WAF and Rules Not Working

Hello; although I have blocked all requests except Turkey in both the WAF and Rules sections for the 2 domains I have chosen, and in addition have blocked the ASN list, these requests still continue to come to my website. Although I have tried many methods, these requests can still come. For example, just now, this IP "172.105.128.12" from the country coded US, that is, America, accessed my website. Why is it not blocked, why is it not happening, what is the problem and what is the solution? If it cannot block this, there is no purpose for me to use Cloudflare. I was going to buy a paid membership, but this situation upset me. Waiting for a response…

Two recently added sites are blocking me as they should be, but I may not be checking the correct site. Can you share the name of the site where the IP you shared was allowed?

Hello.
I use 2 websites and both have the same rules, exactly the same. Before I wrote to you, the countries titled NL and CL accessed my site. I had blocked all countries except Turkey and even blocked many operators as ASNs.
A screenshot of my WAF rules is also below.

URL 1: yhtsefergoruntulerez.site
URL 2: panelimitakipethango.xyz

1 Like

Let me give you an example of the IP addresses that come to my site while I am writing a message. They should not be able to come from outside Turkey, but they can, I don’t understand.

Where do you see those IP addresses, are they in your server log? Make sure that your server only allows Cloudflare IP addresses to connect, so that all requests must go through Cloudflare so the WAF can be applied, and are not made directly to your server (therefore bypassing Cloudflare).

I see these IP addresses in the IP tracking system on my server. Here is the IP address of my server: http://136.244.89.165/
And direct access is already blocked. When I try to access directly with the IP, it does not appear as a log in the IP tracking system because it is already blocked.
Here is the screenshot that proves it:

+1 to the comment from @sjr. If you’re seeing IPs in the IP tracking system of your server and not in https://dash.cloudflare.com/?to=/:account/:zone/security/events, that means they are hitting your server directly and not through Cloudflare. In your event log, I only see blocks for countries outside of Turkey and don’t see the access instance you are seeing in your server log.

Access to my website by IP address is blocked. So it’s almost impossible for them to come. How do I block traffic that comes through my IP address? How do I block traffic that does not come through my domain name? While you were writing a message, a new IP address accessed. It came from 205.210.31.56 US.
Yes, if these records do not appear on the CF event side, the problem shows that they have direct access to my server. What should I do in Cloudflare for this? I am using AlmaLinux 8 x64 WHM/cPanel.

Is this your site?

I’m so confused. What should I do?

You need to restrict access to your server to only Cloudflare. Either by allowing only these IP addresses…

…or using Authenticated Origin Pull…

Will it work if I force SSL redirection? Where is this done in CF?

Requests to your IP address do not pass through Cloudflare so nothing can be done in Cloudflare to prevent that. You need to do what I suggested in my last post. (I’m in the UK, I can’t access through the domain name as I’m blocked by Cloudflare, but I can access using the IP address).

1 Like

I don’t fully understand the last thing you said. Can you let me know if there is an implemented example?

# Apache .htaccess: refuse requests whose Host header is the bare server IP
RewriteEngine On
# Match the literal IP (dots escaped so they do not act as regex wildcards)
RewriteCond %{HTTP_HOST} ^136\.244\.89\.165 [NC]
# Answer 403 Forbidden and stop processing further rules
RewriteRule ^ - [F,L]

This is how I found a solution with the .htaccess file and I can no longer access it. Is it possible to bypass this?

I’m guessing this rule is in a .htaccess file in the public access folder of one (or more) of your domains. Even without looking at the rule itself (which has its own issues), the mere location means the rule will only kick in when coming in through the domain having this rule in its .htaccess file, and will have no effect when visiting via the IP address directly.

It seems you’re using a Vultr cloud VM for your cPanel/WHM server. What you need to do is configure your Vultr cloud firewall to block all unwanted requests – but allow Cloudflare through as previously mentioned by @sjr – but note that Vultr already provides a “Cloudflare” traffic source to select, so you don’t need to worry about manually adding Cloudflare’s IP address ranges.