Rule to bypass WAF

What is the name of the domain?

na

What is the error number?

na

What is the error message?

na

What is the issue you’re encountering

I use WHMCS and am having issues with the callback from api1.whmcs.com being blocked by Cloudflare. I cannot just allow the IP, as this can change, so I need to either allow api1.whmcs.com or exclude the URL /modules/gateways/callback/gocardless.php from the WAF. The docs seem to be outdated, as everything mentioned there no longer seems to exist.

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full

Hello,

Are you following the documentation to create a custom WAF skip rule?

You can also be more selective on the rules you are skipping, if you check to see what is blocking your call.

You can search your security events by rayID to see what is causing the issue:

Yes, I have tried this, but there is no option to skip or disable the WAF. All the docs I can find seem to be outdated and refer to sections or settings that do not exist.

I also do not know where to find this rayID or how to find the reason for the block. I only have a free plan, so maybe this doesn’t include logs.

These are the only options I have under Skip:

WAF components to skip

All remaining custom rules

All rate limiting rules

All managed rules

All Super Bot Fight Mode Rules

More components to skip

Zone Lockdown

User Agent Blocking

Browser Integrity Check

Hotlink Protection

Security Level

Rate limiting rules (Previous version)

Managed rules (Previous version)

Go here to find the blocked request and the reason…
https://dash.cloudflare.com/?to=/:account/:zone/security/events

Then you can create a WAF custom rule to allow it. Post a screenshot of the blocked request detail if unsure.
