User-Agent block with cloudflare mixed in

1. Output of caddy version:

v2.5.2 h1:eCJdLyEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs=

2. How I run Caddy:

caddy run

a. System environment:

Windows 11

d. My complete Caddy config:

domain {
        header X-Real-IP {http.request.header.CF-Connecting-IP}
        header X-Forwarded-For {http.request.header.CF-Connecting-IP}
        header X-Forwarded-Host {http.request.hostport}
        encode gzip

        #SSL Settings
        tls mail@mail.com {
                dns cloudflare key
                resolvers 1.1.1.1
        }

        @blocked {
                #Only allow user-agents specified below and block everything else
                not header_regexp User-Agent (?i)(TestName1*|TestName2*|cdn*)
                remote_ip private_ranges
        }
        handle @blocked {
                abort
        }

        handle {
                @public {
                        #Allow lan ip's to skip basicAuth
                        not remote_ip private_ranges
                }
                basicauth @public {
                        USERNAME PASSWORD
                }
                handle_path /test {
                        root * C:\test.txt
                        file_server browse
                }
        }
}

3. The problem I’m having:

My last topic was about how to block any User-Agent in incoming requests but allow specific named User-Agents to get a response.

I want to mix Cloudflare into this script that @francislavoie helped me with. Again, thanks :smiley:

The new problem is that I now get 520 responses, since it is now effectively blocking all User-Agents but the ones stated in my Caddyfile.

It seems it also blocks Cloudflare's own User-Agent internally, because I'm being met by a 520 response now.

If I however add cdn* to the Caddyfile, which I think is what Cloudflare itself uses, then it works in the sense that it actually ignores everything and makes all the other User-Agents and the script obsolete, as if the script was never there…

Is the script wasted when you use Cloudflare as a tunnel, or can it be altered in a way that makes it work like it's supposed to when Cloudflare is not in the mix?

Maybe it's the wrong way to handle this; maybe blocking all User-Agents via Cloudflare's own panel is the right way to do it, if it's even possible?

Cloudflare doesn't have its own User-Agent when proxying requests.

I just made a request to one of my websites just now, with access logging enabled, and I see:

      "User-Agent": [
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0"
      ],

Indicating that the User-Agent was passed through unchanged from my browser as it passed through the Cloudflare edge.

That appears to be a denylist-only system; no allowlist that I can see, unfortunately.

Can you then explain to me why, when cdn* is added, I'm allowed to get through all of a sudden?

Or is my case-sensitive block not properly made?

I added this to it after some reading, but I'm now unsure if it's correct:

(?i)

Edit… Okay, I should not stay up all night trying to figure it out…

The method I added does not work at all; the 520 error is in fact what I want when it's effectively working, since it drops the request and returns 0.

I Changed from this

not header_regexp User-Agent (?i)(TestName1*|TestName2*|cdn*)

Back to this

not header_regexp User-Agent TestName1*|TestName2*

So how would I effectively change this to make sure it can also detect case-sensitively?

I think you might want (?i:TestName1*|TestName2*)?

Based on: Syntax · google/re2 Wiki · GitHub

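To make the two answers above concrete, here is an added example (not code from the thread or from Caddy itself) that reproduces the @blocked matcher in plain Go. Caddy's header_regexp uses Go's regexp package (RE2 syntax) and matches unanchored, so MatchString is the same check; the private_ranges CIDR list is an assumption copied from the Caddy docs rather than imported from Caddy. It shows that (?i)(...) and (?i:...) behave identically, that the original pattern is case-sensitive, that a trailing * only quantifies the preceding character (so TestName1* also accepts a bare "TestName", and cdn* accepts any header containing "cd"), and that the block only fires when the peer IP is private. The "intended" pattern is my assumption of what the allowlist was meant to express, and the sample requests are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
)

// privateRanges is the CIDR list Caddy's remote_ip matcher expands
// private_ranges to (assumption: copied from the Caddy docs, not from Caddy).
var privateRanges = []netip.Prefix{
	netip.MustParsePrefix("192.168.0.0/16"),
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("127.0.0.0/8"),
	netip.MustParsePrefix("fd00::/8"),
	netip.MustParsePrefix("::1/128"),
}

// Allowlist variants from the thread. header_regexp is an unanchored search,
// which is exactly what regexp.MatchString does.
var (
	// Original pattern: case-sensitive, and "1*" means "zero or more '1'",
	// so a bare "TestName" is accepted too.
	original = regexp.MustCompile(`TestName1*|TestName2*`)
	// The two case-insensitive spellings are equivalent.
	flagPrefix = regexp.MustCompile(`(?i)(TestName1*|TestName2*)`)
	flagGroup  = regexp.MustCompile(`(?i:TestName1*|TestName2*)`)
	// Assumed intent: literal names, case-insensitive, anchored to the start
	// of the header so neither "TestName" alone nor "xTestName1" passes.
	intended = regexp.MustCompile(`(?i)^(TestName1|TestName2)\b`)
)

// Matches reports whether pattern matches ua the way header_regexp does.
func Matches(pattern, ua string) bool {
	return regexp.MustCompile(pattern).MatchString(ua)
}

func isPrivate(ip netip.Addr) bool {
	for _, p := range privateRanges {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// Blocked reproduces the @blocked matcher: all sub-matchers must match, so a
// request is aborted only when the User-Agent does NOT match the allowlist
// AND the peer IP is inside private_ranges.
func Blocked(allow *regexp.Regexp, ua, remoteIP string) bool {
	ip, err := netip.ParseAddr(remoteIP)
	if err != nil {
		return false // remote_ip cannot match an unparsable peer address
	}
	return !allow.MatchString(ua) && isPrivate(ip)
}

func main() {
	// Constructed sample requests: User-Agent and peer IP.
	samples := [][2]string{
		{"TestName1/1.0", "192.168.1.10"},
		{"testname1/1.0", "192.168.1.10"},
		{"TestName/9", "10.0.0.5"},
		{"curl/8.0", "127.0.0.1"},
		{"curl/8.0", "203.0.113.9"},
	}
	patterns := []struct {
		name string
		re   *regexp.Regexp
	}{{"original", original}, {"(?i)", flagPrefix}, {"(?i:)", flagGroup}, {"intended", intended}}
	for _, s := range samples {
		for _, p := range patterns {
			fmt.Printf("%-9s ua=%-16q ip=%-13s blocked=%v\n", p.name, s[0], s[1], Blocked(p.re, s[0], s[1]))
		}
	}
}
```

Note the remote_ip half of the matcher: a public client reaching Caddy directly is never blocked by @blocked, only peers in private_ranges are. If cloudflared runs on the same host and connects to Caddy over loopback (an assumption about the tunnel setup), every tunnelled request arrives from a private address and the User-Agent allowlist is applied to all of them.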

Simply amazing that you guys always have a solution!

Thanks.

