How to enable WAF bypass protection.

1. Setup Htaccess

  1. Grab the applicable .htaccess file for Sucuri/Cloudflare WAF for your Webserver. Please note: for Litespeed Enterprise it works with standard Apache .htacces directives so use Apache version.

    Sucuri: https://gitlab.com/mikeramsey/apache-htaccess-rules/tree/master/Sucuri
    Cloudflare: https://gitlab.com/mikeramsey/apache-htaccess-rules/tree/master/Cloudflare
  2. If you have not already done so I recommend backing up your current .htaccess before proceeding. This will allow you to revert the changes if needed due to an error.
  3. Place the content of the .htaccess file into the top of your current .htaccess file in the document root for the website.

2. Whitelist WAF IP’s in Server firewall and AntiDDos Settings.

  1. Get IPS to whitelist and ignore the Sucuri/Cloudflare IP’s in your firewall.
    You can get the Sucuri or Cloudflare current IP’s from the below links.

2. Whitelist IP in CSF Firewall this can be done in the main allow file and ignore file.
/etc/csf/csf.allow
/etc/csf/csf.ignore

  • You can also set up a custom allow file and include its path in the main one “/etc/csf/csf.allow” and the ignore file “/etc/csf/csf.ignore” files like the below.
    Include /etc/csf/cloudflare.allow
    or
    Include /etc/csf/sucuri.allow
  • To add this include for CF:
    echo 'Include /etc/csf/cloudflare.allow' >> /etc/csf/csf.allow
    echo 'Include /etc/csf/cloudflare.allow' >> /etc/csf/csf.ignore
  • To easily generate the /etc/csf/cloudflare.allow with the current IP’s the below commands will add both IPv4/IPV6 IPs.
    curl -s https://www.cloudflare.com/{ips-v4,ips-v6}|sort| tee /etc/csf/cloudflare.allow
  • To add this include for Sucuri:
    echo 'Include /etc/csf/sucuri.allow' >> /etc/csf/csf.allow
    echo 'Include /etc/csf/sucuri.allow' >> /etc/csf/csf.ignore
  • To easily grab the Sucuri IPs from the command line the below curl with regex will parse the unique IPv4/IPv6 cidr ranges to /etc/csf/sucuri.allow
    curl -s https://docs.sucuri.net/website-firewall/troubleshooting/bypassing-the-waf-for-testing/ |grep -E -o "((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$)|(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|(s((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$)"| grep -v '208.104.52.26' | tee /etc/csf/sucuri.allow
  • You can then restart CSF firewall completely like the below.
    csf -ra

To fetch these IP’s and update automatically you can something like this in a cron:

Cloudflare:
CSF_BIN=$(which csf); curl -s https://www.cloudflare.com/{ips-v4,ips-v6}|sort| tee /etc/csf/cloudflare.allow; $CSF_BIN -ra;
Cron script: https://gitlab.com/mikeramsey/apache-htaccess-rules/blob/master/Cloudflare/csf_cf_allow.sh

Sucuri: Cron Script
https://gitlab.com/mikeramsey/apache-htaccess-rules/blob/master/Sucuri/csf_sucuri_allow.sh

Special Notes for Openlitespeed/Litespeed users.

The setting for “Use Client IP in Header” in the OLS/LS Web Admin panel Server Configuration > General should be set to NO or unset. If this is enabled it will cause a 403 Forbidden for all requests as it will be using the client’s real IP vs the CF/Sucuri IP which is whitelisted.

Use Client IP in Header
Specifies whether to use the IP address listed in the “X-Forwarded-For” HTTP request header for all IP address-related features, including connection/bandwidth throttling, access control, and IP geolocation
.

This feature is useful if your web server is behind a load balancer or a proxy server. If you select “Trusted IP Only”, then X-Forwarded-For IP will be used only when the request is coming from trusted IPs defined in the server-level “Allowed List”.

“Keep Header from Trusted IP” is the same as “Trusted IP Only”, but the X-Forwarded-For header used for the backend will not be modified to include the connecting peer address.”

