Whitelisting CloudFlare
Ideally this would be more restrictive, but I don't know any other way of accomplishing this besides whitelisting all Cloudflare IPs.
I now get a critical warning (http://www.atomicorp.com/wiki/index.php/Vuln_o ... t-critical) for doing so. While I understand the necessity for this warning, how do I disable it?
Suggestions how to make the whitelist less permissive are also welcome.
Thanks
CentOS 6.9
ASL 4.0.19-37
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Whitelisting CloudFlare
If I understand you correctly, make sure you install the cloudflare module, from cloudflare, that will pass on the real IP address of the client. If you have that installed, ASL won't block the cloudflare proxies in that case, as it will only see the real IP passed on from CF. So you shouldn't have to whitelist anything.
Be careful to not enable the WAF whitelisting rules though if you do whitelist CFs proxies. If you do this, the WAF will ignore all attacks that pass thru the CF proxies.
> I now get a critical warning for doing so. While I understand the necessity for this warning, how do I disable it?
You can not disable this warning.
Michael Shinn
Atomicorp - Security For Everyone
Re: Whitelisting CloudFlare
mikeshinn wrote:
> If I understand you correctly, make sure you install the cloudflare module, from cloudflare, that will pass on the real IP address of the client. If you have that installed, ASL won't block the cloudflare proxies in that case, as it will only see the real IP passed on from CF. So you shouldn't have to whitelist anything.
> Be careful to not enable the WAF whitelisting rules though if you do whitelist CFs proxies. If you do this, the WAF will ignore all attacks that pass thru the CF proxies.
>> I now get a critical warning for doing so. While I understand the necessity for this warning, how do I disable it?
> You can not disable this warning.
Cloudflare is enabled via the W3TC WordPress plugin and mod_cloudflare is not installed. The plugin allows for the real IP to be seen at WordPress, but not at server level. I will be installing mod_cloudflare.
PS: I also had to disable a WAF rule (391213) for the vhost in question.
Thanks!
CentOS 6.9
ASL 4.0.19-37
Re: Whitelisting CloudFlare
What's the proper place to put new modules (mod_cloudflare) in?
/var/asl/usr/lib64/httpd/modules/ or /usr/lib64/httpd/modules/
Thanks
CentOS 6.9
ASL 4.0.19-37
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Whitelisting CloudFlare
> PS: I also had to disable a WAF rule (391213) for the vhost in question.
We do not recommend you do that. That rule prevents an attacker from using a content type that the WAF does not understand. Disabling that rule will allow an attacker to obfuscate an attack that the WAF will not detect.
If you believe that is a content type that should be understood, please submit a false positive.
> What's the proper place to put new modules (mod_cloudflare) in?
> /var/asl/usr/lib64/httpd/modules/ or /usr/lib64/httpd/modules/
ASL does not require modification to work with CF, so do not modify or add anything in the /var/asl/usr/lib64/httpd/modules/ directory; only the system's Apache server will need that module. You will need to ask CF how to install their module, as you will need one compiled for the version of Apache you have installed.
Michael Shinn
Atomicorp - Security For Everyone
Re: Whitelisting CloudFlare
mikeshinn wrote:
>> PS: I also had to disable a WAF rule (391213) for the vhost in question.
> We do not recommend you do that. That rule prevents an attacker from using a content type that the WAF does not understand. Disabling that rule will allow an attacker to obfuscate an attack that the WAF will not detect.
> If you believe that is a content type that should be understood, please submit a false positive.
Is the fact that a Cloudflare IP repeatedly makes a request that triggers that rule enough to consider it a false positive?
[modsecurity] [client 173.245.51.101] [domain www.mydomain.org] [403] [/20120905/20120905-1853/20120905-185310-UEeflrhfIMMAAArwTtYAAAAJ] [file "/etc/httpd/modsecurity.d/01_asl_content.conf"] [line "51"] [id "391213"] [msg "Atomicorp.com WAF Rules: Request content type is not allowed by policy"] [data "application/json"] [severity "WARNING"] Access denied with code 403 (phase 1). Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required.
CentOS 6.9
ASL 4.0.19-37
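As an added illustration (not code from this thread or from Atomicorp), a small triage helper that parses ASL WAF log lines in the bracketed format quoted above and flags whether the logged client address belongs to the CDN. This is the point the staff reply makes: a hit from a CDN proxy address is not by itself a false positive, because the real client behind the proxy is hidden. The CDN ranges and the second log line are constructed samples; the 391213 and 340165 rule ids and the first log line come from the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of CDN proxy ranges, illustrative only: replace with the
# CDN's own published list (Cloudflare and MaxCDN each publish theirs).
CDN_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20",   # covers the proxy IP quoted in the thread's log line
)]

# ASL/ModSecurity log fields look like [client 1.2.3.4] or [id "391213"].
FIELD_RE = re.compile(r'\[(\w+) (?:"([^"]*)"|([^\]]*))\]')

def parse_asl_line(line):
    """Return the bracketed key/value fields of one ASL WAF log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def client_is_cdn_proxy(ip_str, ranges=CDN_RANGES):
    """True when the logged client address falls inside one of the CDN ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in ranges)

def triage(line, ranges=CDN_RANGES):
    """Classify one blocked request so an analyst knows what the client IP means."""
    f = parse_asl_line(line)
    via_cdn = client_is_cdn_proxy(f["client"], ranges)
    return {
        "rule_id": f.get("id"),
        "client": f["client"],
        "data": f.get("data"),
        "via_cdn_proxy": via_cdn,
        # A proxy address says nothing about the real client: the CDN forwards
        # legitimate requests and attacks alike, so this alone is not an FP signal.
        "real_client_known": not via_cdn,
    }

def summarize(lines, ranges=CDN_RANGES):
    """Count hits per (rule id, via_cdn_proxy) pair across many log lines."""
    return Counter((t["rule_id"], t["via_cdn_proxy"]) for t in (triage(l, ranges) for l in lines))

# Sample input: the first line is a shortened copy of the one quoted in the thread;
# the second is constructed (RFC 5737 client address, placeholder msg/data text).
SAMPLE_LOG = [
    '[modsecurity] [client 173.245.51.101] [domain www.mydomain.org] [403] [id "391213"] '
    '[msg "Atomicorp.com WAF Rules: Request content type is not allowed by policy"] '
    '[data "application/json"] [severity "WARNING"] Access denied with code 403 (phase 1).',
    '[modsecurity] [client 192.0.2.7] [domain www.mydomain.org] [403] [id "340165"] '
    '[msg "constructed sample"] [data "constructed"] [severity "CRITICAL"] Access denied.',
]
```

Running `summarize` over a day of logs shows which rules fire only behind the CDN; those are candidates for an FP report, not for disabling the rule.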
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Whitelisting CloudFlare
Yep, submit it as an FP so we can see what it's doing (an FP report from the GUI sends us the full payload).
Michael Shinn
Atomicorp - Security For Everyone
Re: Whitelisting CloudFlare
mikeshinn wrote:
> Yep, submit it as an FP so we can see what it's doing (an FP report from the GUI sends us the full payload).
Done. Thanks.
CentOS 6.9
ASL 4.0.19-37
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Whitelisting CloudFlare
And rule update now available.
Michael Shinn
Atomicorp - Security For Everyone
Re: Whitelisting CloudFlare
mikeshinn wrote:
> And rule update now available.
Thanks. I also submitted another report for 340165 in the same situation (though it only occurred once).
asl -u got me a "GC Warning: Repeated allocation of very large block (appr. size 16781312): May lead to memory leak and poor performance."
CentOS 6.9
ASL 4.0.19-37
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Whitelisting CloudFlare
> Thanks. I also submitted another report for 340165 in the same situation (though it only occurred once).
That one was a real attack on your system. So definitely don't disable that rule; that was a PHP CGI attack on your system, which ASL blocked.
Michael Shinn
Atomicorp - Security For Everyone
Re: Whitelisting CloudFlare
I know this is an old thread, but I wanted to add something that might be helpful.
Even with mod_cloudflare installed, CloudFlare says that their IPs should be whitelisted. Yes, mod_cloudflare will pass the source IPs, but only after mod_cloudflare is invoked for this purpose. The firewall is in front of this, so the firewall should be presented with the CloudFlare IPs...not the source IPs. Therefore, a lot of CloudFlare traffic could trigger rate limits and such.
So, the best we can figure is to whitelist all zillion CloudFlare IPs...and, as Atomicorp pointed out earlier, in this case you should NOT activate the Whitelist ruleset.
I hope this helps!
Re: Whitelisting CloudFlare
markb1439 wrote:
> I know this is an old thread, but I wanted to add something that might be helpful.
> Even with mod_cloudflare installed, CloudFlare says that their IPs should be whitelisted. Yes, mod_cloudflare will pass the source IPs, but only after mod_cloudflare is invoked for this purpose. The firewall is in front of this, so the firewall should be presented with the CloudFlare IPs...not the source IPs. Therefore, a lot of CloudFlare traffic could trigger rate limits and such.
> So, the best we can figure is to whitelist all zillion CloudFlare IPs...and, as Atomicorp pointed out earlier, in this case you should NOT activate the Whitelist ruleset.
> I hope this helps!
Mike Shinn confirms this?
CentOS 6.9
ASL 4.0.19-37
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Whitelisting CloudFlare
If you're going to whitelist a CDN, yes, do not enable the whitelist ruleset for the WAF.
Michael Shinn
Atomicorp - Security For Everyone
- Forum User
- Posts: 86
- Joined: Wed Oct 03, 2012 2:51 pm
- Location: Algiers
Re: Whitelisting CloudFlare
I am bumping this topic because I am facing the same problem: ASL blocks IPs of the CDN (tested with Cloudflare and MaxCDN).
The indicated solution is to list the IPs in the whitelist, but is it safe to include several hundred IPs in the whitelist?
Is there not a different way to do this?