WAF whitelist rules ignored
My server is getting rejected by CF firewall after I added the IP address to my WAF whitelist:
"EU <?xml version="1.0" encoding="UTF-8"?>
<response><return_code>107</return_code><return_message>A request was blocked by the firewall 'Cloudflare', please add IP 104.26.7.23 to the whitelist.</return_message><result></result></response>"
That doesn't look like a standard Cloudflare Block Page, they should look like this:
You're right, but this isn't going over HTTP, I think it's probably JSON using an API or maybe SFTP?
If it is FTP, then it would be using Spectrum, which isn't covered by the WAF.
The WAF only handles HTTP(S)
Thanks for letting me know. I've never heard of Spectrum and never had any issues with SSH/SFTP previously, but it's likely the 3rd-party issues are using UDP to access APIs or webhooks, so I may need this, but I can't find it on my dashboard as suggested in https://developers.cloudflare.com/spectrum/get-started/
Cloudflare Docs, "Get started · Cloudflare Spectrum docs": Spectrum is available on all paid plans. Pro and Business support selected protocols only, whereas Enterprise supports all TCP and UDP based traffic. …
I assume Spectrum remains optional and that the new legacy Woo API may explain the appearance of blocking?
WOO API?
Luminus Alabi, WooCommerce, "WooCommerce REST API": The WooCommerce REST API is a powerful tool for connecting your WooCommerce shop to external systems and resources. Unless you're a developer, in most cases the integration you're working with will only require you to generate API keys for you to enter in their system, and you'll be connected to the external service! This document […]
Not sure I understand. No matter what, if your service isn't using HTTP(S)/WS(S) and attempts to connect through Cloudflare, then you need Spectrum
Sorry for the confusion; I overlooked the fact that REST API works over HTTPS as can be seen using https://web.postman.co but the error messages shown by https://app2.dhlexpresscommerce.com/settings/SettingsAccountingSoftware are limited to 'failed', success or Unsuccessful - {"code":"woocommerce_rest_cannot_view","message":"Sorry, you cannot list resources.","data":{"status":401}}
The last error prompted me to check 'Bot Fight Mode'. Turning this OFF allowed the communication to succeed after weeks of scratching my head and adding the IP addresses to the whitelist, so I blame CF for blocking legitimate traffic with valid keys and DHL for masking the error messages.
Why does 'Bot Fight Mode' block legitimate, whitelisted traffic connecting with valid REST API keys?
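The weeks lost in this thread came from not being able to tell a Cloudflare edge block from a WooCommerce-side key rejection, because the integration collapsed both into "failed". The script below is an added example (not code from Cloudflare, WooCommerce, DHL or anyone in the thread) that classifies a captured HTTP response by layer. It relies on one documented Cloudflare behaviour, the `cf-mitigated: challenge` response header on challenge pages; the remaining heuristics (a 403/503 with a `cf-ray` header and a non-JSON body counts as an edge block, a JSON body whose `code` starts with `woocommerce_rest_` means the request reached WordPress) are this example's own assumptions. All sample responses, the `CF-RAY` value and the order id are constructed to mirror the messages quoted in the thread.

```python
"""Tell a Cloudflare-side block apart from a WooCommerce-side auth failure.

Added example for this thread, not code from Cloudflare, WooCommerce or DHL.
It classifies a captured HTTP response (status, headers, body), so it runs
offline; the sample responses below are constructed, not real captures.
"""
import json
import xml.etree.ElementTree as ET


def classify_response(status, headers, body):
    """Return where the request ended: 'ok', 'woocommerce-auth-error',
    'origin-error', 'cloudflare-challenge', 'cloudflare-block' or 'unknown'."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").lower()

    # Look at the body first: Cloudflare also stamps 'server: cloudflare' on
    # proxied origin responses, so that header alone does not prove an edge block.
    if "application/json" in ctype:
        try:
            payload = json.loads(body)
        except ValueError:
            return "origin-error"
        if isinstance(payload, dict) and str(payload.get("code", "")).startswith("woocommerce_rest_"):
            # The request reached WordPress and WooCommerce itself rejected the
            # consumer key/secret or its permissions (assumption: WAF not involved).
            return "woocommerce-auth-error"
        return "ok" if status == 200 else "origin-error"

    if h.get("server", "").lower() == "cloudflare":
        # Documented Cloudflare behaviour: challenge pages carry cf-mitigated: challenge.
        if h.get("cf-mitigated", "").lower() == "challenge":
            return "cloudflare-challenge"
        # Assumption: a 403/503 with a cf-ray id and a non-JSON body is an edge block page.
        if status in (403, 503) and "cf-ray" in h:
            return "cloudflare-block"
    return "unknown"


def parse_integration_error(xml_text):
    """Pull return_code and return_message out of the XML wrapper quoted in the
    first post (strip any log prefix such as 'EU ' before calling this)."""
    root = ET.fromstring(xml_text)
    return (root.findtext("return_code", default="").strip(),
            root.findtext("return_message", default="").strip())


# Constructed samples (not real captures); header values are placeholders.
WOO_ERROR = {"code": "woocommerce_rest_cannot_view",
             "message": "Sorry, you cannot list resources.",
             "data": {"status": 401}}
SAMPLES = {
    "keys_rejected": (401, {"Server": "cloudflare", "CF-RAY": "0000000000000000-LHR",
                            "Content-Type": "application/json; charset=UTF-8"},
                      json.dumps(WOO_ERROR)),
    "bot_challenge": (403, {"Server": "cloudflare", "CF-Mitigated": "challenge",
                            "Content-Type": "text/html; charset=UTF-8"},
                      "<!DOCTYPE html><html><body>Just a moment...</body></html>"),
    "edge_block": (403, {"Server": "cloudflare", "CF-RAY": "0000000000000000-LHR",
                         "Content-Type": "text/html; charset=UTF-8"},
                   "<!DOCTYPE html><html><title>Attention Required! | Cloudflare</title></html>"),
    "success": (200, {"Server": "cloudflare", "Content-Type": "application/json; charset=UTF-8"},
                json.dumps([{"id": 1001, "status": "processing"}])),
}
DHL_XML = ('<?xml version="1.0" encoding="UTF-8"?><response><return_code>107</return_code>'
           "<return_message>A request was blocked by the firewall 'Cloudflare', "
           "please add IP 104.26.7.23 to the whitelist.</return_message>"
           "<result></result></response>")

if __name__ == "__main__":
    for name, (status, headers, body) in SAMPLES.items():
        print(f"{name:14} -> {classify_response(status, headers, body)}")
    print("DHL wrapper    ->", parse_integration_error(DHL_XML))
```

Against a live shop, feed `classify_response(resp.status_code, resp.headers, resp.text)` from whatever HTTP client you use with the consumer key/secret; a `woocommerce-auth-error` means the keys or their read/write scope are the problem, while `cloudflare-challenge` or `cloudflare-block` means the request never reached WordPress and the fix belongs in the Cloudflare dashboard.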
BFM can’t really be configured, it is either on or off
For something configurable, I would use custom WAF rules, or Super Bot Fight Mode (paid plan)
Yes, I did whitelist the relevant IP addresses in WAF to no avail 😦
I guess I need to pay for BFM to enable reasonable behaviour?
A paid plan on your zone should give you access to SBFM, or you can disable BFM and write some WAF rules manually?