Blocked by Cloudflare when using proxy tracking with Azure App Services
So I'm trying to set up proxy tracking in an Azure App Service. I believe I have the right rule set up:
I enabled ARR in Azure. (see https://edi.wang/post/2020/11/2/how-to-enable-application-request-routing-on-azure-app-service or https://tomssl.com/create-your-own-free-reverse-proxy-with-azure-web-apps/)
The proxy seems to work but I get this Cloudflare error:
Sorry, you have been blocked
You are unable to access getclicky.com
Why have I been blocked?
This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data.
What can I do to resolve this?
You can email the site owner to let them know you were blocked. Please include what you were doing when this page came up and the Cloudflare Ray ID found at the bottom of this page.
Cloudflare Ray ID: 84e4f8d06f2d4755
Any suggestions?
Thanks!
Posted Wed Jan 31 2024 1:22p by tspzettlem***
Whoops, my redirect rule disappeared because of the XML tags. Let's try this:
		<rule name="HTTPS - Kangaroo JS Proxy" stopProcessing="true">
			<match url="^kangaroo\.js$" />
			<action type="Rewrite" url="https://static.getclicky.com/js?in=/kangaroo" />
		</rule>
		<rule name="HTTPS - Kangaroo Proxy" stopProcessing="true">
			<match url="^kangaroo$" />
			<action type="Rewrite" url="https://in.getclicky.com/in.php" />
		</rule>
Posted Wed Jan 31 2024 1:23p by tspzettlem***
PS -- I played around with some settings in the App Service/IIS applicationHost.xdt file where you have to enable ARR.
Using preserveHostHeader=false and reverseRewriteHostInResponseHeaders=false, I get the error I described above. If I set both to true I get a 403 Forbidden error.
Here's a full example of the applicationHost.xdt file:
<?xml version="1.0" encoding="UTF-8"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
	<system.webServer>
		<proxy xdt:Transform="InsertIfMissing" enabled="true"
			preserveHostHeader="true"
			reverseRewriteHostInResponseHeaders="true"
		/>
	</system.webServer>
</configuration>
Posted Wed Jan 31 2024 1:52p by tspzettlem***
Hi, I searched for that ray ID in our CF event log but found no results.
I'm not familiar with Azure but the correct "host" header definitely needs to be sent with a request. preserveHostHeader should *probably* be false, because otherwise I would expect it to forward along your hostname, not ours, with the request. I'm not sure what reverseRewriteHostInResponseHeaders does though.
I would try to get a simple reverse proxy working with an external (non-Azure) site that's NOT behind Cloudflare, just to make sure that the configuration is all correct. Then we can try to figure out why it's breaking when it goes through CF, once we know everything else is good.
Posted Thu Feb 1 2024 12:27a by Your Friendly Clicky Admin
Thanks for the reply!
This reverse proxy DOES work fine to a simple site that isn't behind Cloudflare.
Here's a Ray ID that I just got: 84eceac3d8f808c8
Posted Thu Feb 1 2024 12:30p by tspzettlem***
Okay good. And that ray does show up in our logs, and it's being blocked because there's an 'x-original-url' header being sent, which apparently some badly designed PHP apps use to redirect to a new URL which can be exploited somehow. I'm disabling this rule now as it doesn't apply to us, so let me know if it starts working now.
Here are a few relevant articles I found:
https://www.acunetix.com/vulnerabilities/web/url-rewrite-vulnerability/
https://security.stackexchange.com/questions/229928/x-original-url-and-x-rewrite-url-related-vulnerabilities
Posted Thu Feb 1 2024 10:55p by Your Friendly Clicky Admin
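Added example, not part of the original thread and not Clicky's or Cloudflare's code: the post above says the block came from a rule on the 'x-original-url' header, so this sketch shows the origin-side equivalent of that rule, a WSGI middleware that drops X-Original-URL and X-Rewrite-URL unless the connection comes from a known reverse proxy. The proxy address range, the demo app and the helper names are assumptions constructed for illustration.

```python
import ipaddress

# Headers some applications consult to learn the "real" request path.
OVERRIDE_HEADERS = ("HTTP_X_ORIGINAL_URL", "HTTP_X_REWRITE_URL")

# Assumption: constructed address range for the one reverse proxy allowed to set them.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def from_trusted_proxy(environ):
    """True only if the TCP peer (not a client-supplied header) is a known proxy."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)


class StripOverrideHeaders:
    """WSGI middleware: remove override headers unless a trusted proxy sent them."""

    def __init__(self, app):
        self.app = app
        self.dropped = []  # (peer, header, value) tuples, kept for logging/alerting

    def __call__(self, environ, start_response):
        if not from_trusted_proxy(environ):
            for key in OVERRIDE_HEADERS:
                if key in environ:
                    self.dropped.append((environ.get("REMOTE_ADDR"), key, environ.pop(key)))
        return self.app(environ, start_response)


def routed_path(environ):
    """Stand-in for an app that prefers the override header over PATH_INFO."""
    return environ.get("HTTP_X_ORIGINAL_URL") or environ.get("PATH_INFO", "/")


def demo_app(environ, start_response):
    body = routed_path(environ).encode()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def call(app, path, peer, headers=None):
    """Drive a WSGI app with a constructed request and return the response body."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "REMOTE_ADDR": peer}
    environ.update(headers or {})
    return b"".join(app(environ, lambda status, hdrs: None)).decode()
```

Entries in `dropped` are the origin-side counterpart of the blocked Ray IDs in this thread: a legitimate proxy such as ARR shows up there until its address is added to the trusted range.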
That did the trick -- it works now! Thank you so much for this great feature and your assistance!
Posted Fri Feb 2 2024 9:55a by tspzettlem***
Great! Thanks for confirming.
Posted Fri Feb 2 2024 10:18a by Your Friendly Clicky Admin