New local SQL Server, repeating forbidden Access

We received a new server on April 19th, on which a worker runs every 2 minutes to synchronize with the webshop to retrieve orders and upload items.

Error, April 26th ~ 8:50 AM: Suddenly, from one minute to the next, the worker could no longer access the webshop, error message (Forbidden). The issue was resolved around 7:30 PM.

Error, May 3rd ~ 8:00 PM: Shop access was blocked. The error was noticed on Saturday and was fixed around 12:30 PM.

Error, May 10th ~ 1:00 PM: Shop access was blocked. By now, I have identified that the synchronization works again if we deactivate Cloudflare, perform a manual sync with the shop, reactivate Cloudflare, and then start the worker.

Do you have any idea what could be causing this behavior? It seems to be obviously related to Cloudflare and the server.

Kind regards

Hi,

Cloudflare is an HTTP/S proxy by default for proxying this protocol traffic on certain ports, referenced here.

Cloudflare would not be able to proxy SQL database traffic over other ports, so it could be that if you are using a hostname for your zone that is proxied to connect to for this sync, it may not be able to connect through Cloudflare. You should ensure any hostname you are connecting to is not proxied through Cloudflare by making sure the DNS record you use is set to DNS-only (grey-clouded): Proxy status · Cloudflare DNS docs

This is the most likely cause, but it could be something else; unfortunately, the log information does not provide any clues or errors that help us understand where the problem may lie.


Hey there Damian

Thank you for the fast reply. I kinda struggle to find the Spectrum or application creation tab. Can you help me find it?

We’re using a static IP address for our server, so I have now created a WAF rule to forward everything incoming from this IP. Would this help? I have also put the IP address of the website into the “hosts” file under windows/system32… hopefully this will prevent the server from connecting through Cloudflare, or at least will be directed through it. Or is there anything I missed?

Hi,

The spectrum you would need is only available on the Enterprise plan as an additional subscription, if you are interested in this you would need to reach out to Cloudflare’s sales team.

The WAF will not be able to impact this, if it is what we suspect about not proxying this database traffic - because the WAF is running on HTTP/S layer 7 requests.

> I have also put the IP address of the website into the “hosts” file under windows/system32… hopefully this will prevent the server from connecting through Cloudflare, or at least will be directed through it.

This is a good approach. If you’re updating the client host that is connecting to your SQL server and pointing the hosts file to the origin IP of the SQL server, then this should work. You can confirm by pinging the hostname that you are connecting to, to make sure it resolves to the origin IP and not a Cloudflare IP address.


Hmm ok,

The problem with this is that I already switched the hosts file settings last week, and after that it occurred again. I attached a tracert route from the server to kutami.de. Could you please take a closer look at it? For me it looks like it’s going directly to the server without going through Cloudflare services.

How did you arrive at that conclusion? The last two IPs in your traceroute are allocated to Cloudflare.

NetRange:       172.64.0.0 - 172.71.255.255
CIDR:           172.64.0.0/13
NetName:        CLOUDFLARENET
NetHandle:      NET-172-64-0-0-1
Parent:         NET172 (NET-172-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS13335
Organization:   Cloudflare, Inc. (CLOUD14)

Ohh man… you are right, I’m stupid. I changed it now to the right one; now it resolves the domain to

116.202.167.197

hopefully this will help.
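The check this thread ends on, as an added example that is not part of the original posts: it reads a hosts file and tracert output and reports whether the addresses fall inside Cloudflare's IPv4 ranges. The hostname `shop.example`, the sample hosts files and the tracert text are constructed; the range list is Cloudflare's published IPv4 list as assumed here and should be refreshed from cloudflare.com/ips-v4.

```python
import ipaddress
import re

# Assumed copy of Cloudflare's published IPv4 ranges; it includes the
# 172.64.0.0/13 block shown in the whois output in this thread.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22")]

def is_cloudflare(ip):
    """True if ip is a valid IPv4 address inside a Cloudflare range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_V4)

def hosts_entry(hosts_text, hostname):
    """Return the IP of the first hosts-file line naming hostname, or None."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 2 and hostname.lower() in (f.lower() for f in fields[1:]):
            return fields[0]
    return None

def cloudflare_hops(tracert_text):
    """Return the IPv4 addresses in tracert output that belong to Cloudflare."""
    ips = re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", tracert_text)
    return [ip for ip in ips if is_cloudflare(ip)]

def check(hosts_text, hostname):
    ip = hosts_entry(hosts_text, hostname)
    if ip is None:
        return "no hosts entry: DNS decides, a proxied record resolves to Cloudflare"
    if is_cloudflare(ip):
        return f"{ip} is a Cloudflare edge address: traffic is still proxied"
    return f"{ip} is outside Cloudflare ranges: traffic bypasses the proxy"

# Constructed sample input (not the poster's real files or trace)
HOSTS_WRONG = "127.0.0.1 localhost\n172.67.10.20 shop.example  # constructed\n"
HOSTS_FIXED = "127.0.0.1 localhost\n116.202.167.197 shop.example\n"
TRACERT = "  1  <1 ms  192.0.2.1\n  2  12 ms  198.51.100.7\n" \
          "  3  14 ms  172.71.0.5\n  4  14 ms  172.67.10.20\n"

if __name__ == "__main__":
    print(check(HOSTS_WRONG, "shop.example"))
    print(check(HOSTS_FIXED, "shop.example"))
    print("Cloudflare hops:", cloudflare_hops(TRACERT))
```

On the Windows server the hosts text would come from `C:\Windows\System32\drivers\etc\hosts` and the trace from the saved `tracert` output.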
