Blocked by Cloudflare when using proxy tracking with Azure App Services

So I'm trying to set up proxy tracking in an Azure App Services. I believe I have the right rule set up:










I enabled ARR in Azure. (see https://edi.wang/post/2020/11/2/how-to-enable-application-request-routing-on-azure-app-service or https://tomssl.com/create-your-own-free-reverse-proxy-with-azure-web-apps/)

The proxy seems to work but I get this Cloudflare error:

Sorry, you have been blocked
You are unable to access getclicky.com
Why have I been blocked?
This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data.

What can I do to resolve this?
You can email the site owner to let them know you were blocked. Please include what you were doing when this page came up and the Cloudflare Ray ID found at the bottom of this page.

Cloudflare Ray ID: 84e4f8d06f2d4755



Any suggestions?

Thanks!

Whoops, my redirect rule disappeared because of the XML tags. Let's try this:

<rule name="HTTPS - Kangaroo JS Proxy" stopProcessing="true">
<match url="^kangaroo\.js$" />
<action type="Rewrite" url="https://static.getclicky.com/js?in=/kangaroo" />
</rule>
<rule name="HTTPS - Kangaroo Proxy" stopProcessing="true">
<match url="^kangaroo$" />
<action type="Rewrite" url="https://in.getclicky.com/in.php" />
</rule>

PS -- I played around with some settings in the App Service/IIS applicationHost.xdt file where you have to enable ARR.

Using preserveHostHeader=false and reverseRewriteHostInResponseHeaders=false, I get the error I described above. If I set both to true I get a 403 Forbidden error.

Here's a full example of the applicationHost.xdt file:



<?xml version="1.0" encoding="UTF-8"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.webServer>
<proxy xdt:Transform="InsertIfMissing" enabled="true"
preserveHostHeader="true"
reverseRewriteHostInResponseHeaders="true"
/>
</system.webServer>
</configuration>

Hi, I searched for that ray ID in our CF event log but found no results.

I'm not familiar with Azure but the correct "host" header definitely needs to be sent with a request. preserveHostHeader should *probably* be false, because otherwise I would expect it to forward along your hostname, not ours, with the request. I'm not sure what reverseRewriteHostInResponseHeaders does though.

I would try to get a simple reverse proxy working with an external (non-Azure) site that's NOT behind Cloudflare, just to make sure that the configuration is all correct. Then we can try to figure why it's breaking when it goes through CF, once we know everything else is good.

Thanks for the reply!

This reverse proxy DOES work fine to a simple site that isn't behind Cloudflare.

Here's a Ray ID that I just got: 84eceac3d8f808c8

Okay good. And that ray does show up in our logs, and it's being blocked because there's an 'x-original-url' header being sent, which apparently some badly designed php apps use to redirect to a new url which can be exploited somehow. I'm disabling this rule now as it doesn't apply to us, so let me know if it starts working now.

Here are a few relevant articles I found:

https://www.acunetix.com/vulnerabilities/web/url-rewrite-vulnerability/

https://security.stackexchange.com/questions/229928/x-original-url-and-x-rewrite-url-related-vulnerabilities

That did the trick -- it works now! Thank you so much for this great feature and your assistance!

Great! Thanks for confirming.