WAF bypassing traffic to the Server with a "Block" rule

I have an Apache web server with a deployed Django website that keeps getting requests that are shown as WAF “blocked”.

I would be happy to receive any advice, thanks!

They’re different IPs though?

Your first one is blocking a Netherlands IP and the server log shows a different IP, down as Spain.

This is Cloudflare IP, lol.

Then the access logs are pretty useless if you’re not restoring the original IPs - https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs

Okay thanks! I’ll install the modules and update the discussion.

You could also add the cf-ray header from the request into your log format - but restoring the original visitor IP is the best first step.

Ray IDs are the easiest to correlate with since they’re unique per request, even if it’s the same request payload coming from the same IP.

After installing the modules and analyzing the logs, I realized that Cloudflare simply determines IP geolocation differently. Manual blocking of course saved the situation. Thanks for the help!
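
The Ray ID correlation suggested earlier in the thread, as an added example that is not part of the original posts: it joins WAF events to Apache access-log lines by Ray ID, so a "blocked" event is only counted as reaching the origin when the same request appears in the log. The log format, the event field names (`ray`, `action`) and all sample data are assumptions constructed for this sketch, as is the 16-hex-digit Ray ID with a `-COLO` suffix in the header.

```python
import re

# Assumed Apache log format (constructed for this example):
#   LogFormat "%a %l %u %t \"%r\" %>s %b \"%{CF-Ray}i\"" cf_combined
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ray>[^"]*)"$'
)

def ray_key(value):
    """Normalise a Ray ID: drop the '-COLO' suffix; None if it is not 16 hex digits."""
    ray = value.strip().lower().split("-", 1)[0]
    return ray if re.fullmatch(r"[0-9a-f]{16}", ray) else None

def parse_access_log(lines):
    """Return ({ray: entry}, [entries that carry no usable Ray ID])."""
    by_ray, no_ray = {}, []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line does not follow the assumed format
        entry = m.groupdict()
        key = ray_key(entry["ray"])
        if key:
            by_ray[key] = entry
        else:
            no_ray.append(entry)  # cannot be matched to any Cloudflare event
    return by_ray, no_ray

def correlate(waf_events, access_lines):
    """Split 'block' events into Ray IDs seen at the origin and Ray IDs not seen."""
    by_ray, no_ray = parse_access_log(access_lines)
    reached, stopped = [], []
    for ev in waf_events:
        if ev["action"] != "block":
            continue
        key = ray_key(ev["ray"])
        (reached if key in by_ray else stopped).append(key)
    return reached, stopped, no_ray

# Constructed sample data (documentation IP ranges, made-up Ray IDs).
ACCESS_LOG = [
    '203.0.113.7 - - [10/May/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "7c1a2b3c4d5e6f70-AMS"',
    '198.51.100.9 - - [10/May/2023:10:00:05 +0000] "GET /admin HTTP/1.1" 404 196 "7c1a2b3c4d5e6f71-MAD"',
    '192.0.2.44 - - [10/May/2023:10:00:09 +0000] "GET /login HTTP/1.1" 200 733 "-"',
]
WAF_EVENTS = [
    {"ray": "7c1a2b3c4d5e6f71", "action": "block"},
    {"ray": "7c1a2b3c4d5e6f72", "action": "block"},
    {"ray": "7c1a2b3c4d5e6f70", "action": "allow"},
]
```

An empty `reached` list means none of the blocked requests appear in the origin log; entries in `no_ray` are worth a separate look because they cannot be tied to any WAF event.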