Whitelisting CloudFlare

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
gaia
Forum Regular
Posts: 213
Joined: Tue Jun 09, 2009 12:57 pm

Whitelisting CloudFlare

Unread post by gaia »

Ideally this would be more restrictive, but I don't know any other way of accomplishing this besides whitelisting all Cloudflare IPs.

I now get a [url=http://www.atomicorp.com/wiki/index.php/Vuln_o ... t-critical]critical warning[/url] for doing so. While I understand the necessity for this warning, how do I disable it?

Suggestions how to make the whitelist less permissive are also welcome.

Thanks
CentOS 6.9
ASL 4.0.19-37
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Whitelisting CloudFlare

Unread post by mikeshinn »

If I understand you correctly, make sure you install the Cloudflare module, from Cloudflare, that will pass on the real IP address of the client. If you have that installed, ASL won't block the Cloudflare proxies in that case, as it will only see the real IP passed on from CF. So you shouldn't have to whitelist anything.

Be careful not to enable the WAF whitelisting rules though if you do whitelist CF's proxies. If you do this, the WAF will ignore all attacks that pass through the CF proxies.
I now get a critical warning for doing so. While I understand the necessity for this warning, how do I disable it?
You can not disable this warning.
gaia
Forum Regular
Posts: 213
Joined: Tue Jun 09, 2009 12:57 pm

Re: Whitelisting CloudFlare

Unread post by gaia »

mikeshinn wrote:If I understand you correctly, make sure you install the Cloudflare module, from Cloudflare, that will pass on the real IP address of the client. If you have that installed, ASL won't block the Cloudflare proxies in that case, as it will only see the real IP passed on from CF. So you shouldn't have to whitelist anything.

Be careful not to enable the WAF whitelisting rules though if you do whitelist CF's proxies. If you do this, the WAF will ignore all attacks that pass through the CF proxies.
I now get a critical warning for doing so. While I understand the necessity for this warning, how do I disable it?
You can not disable this warning.
Cloudflare is enabled via the W3TC WordPress plugin and mod_cloudflare is not installed. The plugin allows the real IP to be seen at the WordPress level, but not at the server level. I will be installing mod_cloudflare.

PS: I also had to disable a WAF rule (391213) for the vhost in question.

Thanks!
CentOS 6.9
ASL 4.0.19-37
gaia
Forum Regular
Posts: 213
Joined: Tue Jun 09, 2009 12:57 pm

Re: Whitelisting CloudFlare

Unread post by gaia »

What's the proper place to put new modules (mod_cloudflare) in?

/var/asl/usr/lib64/httpd/modules/ or /usr/lib64/httpd/modules/

Thanks
CentOS 6.9
ASL 4.0.19-37
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Whitelisting CloudFlare

Unread post by mikeshinn »

PS: I also had to disable a WAF rule (391213) for the vhost in question.
We do not recommend you do that. That rule prevents an attacker from using a content type that the WAF does not understand. Disabling that rule will allow an attacker to obfuscate an attack that the WAF will not detect.

If you believe that is a content type that should be understood, please submit a false positive.
What's the proper place to put new modules (mod_cloudflare) in?

/var/asl/usr/lib64/httpd/modules/ or /usr/lib64/httpd/modules/
ASL does not require modification to work with CF, so do not modify or add anything in the /var/asl/usr/lib64/httpd/modules/ directory; only the system's Apache server will need that module. You will need to ask CF how to install their module, as you will need one compiled for the version of Apache you have installed.
gaia
Forum Regular
Posts: 213
Joined: Tue Jun 09, 2009 12:57 pm

Re: Whitelisting CloudFlare

Unread post by gaia »

mikeshinn wrote:
PS: I also had to disable a WAF rule (391213) for the vhost in question.
We do not recommend you do that. That rule prevents an attacker from using a content type that the WAF does not understand. Disabling that rule will allow an attacker to obfuscate an attack that the WAF will not detect.

If you believe that is a content type that should be understood, please submit a false positive.
Is the fact that a Cloudflare IP repeatedly makes a request that triggers that rule enough to consider it a false positive?

[modsecurity] [client 173.245.51.101] [domain www.mydomain.org] [403] [/20120905/20120905-1853/20120905-185310-UEeflrhfIMMAAArwTtYAAAAJ] [file "/etc/httpd/modsecurity.d/01_asl_content.conf"] [line "51"] [id "391213"] [msg "Atomicorp.com WAF Rules: Request content type is not allowed by policy"] [data "application/json"] [severity "WARNING"] Access denied with code 403 (phase 1). Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required.
CentOS 6.9
ASL 4.0.19-37
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Whitelisting CloudFlare

Unread post by mikeshinn »

Yep, submit it as an FP so we can see what it's doing (an FP report from the GUI sends us the full payload).
gaia
Forum Regular
Posts: 213
Joined: Tue Jun 09, 2009 12:57 pm

Re: Whitelisting CloudFlare

Unread post by gaia »

mikeshinn wrote:Yep, submit it as an FP so we can see what it's doing (an FP report from the GUI sends us the full payload).
Done. Thanks.
CentOS 6.9
ASL 4.0.19-37
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Whitelisting CloudFlare

Unread post by mikeshinn »

And a rule update is now available.
gaia
Forum Regular
Posts: 213
Joined: Tue Jun 09, 2009 12:57 pm

Re: Whitelisting CloudFlare

Unread post by gaia »

mikeshinn wrote:And a rule update is now available.
Thanks. I also submitted another report for 340165 in the same situation (though it only occurred once).

asl -u got me a "GC Warning: Repeated allocation of very large block (appr. size 16781312): May lead to memory leak and poor performance."
CentOS 6.9
ASL 4.0.19-37
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Whitelisting CloudFlare

Unread post by mikeshinn »

Thanks. I also submitted another report for 340165 in the same situation (though it only occurred once).
That one was a real attack on your system. So definitely don't disable that rule; that was a PHP CGI attack on your system, which ASL blocked.
markb1439
Forum User
Posts: 51
Joined: Thu Mar 15, 2012 5:52 pm
Location: United States

Re: Whitelisting CloudFlare

Unread post by markb1439 »

I know this is an old thread, but I wanted to add something that might be helpful.

Even with mod_cloudflare installed, Cloudflare says that their IPs should be whitelisted. Yes, mod_cloudflare will pass the source IPs, but only after mod_cloudflare is invoked for this purpose. The firewall is in front of this, so the firewall will be presented with the Cloudflare IPs, not the source IPs. Therefore, a lot of Cloudflare traffic could trigger rate limits and such.

So, the best we can figure is to whitelist all zillion Cloudflare IPs, and, as Atomicorp pointed out earlier, in this case you should NOT activate the Whitelist ruleset.

I hope this helps!
gaia
Forum Regular
Posts: 213
Joined: Tue Jun 09, 2009 12:57 pm

Re: Whitelisting CloudFlare

Unread post by gaia »

markb1439 wrote:I know this is an old thread, but I wanted to add something that might be helpful.

Even with mod_cloudflare installed, Cloudflare says that their IPs should be whitelisted. Yes, mod_cloudflare will pass the source IPs, but only after mod_cloudflare is invoked for this purpose. The firewall is in front of this, so the firewall will be presented with the Cloudflare IPs, not the source IPs. Therefore, a lot of Cloudflare traffic could trigger rate limits and such.

So, the best we can figure is to whitelist all zillion Cloudflare IPs, and, as Atomicorp pointed out earlier, in this case you should NOT activate the Whitelist ruleset.

I hope this helps!
Mike Shinn confirms this?
CentOS 6.9
ASL 4.0.19-37
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Whitelisting CloudFlare

Unread post by mikeshinn »

If you're going to whitelist a CDN, yes, do not enable the whitelist ruleset for the WAF.
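The two practical points in this thread, that the real client address is only meaningful once the connection is known to come from a Cloudflare edge, and that a rule such as 391213 firing repeatedly from CDN addresses for one content type is the kind of pattern worth triaging as a possible false positive before anything is disabled, can be exercised with a small script. This is an added example, not Atomicorp's or Cloudflare's code; the prefix list is an abbreviated illustration (a real deployment must load the complete, current list Cloudflare publishes), the header name assumed is Cloudflare's CF-Connecting-IP, and the log lines are constructed in the format of the line quoted above.

```python
import ipaddress
import re
from collections import defaultdict

# Abbreviated, illustrative list of Cloudflare edge prefixes (assumption for
# this example). Two published prefixes are used so the thread's own log line
# (client 173.245.51.101) classifies as an edge; a deployment must load the
# complete, current list Cloudflare publishes instead of hard-coding it.
CLOUDFLARE_PREFIXES = [
    ipaddress.ip_network(p) for p in ("173.245.48.0/20", "103.21.244.0/22")
]

# Fields of interest in an ASL/ModSecurity log line: peer address, rule id and
# the matched data (for rule 391213 the data is the request Content-Type).
_LOG_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\].*?'
    r'\[id "(?P<id>\d+)"\].*?'
    r'\[data "(?P<data>[^"]*)"\]'
)


def is_cloudflare_edge(ip: str) -> bool:
    """True if the TCP peer address belongs to one of the listed CDN prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_PREFIXES)


def real_client_ip(peer_ip: str, headers: dict) -> str:
    """Return the address the firewall/WAF should attribute the request to.

    CF-Connecting-IP is honoured only when the connection really came from a
    Cloudflare edge; otherwise any client could set the header itself and
    have per-IP limits or blocks applied to an address of its choosing.
    A missing or malformed header value falls back to the peer address.
    """
    if is_cloudflare_edge(peer_ip):
        forwarded = headers.get("CF-Connecting-IP", "").strip()
        try:
            return str(ipaddress.ip_address(forwarded))
        except ValueError:
            pass
    return peer_ip


def parse_modsec_line(line: str):
    """Extract client, rule id and matched data; None if the line has none."""
    m = _LOG_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Count hits per (rule id, data), split by whether the peer was a CDN edge.

    A rule that fires repeatedly only from CDN edges for the same data is a
    candidate for a false-positive report; one that also fires from arbitrary
    addresses deserves a closer look before any rule is relaxed.
    """
    counts = defaultdict(lambda: {"cdn": 0, "direct": 0})
    for line in lines:
        rec = parse_modsec_line(line)
        if rec is None:
            continue
        bucket = "cdn" if is_cloudflare_edge(rec["client"]) else "direct"
        counts[(rec["id"], rec["data"])][bucket] += 1
    return dict(counts)


# Constructed sample input: the first line is the one quoted in the thread;
# the other two are made up in the same format for this demonstration.
SAMPLE_LINES = [
    '[modsecurity] [client 173.245.51.101] [domain www.mydomain.org] [403] '
    '[/20120905/20120905-1853/20120905-185310-UEeflrhfIMMAAArwTtYAAAAJ] '
    '[file "/etc/httpd/modsecurity.d/01_asl_content.conf"] [line "51"] '
    '[id "391213"] [msg "Atomicorp.com WAF Rules: Request content type is not '
    'allowed by policy"] [data "application/json"] [severity "WARNING"] '
    'Access denied with code 403 (phase 1).',
    '[modsecurity] [client 173.245.51.102] [domain www.mydomain.org] [403] '
    '[file "/etc/httpd/modsecurity.d/01_asl_content.conf"] [line "51"] '
    '[id "391213"] [msg "Atomicorp.com WAF Rules: Request content type is not '
    'allowed by policy"] [data "application/json"] [severity "WARNING"] '
    'Access denied with code 403 (phase 1).',
    '[modsecurity] [client 198.51.100.9] [domain www.mydomain.org] [403] '
    '[file "/etc/httpd/modsecurity.d/01_asl_content.conf"] [line "51"] '
    '[id "391213"] [msg "Atomicorp.com WAF Rules: Request content type is not '
    'allowed by policy"] [data "text/xml"] [severity "WARNING"] '
    'Access denied with code 403 (phase 1).',
]

if __name__ == "__main__":
    for key, c in sorted(summarize(SAMPLE_LINES).items()):
        print(key, c)
    print(real_client_ip("173.245.51.101", {"CF-Connecting-IP": "203.0.113.7"}))
```

Run against the sample, the summary shows rule 391213 hitting twice from CDN edges for application/json and once from a non-CDN address for text/xml; only the former matches the "repeatedly, from Cloudflare, same content type" pattern discussed above, and even that is grounds for an FP report rather than for switching the rule off. The real_client_ip check is the same trust decision mod_cloudflare makes inside Apache: the forwarded address is believed only when the peer is an edge, which is why a firewall that sits in front of Apache still sees the edge addresses.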
copernic2006
Forum User
Posts: 86
Joined: Wed Oct 03, 2012 2:51 pm
Location: Algiers

Re: Whitelisting CloudFlare

Unread post by copernic2006 »

I'm bumping this topic because I am facing the same problem: ASL blocks the IPs of the CDN (tested with Cloudflare and MaxCDN).
The indicated solution is to list the IPs in the whitelist. But is it safe to include several hundred IPs in the whitelist?
Isn't there a different way to do it?