Reputation: 270
I have a Cloudflare Firewall Rule that blocks ASNs from different companies (Amazon, Microsoft, etc.) to prevent attacks from VPS.
(ip.geoip.asnum eq 14618) or (ip.geoip.asnum eq 8075) or (ip.geoip.asnum eq 16276) or (ip.geoip.asnum eq 16509) or (ip.geoip.asnum eq 14061) or (ip.geoip.asnum eq 62567) or (ip.geoip.asnum eq 51167) or (ip.geoip.asnum eq 56617) or (ip.geoip.asnum eq 6188) or (ip.geoip.asnum eq 40819)
The problem is that when I run an Action on my GitHub repository, Cloudflare denies it access to my API URL (due to the rule I already mentioned, since GitHub uses Microsoft services). I need to get an HTTP 200 code in response from my API URL, but since it is blocking the request, I only get an HTTP 403 code (which Cloudflare shows as access denied, error 1020).
I tried to create another Firewall rule to bypass specific URLs of my site, for example: https://example.com?api=secretID
(http.request.full_uri eq "https://example.com?api=secretID1" and http.request.full_uri eq "https://example.com?api=secretID2" and http.request.full_uri eq "https://example.com?api=secretID3" and http.request.full_uri eq "https://example.com?api=secretID4")
But it doesn't work and the requests are still blocked by the first rule. What can I do?
I don't want to disable the main rule because it puts my site at risk.
As you can see I have more than 900 attacks per day.
My GitHub Action makes 3 GET requests per link, and I have 4 links (1 main domain and 3 other subdomains registered as CNAME):
https://example.com/en.php?datazo=secretID
https://sub1.example.com/en.php?datazo=secretID1
https://sub2.example.com/en.php?datazo=secretID2
https://sub3.example.com/en.php?datazo=secretID3
And this is the log from Cloudflare:
Inside log (I used the https://example.com/en.php?datazo=secretID example):
RULE "BYPASSING":
Upvotes: 0
Views: 1409
Reputation: 270
After a few days and responses from Cloudflare support, my solution was this: change my "bypassing" rule to "Allow", since requests that match my filter will not trigger the rest of the firewall rules.
The problem is that "Bypass" was limited exclusively to blocking what was seen in the screenshot, but it allowed the rest of the rules (including the one blocking ASNs) to be executed.
Upvotes: 0
Reputation: 189
Your rule says
(http.request.full_uri eq "https://example.com?api=secretID1" and http.request.full_uri eq "https://example.com?api=secretID2" and http.request.full_uri eq "https://example.com?api=secretID3" and http.request.full_uri eq "https://example.com?api=secretID4")
This would never be true as your URL can never be equal to more than 1 value at any given time.
Maybe change the "and" to "or", or instead of "eq" use "contains", or even better "http.request.uri.query eq" or "http.request.uri.query contains".
Upvotes: 1
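The two fixes from this thread (joining the URL comparisons with "or" on the query string, and using "Allow" instead of "Bypass") can be checked with a small model. This is an added example, not code from any of the posts and not Cloudflare's implementation; the `evaluate` function is a hypothetical simplification that follows the behaviour described in the answers, and the request is constructed from the placeholder URLs and ASN list in the question.

```python
from urllib.parse import urlsplit

# ASNs copied from the block rule in the question.
BLOCKED_ASNS = {14618, 8075, 16276, 16509, 14061, 62567, 51167, 56617, 6188, 40819}
# Placeholder URLs from the question; the real secret IDs are not on the page.
API_URLS = [
    "https://example.com/en.php?datazo=secretID",
    "https://sub1.example.com/en.php?datazo=secretID1",
    "https://sub2.example.com/en.php?datazo=secretID2",
    "https://sub3.example.com/en.php?datazo=secretID3",
]
API_QUERIES = {urlsplit(u).query for u in API_URLS}

def asn_rule(req):
    return req["asn"] in BLOCKED_ASNS

def and_rule(req):
    # Original shape: full_uri eq A and full_uri eq B and ... (never true)
    return all(req["full_uri"] == u for u in API_URLS)

def or_query_rule(req):
    # Suggested shape: http.request.uri.query eq A or ... eq B
    return urlsplit(req["full_uri"]).query in API_QUERIES

def evaluate(rules, req):
    """Simplified model of ordered firewall rules, following the thread:
    Allow ends evaluation, Bypass does not stop later firewall rules."""
    for action, match in rules:
        if not match(req):
            continue
        if action in ("allow", "block"):
            return action
    return "pass"

def demo():
    # Constructed request: a CI runner on one of the blocked ASNs.
    req = {"full_uri": API_URLS[1], "asn": 8075}
    block = ("block", asn_rule)
    return {
        "and + allow": evaluate([("allow", and_rule), block], req),
        "or + bypass": evaluate([("bypass", or_query_rule), block], req),
        "or + allow": evaluate([("allow", or_query_rule), block], req),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

In this model the allow rule treats the query value as a shared secret: any request carrying it skips the ASN block, whatever network it comes from.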