Cloudflare Pro and htaccess setup causing errors/warnings for Rewrite URLs and REST API

[Clover13]

Figured I'd ask in this forum to see if any other site owners or developers have any insight into this issue I'm experiencing on one of my sites.

The setup:

• 1 server that hosts 3 IPS sites.  All sites running the same version of IPS (latest patched).
• 1 site uses Cloudflare Pro, 2 sites use Cloudflare Free
• CF Pro site gets a warning/error in the AdminCP indicating rewriting does not seem to be working, however the FURLs do work OK.
• CF Pro site does not work with the AdminCP API.  It loops to the same screen with Continue despite the .htaccess being in the proper /api directory.
• The other 2 sites using CF Free do not experience this issue.
• Disabling CF on the CF Pro site resolves the issues with the errors/warnings and the API screen works fine (without changing anything else).  This isolates the problem to something with CF Pro however I've been through every setting and compared to the other 2 CF Free sites and cannot identify anything that would be causing this.

Anyone have any ideas?

[Ryan Ashbrook]

It's likely that Cloudflare is detecting that the IP the request is coming from is from a server / data center, and is blocking it as automated traffic.

When the Admin CP tests for these things, it makes an HTTP request to https://example.com/login/ for FURLs, and to https://example.com/api/core/hello for the API.

[Clover13]

7 minutes ago, Ryan Ashbrook said:

It's likely that Cloudflare is detecting that the IP the request is coming from is from a server / data center, and is blocking it as automated traffic.

When the Admin CP tests for these things, it makes an HTTP request to https://example.com/login/ for FURLs, and to https://example.com/api/core/hello for the API.

But only the CF Pro account and domain would do this, not the 2 other CF Free accounts and domains?

[Ryan Ashbrook]

1 minute ago, Clover13 said:

But only the CF Pro account and domain would do this, not the 2 other CF Free accounts and domains?

Most likely - on their site, the Pro account advertises that they have blocking / challenging of automated traffic. In most cases, this is simply detecting that the request is coming from an IP from a data center and not an actual ISP (I should know, our corporate VPN gets hit by this all. the. time.).

[Clover13]

43 minutes ago, Ryan Ashbrook said:

Most likely - on their site, the Pro account advertises that they have blocking / challenging of automated traffic. In most cases, this is simply detecting that the request is coming from an IP from a data center and not an actual ISP (I should know, our corporate VPN gets hit by this all. the. time.).

What fix did you implement for the corp VPN? 🙂

[Randy Calvert]

You don’t for a VPN.  IPS would not  control the Cloudflare site they are visiting to adjust the settings. They would have to tell their customers to turn off cloudflare for their site while troubleshooting. 

For what can you do as the site owner?  Turn off all bot related protections. That will help you confirm it is a bot issue. Once confirmed, you could whitelist your server’s IP. If other third party servers are also accessing the IP, you might have to whitelist those IPs as well. 

Edited April 18 by Randy Calvert

[Clover13]

I got it, thanks @Ryan Ashbrook

Whitelisted the server IP at:  Security → WAF → Tools → IP Access Rules

[Marc Stridgen]

15 hours ago, Clover13 said:

What fix did you implement for the corp VPN? 🙂

What my colleague is saying, is we hit them. Not that we fixed it 🙂