I’ve run into an issue where my on-site brute force protection appears to be blocking Cloudflare traffic. Essentially, I have the security set to automatically block IP addresses that attempt a brute force attack on the login page; however, because I have the site on Cloudflare’s CDN this means it’s blocking some of Cloudflare’s IP addresses. Is there a way I can use page rules to either bypass the CDN or otherwise let my site view the visitor’s true IP address on certain URLs?
For example, can I use a page rule to see the visitor’s IP address on mydomain.com/admin instead of the IP address coming from Cloudflare?
I found this topic: Bypass Cloudflare for part of a URL that states you can’t bypass the CDN for specific URL strings, but I’m hoping there’s another way to accomplish what I need using page rules. I’ve tried setting page rules to bypass caching, disable security, disable performance, disable all apps, etc. for the desired URL string, but when I check my visitor logs it’s still coming through with the Cloudflare IP addresses.
Any help would be very appreciated - thank you!