• Resolved Ryder

    (@hyflex)


    Hi,

    Again, a bunch of my sites have run into issues with Cloudflare because they're being rate limited/blocked by Wordfence after Cloudflare added new IPs; as such, the sites would take 20+ seconds to load and there would be missing content because of 522 errors in the console.

    I requested this before but I never got a reply to my last reply and nothing was ever done to fix this for users.

    Cloudflare ran some tests and found:

    $ cache_ping_port 159.65.37.60 443
    162.158.63.94   Connection to 159.65.37.60 443 port [tcp/https] succeeded!
    162.158.63.95   nc: connect to 159.65.37.60 port 443 (tcp) timed out: Operation now in progress
    162.158.63.96   Connection to 159.65.37.60 443 port [tcp/https] succeeded!
    162.158.63.97   Connection to 159.65.37.60 443 port [tcp/https] succeeded!
    162.158.63.98   Connection to 159.65.37.60 443 port [tcp/https] succeeded!
    162.158.63.99   Connection to 159.65.37.60 443 port [tcp/https] succeeded!
    
    $ cache_ping_port 159.65.37.60 80
    162.158.63.94   Connection to 159.65.37.60 80 port [tcp/http] succeeded!
    162.158.63.95   nc: connect to 159.65.37.60 port 80 (tcp) timed out: Operation now in progress
    162.158.63.96   Connection to 159.65.37.60 80 port [tcp/http] succeeded!
    162.158.63.97   Connection to 159.65.37.60 80 port [tcp/http] succeeded!
    162.158.63.98   Connection to 159.65.37.60 80 port [tcp/http] succeeded!
    162.158.63.99   Connection to 159.65.37.60 80 port [tcp/http] succeeded!

    Cloudflare themselves recommend that users whitelist their servers if you use their services. It wouldn't be too hard for Wordfence to detect whether a website is using Cloudflare or not, either by looking at the domain's IP or nameservers, or even by looking for the Cloudflare plugin…

    Why on earth does Wordfence use a non-standard IP format when CIDR is by far the most common, and also the standard, when it comes to IP ranges? You should accept both formats, as in code it's not hard to convert CIDR into the non-standard IP format that Wordfence uses.

    Wordfence should either:

    1. Automatically whitelist Cloudflare IP ranges natively
    2. Add an option for Cloudflare as a whitelisted service.
    3. Add the ability to add links in the whitelists to both plain text pages and txt files, for example https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6, so that Wordfence periodically retrieves and whitelists the listed IP ranges.

    Thanks!

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support wfphil

    (@wfphil)

    Hi @hyflex

    I believe that the option you are looking for is in the General Wordfence Options section on the All Options page.

    In the subsection How does Wordfence get IPs select the option Use the Cloudflare “CF-Connecting-IP” HTTP header to get a visitor IP. Only use if you’re using Cloudflare and hit the SAVE CHANGES button.
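    One way to do both halves of what this thread asks for (convert the Cloudflare CIDR lists into hyphenated ranges, and honour CF-Connecting-IP only for connections that really come from Cloudflare), as an added Python example that is not code from Wordfence or Cloudflare. It assumes a "first - last" hyphenated range as the target format, uses constructed documentation prefixes instead of Cloudflare's live lists, and leaves the periodic HTTP fetch of https://www.cloudflare.com/ips-v4 and /ips-v6 to the caller; `parse_prefix_list`, `to_range_lines` and `client_ip` are names chosen here for illustration.

```python
"""Added example (not Wordfence's or Cloudflare's code).

1. Parse a Cloudflare-style one-CIDR-per-line list.
2. Convert each CIDR into an assumed "first - last" hyphenated range.
3. Resolve the real visitor IP from CF-Connecting-IP, but only when the
   TCP peer is inside one of the trusted (Cloudflare) ranges.
"""
import ipaddress

# Constructed sample text in the same shape as https://www.cloudflare.com/ips-v4
# and /ips-v6. These are documentation/TEST-NET prefixes, NOT Cloudflare's
# real edge ranges; in production, fetch the two URLs periodically instead.
SAMPLE_IPS_V4 = """\
198.51.100.0/24
203.0.113.0/26
192.0.2.8/30
"""
SAMPLE_IPS_V6 = """\
2001:db8:1::/48
2001:db8:2::/64
"""


def parse_prefix_list(text):
    """Parse one CIDR per line, skipping blanks and '#' comments.

    strict=True makes ip_network() raise ValueError on host bits set
    (e.g. 203.0.113.5/24), so a corrupted or truncated download is
    rejected instead of silently allowlisting the wrong block.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def cidr_to_range(net):
    """Render a network as 'first - last' (assumed hyphen-range format)."""
    return f"{net.network_address} - {net.broadcast_address}"


def to_range_lines(text):
    """Whole list -> list of 'first - last' strings, one per CIDR."""
    return [cidr_to_range(n) for n in parse_prefix_list(text)]


def client_ip(remote_addr, headers, trusted_nets):
    """Return the visitor IP to use for rate limiting and blocking.

    CF-Connecting-IP is a plain request header: anyone who reaches the origin
    directly can set it. So it is honoured only when the TCP peer
    (remote_addr) lies inside trusted_nets; otherwise, or if the header is
    missing/malformed, the peer address itself is returned.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in trusted_nets):
        return str(peer)
    lowered = {k.lower(): v for k, v in headers.items()}
    header = lowered.get("cf-connecting-ip", "").strip()
    if not header:
        return str(peer)
    try:
        return str(ipaddress.ip_address(header))
    except ValueError:
        # Malformed header from a trusted peer: fall back rather than crash.
        return str(peer)


if __name__ == "__main__":
    trusted = parse_prefix_list(SAMPLE_IPS_V4) + parse_prefix_list(SAMPLE_IPS_V6)
    for line in to_range_lines(SAMPLE_IPS_V4) + to_range_lines(SAMPLE_IPS_V6):
        print(line)
    # Peer inside a trusted range: header is honoured.
    print(client_ip("198.51.100.7", {"CF-Connecting-IP": "203.0.113.200"}, trusted))
    # Peer outside every trusted range: header is ignored (spoof attempt).
    print(client_ip("10.0.0.5", {"CF-Connecting-IP": "203.0.113.200"}, trusted))
```

    The peer check is the part that matters for security: with the "CF-Connecting-IP" option switched on but no check that the connection actually arrived from a Cloudflare edge, a client that can reach the origin directly can pick any source address it likes for Wordfence's rate limiter. The range strings are only useful if the target really accepts "first - last" input; confirm the exact accepted syntax before feeding them in.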

    Plugin Support wfphil

    (@wfphil)

    Hi @hyflex,

    Since I haven’t heard back from you I am assuming that the instructions solved your issue so I am marking this topic as resolved.

    If however, for whatever reason, you are still experiencing this issue and it is not resolved please respond to the post, which moves it back up the queue, and mark this topic as “not resolved”.

    Thank you.

    Thread Starter Ryder

    (@hyflex)

    Hi,

    That’s irrelevant to my issue, sorry for late reply.

    Plugin Support wfphil

    (@wfphil)

    Hi @hyflex

    In that case I don’t understand at all the problem that you are having.

    Wordfence Rate Limiting is carried out based on the number of requests being made per minute. Therefore if Wordfence is incorrectly detecting visiting client IP addresses as Cloudflare IP addresses then all visitors will be quickly rate limited. Hence my last reply which would fix this.

    Please note that a 522 response status code is a Cloudflare response status code, and that is an issue with Cloudflare and not Wordfence. A 522 error occurs because Cloudflare could not make a TCP connection to your origin server before the attempts timed out. This means that Cloudflare was unable to send the HTTP request to the origin because a network connection to the origin server could not be established.

  • The topic ‘Automatic Whitelisting of Cloudflare IP’s’ is closed to new replies.