Uploading PHP (and some other) files is blocked due to Cloudflare, even with security disabled with page rules

We use Cloudflare as a load balancer for our servers, which we allow users to upload files to.
We’ve noticed that some files trigger Cloudflare to block the request with:

`This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data.`

However, we disabled security & performance for the subdomain the load balancer uses, but Cloudflare still blocks these file uploads.

Is there no way round this?

N.B - we cannot bypass Cloudflare altogether as the load balancer requires the “orange cloud” in order for sticky session to work.

Did you check the firewall events?

Yes, it seems like nothing is showing…

I also tried using the firewall rules to “bypass” or “allow” on that specific hostname, but still CF blocks any POST requests with a .php file as the payload.

If I disable the “Web Application Firewall” altogether in the Firewall tab, the uploads work fine. It seems like there’s no way to have it enabled, but bypass for specific URLs or hosts?

Can you show us the detailed log of the blocked request?

And then you mentioned this, can you show us your firewall rule which bypasses the WAF Managed Rules?

So here’s what I tried to bypass it, neither works: (host names redacted, but assume it is: subdomain.domain.com/* )

When it fails, there doesn’t “seem” to be any log entry at all in CF for it, which is odd.
But on my end, I just see this:

Please enable cookies.

Sorry, you have been blocked

You are unable to access [HOST_HIDDEN]

Why have I been blocked?

This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data.

What can I do to resolve this?

You can email the site owner to let them know you were blocked. Please include what you were doing when this page came up and the Cloudflare Ray ID found at the bottom of this page.

Cloudflare Ray ID: 625ecd54dd311704 • Your IP: 162.158.165.251 • Performance & security by Cloudflare

I just realised I can filter events by Ray ID… and now I see the block event. I also see the host is defined as the target server, NOT the load balancer hostname, which probably explains why my bypass rules aren’t working(!)

I’ll update the rules now to wildcard the subdomain (as all target servers are subdomains) and see if that fixes it.

UPDATE
That worked :slight_smile: I never realised you could filter events by Ray ID, I have never seen that in the dropdown before in firewall events, so I assumed it was a Cloudflare internal logging tool.

Thanks @erictung

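The diagnosis reached in this thread, written out as an added example (not code from the thread or from Cloudflare): look up the block event by Ray ID, read the hostname the WAF actually evaluated, and check whether the bypass rule's host pattern covers it. The event field names and the `example.com` hostnames are constructed for illustration; only the Ray ID comes from the thread.

```python
from fnmatch import fnmatchcase

# Constructed sample of exported firewall events (field names are hypothetical).
# The blocked upload was logged against the target server, not the load balancer.
EVENTS = [
    {"ray_id": "625ecd54dd311704", "action": "block", "source": "waf",
     "host": "node1.example.com", "path": "/upload"},
    {"ray_id": "0000000000000001", "action": "allow", "source": "firewallrules",
     "host": "lb.example.com", "path": "/"},
]


def find_event(events, ray_id):
    """Return the event recorded for a Ray ID, or None if nothing was logged."""
    wanted = ray_id.strip().lower()
    return next((e for e in events if e["ray_id"].lower() == wanted), None)


def host_matches(pattern, host):
    """Case-insensitive host match; '*' in the pattern is a wildcard."""
    return fnmatchcase(host.lower().rstrip("."), pattern.lower())


def diagnose(events, ray_id, bypass_patterns):
    """Report which host the event was logged for and whether any bypass pattern covers it."""
    event = find_event(events, ray_id)
    if event is None:
        return {"found": False}
    matched = [p for p in bypass_patterns if host_matches(p, event["host"])]
    return {
        "found": True,
        "host": event["host"],
        "action": event["action"],
        "covered": bool(matched),
        "matched_by": matched,
    }


if __name__ == "__main__":
    # A rule on the load balancer hostname alone misses the event's host.
    print(diagnose(EVENTS, "625ecd54dd311704", ["lb.example.com"]))
    # Wildcarding the subdomain covers the target servers as well.
    print(diagnose(EVENTS, "625ecd54dd311704", ["*.example.com"]))
```

A wildcard bypass applies to every matching hostname, so keeping it as narrow as the upload hosts require leaves the WAF in place for the rest of the zone.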