This tutorial covers the message ‘Sorry, you have been blocked’ which can show to visitors of a Cloudflare website.
This covers pages that look like:
and are generally caused by Cloudflare’s WAF being triggered. The WAF is only available on paid plans, so this message is not generally seen when visiting sites on the free plan.
If your visitors do see this on a free plan site, it is probably due to rules active to protect against specific vulnerabilities, as explained in this blog post, the rules listed there are not the only ones that may be triggered on a free site.
Gather information about the error:
Approximate time of the block
RayID of the connection (visible at the bottom of the blocked page)
IP address of the blocked user (visible at the bottom of the blocked page)
Find the corresponding entry in the firewall events log:
Go to the Firewall Events Log in your Cloudflare dashboard.
The events list is ordered by time with the latest first, by default. You can also use the filter options to filter by visitor IP address or connection RayID to help find the event more easily.
Once you have found the corresponding entry, click it to expand your view of the event.
Work out what rule caused the block:
In the box highlighted above you can see the Rule ID, Rule message and Rule Group.
Start by looking at the group, and go to the tab under Firewall.
Find, here, the group mentioned, in the example above, ‘Cloudflare Specials’ and click that. You can then find the specific rule triggered, in the example:
You can then choose whether to change the mode to minimise impact on your site/visitors. You may want to change this to ‘challenge’, if your default is set to block, rather than disabling it.