The Sucuri/Cloudflare WAF IPs should be set to trusted so they are not blocked/rate limited by the OLS/LS AntiDDos Settings.

Openlitespeed/Litespeed Web Admin Security Access Control Trusted IP’s and Access Control

References:
https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:config:show-real-ip-behind-cloudflare
https://docs.sucuri.net/website-firewall/troubleshooting/same-ip-for-all-users/#litespeed
https://docs.sucuri.net/website-firewall/troubleshooting/bypassing-the-waf-for-testing/

Sucuri IP’s
ALL, 192.88.134.0/23T, 185.93.228.0/22T, 66.248.200.0/22T, 208.109.0.0/22T, 2a02:fe80::/29T

Cloudflare IP’s
ALL, 173.245.48.0/20T, 103.21.244.0/22T, 103.22.200.0/22T, 103.31.4.0/22T, 141.101.64.0/18T, 108.162.192.0/18T, 190.93.240.0/20T, 188.114.96.0/20T, 197.234.240.0/22T, 198.41.128.0/17T, 162.158.0.0/15T, 104.16.0.0/12T, 172.64.0.0/13T, 131.0.72.0/22

Combined:
ALL, 173.245.48.0/20T, 103.21.244.0/22T, 103.22.200.0/22T, 103.31.4.0/22T, 141.101.64.0/18T, 108.162.192.0/18T, 190.93.240.0/20T, 188.114.96.0/20T, 197.234.240.0/22T, 198.41.128.0/17T, 162.158.0.0/15T, 104.16.0.0/12T, 172.64.0.0/13T, 131.0.72.0/22, 192.88.134.0/23T, 185.93.228.0/22T, 66.248.200.0/22T, 208.109.0.0/22T, 2a02:fe80::/29T

If you have all lots of sites on the same server and they all use Cloudflare/Sucuri you could set Global/Vhost level Acess Control to Allow only the trusted IP’s to access the server in OLS/LS Web Admin. This would allow you to set it up once for all sites on the server. Please note this may break any proxy subdomains that do not work behind the WAF for Control Panel’s unless custom rules are setup.

This would be done in the menu:
Server Configuration > Security >Access Control

Allowed List
173.245.48.0/20T, 103.21.244.0/22T, 103.22.200.0/22T, 103.31.4.0/22T, 141.101.64.0/18T, 108.162.192.0/18T, 190.93.240.0/20T, 188.114.96.0/20T, 197.234.240.0/22T, 198.41.128.0/17T, 162.158.0.0/15T, 104.16.0.0/12T, 172.64.0.0/13T, 131.0.72.0/22, 192.88.134.0/23T, 185.93.228.0/22T, 66.248.200.0/22T, 208.109.0.0/22T, 2a02:fe80::/29T

Denied List
ALL,

This will by default deny all hosts and only allow the Sucuri/Cloudflare WAF IPS in the “Allowed List”.

Once again if doing this please ensure you whitelist any VPN/Static IP’s also used for Management of the control panel and ensure that the option “Use Client IP in Header” is set to “no” so your not locked out.

3. Test bypass protection

Sucuri Has a nice guide about how to do this.
https://docs.sucuri.net/website-firewall/troubleshooting/bypassing-the-waf-for-testing/

1. Update hosts file.
Linux/MacOS
/etc/hosts
Windows
c:\windows\system32\drivers\etc

Format: domain.tld www.domain.tld
1.2.3.4 example.com www.example.com

When done testing comment it out.
# domain.tld www.domain.tld

2. Flush DNS after updating (Windows only).
ipconfig /flushdns

3. Visit Site directly bypassing the WAF If all is working you should see a 403 Forbidden or whatever custom error you setup for the bypass proxy protection rewrite.

I hope you found this guide helpful and informative. If your looking for quality hosting definitely check us out.

Attempting to Bypass WAF via hosts file
With Cloudflare enabled and going through Cloudflare

linuxSecurity

Leave a Reply