File Manager Blocked by Cloudflare
-
Hello,
Is anyone else having issues where Cloudflare blocks the opening of certain files from within the File Manager? Specifically, it seems to be blocking opening wp-config.php (WordPress Developer).
Ruleset: Cloudflare Managed Log4J Ruleset
Rule: Wordpress - Broken Access Control, File Inclusion
We are on the free plan and it seems to be managed rules. I've attempted to add an exclusion rule, but this still seems to be happening.
Thank you!
-
@girish said in File Manager Blocked by Cloudflare:
Don't really know much about the Cloudflare rules but just want to check if you have asked Cloudflare already? I couldn't find any info or docs on those ruleset/rule.
Yes, they basically said that I'd need to whitelist the IP Address, but that doesn't seem to be working. I'm also wondering if it's because I'm on the free plan.
I've tried various exclusion rules, but there seems to be no change.
-
@JLX89 I can't really reproduce this. I put the dashboard in Cloudflare proxy mode and filemanager works just fine for me.
Do you have some custom WAF rules? My WAF had no rules. I also use Full (Strict) SSL, not sure if that matters. You can change this in SSL -> Overview in Cloudflare.
-
@girish said in File Manager Blocked by Cloudflare:
@JLX89 I can't really reproduce this. I put the dashboard in Cloudflare proxy mode and filemanager works just fine for me.
Do you have some custom WAF rules? My WAF had no rules. I also use Full (Strict) SSL, not sure if that matters. You can change this in SSL -> Overview in Cloudflare.
Thanks for following up! No, no custom WAF rules turned on and I seem to have the same settings you mentioned. The only thing I'm seeing is "Managed rules" for the block and the following URL showing:
/api/v1/apps/{APP-ID}/files/public/wp-config.php
It only seems to be happening when I attempt to edit "wp-config.php" from the file manager -- nothing else.
The full JSON log is:
{
  "action": "block",
  "clientASNDescription": "[REMOVED]",
  "clientAsn": "[REMOVED]",
  "clientCountryName": "US",
  "clientIP": "[REMOVED]",
  "clientRequestHTTPHost": "my.cloudron.tld",
  "clientRequestHTTPMethodName": "GET",
  "clientRequestHTTPProtocol": "HTTP/3",
  "clientRequestPath": "/api/v1/apps/{APP-ID}}/files/public/wp-config.php",
  "clientRequestQuery": "",
  "datetime": "2023-04-20T22:54:30Z",
  "rayName": "7bb0f82d9b63387c",
  "ruleId": "9ce4e284ff2a486aaa37d642bff5a079",
  "rulesetId": "77454fe2d30c4220b5701f6fdfb893ba",
  "source": "firewallManaged",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36",
  "matchIndex": 0,
  "metadata": [
    { "key": "ruleset_version", "value": "50" },
    { "key": "version", "value": "32" },
    { "key": "type", "value": "customer" }
  ],
  "sampleInterval": 1
}
Thank you!
-
@girish So I actually seemed to have gotten this fixed, but still can't explain why that rule is blocking traffic. I'm actually not sure to what extent Cloudflare publishes information about the rules, so they're not circumvented.
So essentially I just "jiggled the handle" and flipped proxying on and off and did the same with the "Custom Firewall Rule" I created and it started working.
The expression for anyone else that seems to be having this issue is:
(http.request.uri.path eq "/api" and http.request.method eq "GET" and http.host eq "my.cloudron.tld" and ip.src eq {YOUR-IP-ADDRESS})
-
This seems to be popping up again since the upgrade to Cloudron v7.5.0 with the updates to the file manager. It seems Cloudflare is back at it and blocking viewing / editing wp-config.php via the File Manager. Instead of seeing the default Cloudflare block page, it now seems to be showing within the file manager with the HTML/CSS of the Cloudflare Block Page.
Does anyone have any further thoughts on this?
-
@girish Thanks for following up with me on this! Yes, I've attempted to adjust the rules in place that worked previously but they're not working. I know that Cloudflare updated their Rules engine and have set up another test rule with some variations, still no luck.
The following is the excerpt from the Cloudflare log:
Ruleset: Cloudflare Managed Log4J Ruleset
Rule: Wordpress - Broken Access Control, File Inclusion
{
  "action": "block",
  "clientRequestHTTPMethodName": "GET",
  "clientRequestHTTPProtocol": "HTTP/3",
  "clientRequestPath": "/api/v1/apps/[app-id]/files/public/wp-config.php",
  "clientRequestQuery": "?access_token=[access-token]",
  "datetime": "2023-07-05T18:59:18Z",
  "rayName": "7e21d82a9e5b2419",
  "ruleId": "9ce4e284ff2a486aaa37d642bff5a079",
  "rulesetId": "77454fe2d30c4220b5701f6fdfb893ba",
  "source": "firewallManaged",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
  "matchIndex": 0,
  "metadata": [
    {
      "key": "ruleset_version",
      "value": "51"
    },
    {
      "key": "version",
      "value": "33"
    },
    {
      "key": "type",
      "value": "customer"
    }
  ],
  "sampleInterval": 1
}
-
Alright, I've got another update and seemed to have reworked things so this is fixed. I've removed all of the old rules and created a new one under WAF Rules using the following:
(http.host eq "https://my.cloudron.tld" and ip.src eq 127.0.0.1 and http.request.uri.path contains "/filemanager/") or (http.request.uri.path contains "/api/v1/apps")
- Then take action: Skip
- Log matching requests: turned on
- WAF components to skip: All managed rules
- More components to skip: Managed rules (previous versions)
Note: Edit the items in bold to reflect your Cloudron Domain and your IP Address.
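-
Added example, not part of the original posts and not Cloudron or Cloudflare code: a skip rule that covers every path containing /api/v1/apps and all managed rules is wider than the one blocked request needs, so this sketch derives an exception from the logged event that is pinned to one host, path, method, source IP and the single rule ID that fired. Assumptions: the payload shape follows the Cloudflare Rulesets API skip action for managed-rule exceptions (whether a given plan allows it is not established by the thread), `build_exception` and `in_scope` are hypothetical helper names, and the IP and app ID are constructed placeholders.

```python
import ipaddress
import json

# Constructed sample: fields from the blocked event quoted in the thread, with a
# placeholder app ID (the thread redacts the real one).
EVENT = json.loads("""{
  "action": "block", "source": "firewallManaged",
  "clientRequestHTTPHost": "my.cloudron.tld",
  "clientRequestHTTPMethodName": "GET",
  "clientRequestPath": "/api/v1/apps/APP-ID/files/public/wp-config.php",
  "ruleId": "9ce4e284ff2a486aaa37d642bff5a079",
  "rulesetId": "77454fe2d30c4220b5701f6fdfb893ba"
}""")


def build_exception(event, admin_ip):
    """Build a skip rule scoped to one host, path, method, IP and managed rule."""
    if event.get("source") != "firewallManaged" or event.get("action") != "block":
        raise ValueError("not a managed-rule block event")
    ip = ipaddress.ip_address(admin_ip)      # raises ValueError on a non-address
    host = event["clientRequestHTTPHost"]    # http.host is a bare hostname, no scheme
    method = event["clientRequestHTTPMethodName"]
    path = event["clientRequestPath"]
    if any(c in '"\\' for c in host + method + path):
        raise ValueError("refusing to embed quote characters in the expression")
    return {
        "description": "File Manager: admin opens wp-config.php",
        "action": "skip",
        # Skip only the rule that fired; every other managed rule stays active.
        "action_parameters": {"rules": {event["rulesetId"]: [event["ruleId"]]}},
        "expression": (
            f'(http.host eq "{host}" and ip.src eq {ip} '
            f'and http.request.method eq "{method}" '
            f'and http.request.uri.path eq "{path}")'
        ),
    }


def in_scope(req, event, admin_ip):
    """Local mirror of the expression, to check scope before deploying the rule."""
    return (
        req["host"] == event["clientRequestHTTPHost"]
        and ipaddress.ip_address(req["ip"]) == ipaddress.ip_address(admin_ip)
        and req["method"] == event["clientRequestHTTPMethodName"]
        and req["path"] == event["clientRequestPath"]
    )
```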