Some URLs are blocked (403) by Cloudflare without asking the origin

I have a very odd behaviour.
I have an image on my site which is blocked by Cloudflare without asking the origin.
Funnily enough, we are using the same backend for different TLDs, and the image is available on some of them but not on others:
403:
https://www.thecasuallounge.se/cmsImage/name/lp1113_03.background.old
https://www.thecasuallounge.fr/cmsImage/name/lp1113_03.background.old

200:
https://www.thecasuallounge.ch/cmsImage/name/lp1113_03.background.old

I don’t see anywhere in the settings where I could possibly have blocked it.

Here is an example link to a page which uses the blocked image:
https://www.thecasuallounge.se/aff/aff+cmpd+srs?utm_source=se_cmpd_srs&clickId=&utm_medium

(only on desktop, different image is shown on mobile).
Any ideas or hints where to look or how to mitigate would be great!
Thanks

Small update: we copied the same image under a different name and it works, so the example page works now. However, the original image is still not accessible.

Did you check the firewall event logs of these sites? It should say why it was blocked.

Thanks for the hint, didn’t know where to search for it. It says:
Rule ID: 100038A
Filter: Exclude
Rule message: Information Disclosure - File Extension
Rule group: Cloudflare Specials

I presume you are on a paid plan, right? This will be WAF then and seemingly a default rule which blocks requests for .old files. You’d need to disable that particular rule in this case.

Are the other domains on a paid plan as well?


It’s on page 10 of “Cloudflare Specials”


Yes. It is funny that it works on the Business plan and not on the personal plan. I will rename the file; it doesn’t need to be named “.old”, an odd name for an image anyway. Thank you for the hints!

Yes, if renaming is an option I’d rather go for that. Otherwise disable the rule.

Though on the Business plan it should equally be blocked if WAF is enabled and you didn’t change the setting.
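To make the behaviour described in the two replies above concrete (a managed WAF rule refusing a request purely on the file extension of the URL path, before the origin is ever contacted, and renaming the object as the workaround), here is a small model of such a rule. This is an added example and not Cloudflare's code or the actual logic of rule 100038A; the extension denylist is a constructed placeholder (only `.old` comes from the thread, the other entries are assumed), and the renamed file name is hypothetical.

```python
"""Model of a WAF "sensitive file extension" rule.

Added example, not Cloudflare's code: it imitates the kind of edge rule the
thread discusses (a "File Extension" information-disclosure rule) to show
why a request for .../lp1113_03.background.old is refused without asking
the origin, and why renaming the object sidesteps the rule.
"""
from urllib.parse import urlsplit, unquote

# Constructed denylist for this example. ".old" is the extension from the
# thread; "bak" and "orig" are assumed, typical leftover-file suffixes, and
# are NOT taken from the real managed rule.
DENYLIST = frozenset({"old", "bak", "orig"})


def path_extension(url: str) -> str:
    """Return the lower-cased extension of the URL's last path segment,
    or "" if the segment has none.

    Only the path is inspected: query string and fragment are ignored, a
    trailing slash is dropped, and percent-encoding is decoded first so
    that "file%2Eold" is treated the same as "file.old". For a multi-dot
    name such as "lp1113_03.background.old" the extension is the part after
    the LAST dot, which is exactly why that image name matches.
    """
    path = unquote(urlsplit(url).path).rstrip("/")
    last = path.rsplit("/", 1)[-1]
    if "." not in last:
        return ""
    return last.rsplit(".", 1)[-1].lower()


def waf_decision(url: str, denylist=DENYLIST) -> tuple[int, str]:
    """Edge decision taken before the origin is contacted.

    Returns (403, reason) when the path extension is on the denylist and
    (200, "pass to origin") otherwise. The 200 here means "not blocked at
    the edge"; the origin still decides what it actually serves.
    """
    ext = path_extension(url)
    if ext in denylist:
        return 403, f"file extension .{ext} matched denylist"
    return 200, "pass to origin"


def triage(urls):
    """Map each URL to the status code the edge rule would produce."""
    return {u: waf_decision(u)[0] for u in urls}


# Constructed sample requests. The first URL is the real one from the thread;
# the variants show that query strings, letter case and percent-encoding do
# not change the outcome. The ".background" name is a hypothetical renamed
# copy illustrating the workaround, and the last URL is the landing page
# itself, which has no extension and is therefore passed through.
SAMPLE = [
    "https://www.thecasuallounge.se/cmsImage/name/lp1113_03.background.old",
    "https://www.thecasuallounge.se/cmsImage/name/lp1113_03.background.old?v=2",
    "https://www.thecasuallounge.se/cmsImage/name/lp1113_03.background.OLD",
    "https://www.thecasuallounge.se/cmsImage/name/lp1113_03%2Ebackground%2Eold",
    "https://www.thecasuallounge.se/cmsImage/name/lp1113_03.background",
    "https://www.thecasuallounge.se/aff/aff+cmpd+srs?utm_source=se_cmpd_srs",
]

if __name__ == "__main__":
    for url, code in triage(SAMPLE).items():
        print(code, url)
```

Running the script prints 403 for the four `.old` variants and 200 for the renamed copy and the landing page, which matches the thread: the block depends only on the last extension of the path, so a copy without the `.old` suffix is never even evaluated against the rule, while disabling the rule (or the WAF as a whole, as happened on the .ch zone) lets the original name through.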

I checked the business plan and the rule is enabled there, but the image is still served. Maybe on business the WAF actually looks into the content?

Shouldn’t be the case. If it is enabled and WAF is enabled too (did you check?), it should actually get blocked. If not, you might almost want to open a support ticket for support to check out what’s not working :)

You are right as always. The rule was enabled, but I didn’t check that WAF was disabled.
Now the image is blocked in .ch as well.
Thank you very much for the support!

