filtering). Our logs do not show any warnings as the message is not generated by our client.

I am speculating that Cloudflare is detecting our client as a MitM & blocking/generating a message for security reasons.
If we whitelist the site in our client (no SSL inspection occurs) the web site loads as expected. However, as we provide a comprehensive monitoring solution for the purposes of Safeguarding & monitoring wellbeing, we cannot just keep adding each affected site to a whitelist; apart from the time taken to do so, it reduces our monitoring capabilities.

As such I am looking for a way for Cloudflare to “recognise” our client as a good application & allow access to the sites affected.

I suggest you open a support ticket so they can inspect the connections to see why they’re being blocked.

To contact Cloudflare Customer Support, log in & go to https://dash.cloudflare.com/?account=support and select get more help. If you receive an automatic response that does not help resolve your issue, reply and indicate that you still require assistance. And, please share your ticket number here so that we can track it.

It would probably help if you set up a test domain on Cloudflare that you control, and then you will see what rules are being triggered. I’m curious how you initiate the outbound TLS connection. Do you emulate the HELO from the client, or make a new connection with a different client capability?
