Zone lockdown suddenly stoppped working

I’m unsure what’s the reason behind this issue, my lockdown was working well but today I just sent over slack the URL that we have locked down and to my surprise, the content was displayed on the message (meaning the slack bot was able to view the content).
Upon checking without our business VPN I could see the locked content.

I’m locking a subdomain, my rule looks like the following:
.subdomain.domain/
subdomain.domain/*

It does not seem to take any effect, is there anything I’m doing wrong? The information in this subdomain is a bit critical for us as its for a brand new update that we do not want leaked

I just tried locking the “root” directory of the subdomain, more than 2 minutes have passed and any ip can still access the page.

I may consider that the lock is at least not working with subdomains, can anybody else confirm this?

Is it running on Cloudflare? Is the DNS response a Cloudflare IP?

Could it have been removed from the proxied records?

I was checking that just now, while site appears as “proxied” on Cloudflare, when resolving the subdomain I get my backend IP.

We have been enabling and disabling the firewall as some rules kept giving us issues, we finally disabled the proxy for very short moments but was enabled back.

I think I’m going to try and enable-disable it as it could be a visual error on the dashboard

I don’t think it’s a visual error. Is the domain actually active on Cloudflare? Meaning: do all other subdomains resolve correctly? Are the name servers correctly set?

Also, you should firewall the origin to only Cloudflare IPs.

1 Like

I don’t think it’s a visual error. Is the domain actually active on Cloudflare? Meaning: do all other subdomains resolve correctly?
Yes they do.

Are the name servers correctly set?
Yes.

Also, you should firewall the origin to only Cloudflare IPs.
Note this is a development node, in production we have every ip that is not from cloudflare blacklisted, even for SSH.

I did the disable and re-enable steps I mentioned earlier and the domain is now working well, that was strange.

Glad it’s fixed.