Sucuri website firewall – cloudproxy – access denied


Sucuri Firewall Troubleshooting Guide

If you’re having trouble with our Website Application Firewall (WAF), don’t worry. It is optimized for all types of websites, including those on a CMS or built with custom code. Please continue with the steps below and if you are still having problems, please do not hesitate to contact us.

Step 1: Is WAF enabled?

It may sound strange, but we receive firewall support requests only to find that the WAF is not enabled. This is easy to confirm without going to Sucuri’s control panel by using a tool like ViewDNS. Make sure the IP addresses are in the 192.124.249.x range, and be sure to check the www version of the website as well. However, if you are not using Sucuri’s nameservers, verify that the IP address matches the IP address listed for this firewall in your Sucuri account.

Step 2: Is your Sucuri SSL configured?

Your Sucuri SSL must be configured in one of two ways:

Via Sucuri/GoDaddy: This is an automated process. The system automatically generates an SSL for you. However, this process occurs after the DNS change, which causes a brief interruption in functionality on the website (usually around 15 minutes) because GoDaddy needs this time to generate and validate the certificate.

It is not possible to use GoDaddy SSL without experiencing downtime during initial setup via this method. This is because the SSL generation and verification is not immediate and cannot be completed until the DNS has been pointed to the Sucuri firewall without additional steps.

Propagation time can cause these results to fluctuate depending on server and DNS caching/propagation. After a few hours, SSL will automatically be fully functional on the domain.

Uploading a custom SSL certificate is the only way to avoid this downtime window. This means that you will have to manually renew the SSL certificate in the future, whereas we can take care of that for you without the risk of downtime if you use ours.

Via upload: This is the easiest approach if you already have an SSL certificate. Simply upload the SSL certificate to our system before the DNS change here. In this way, once the DNS change is activated, the browser will also see the certificate it has on the host server, thus avoiding all kinds of problems.

Step 3: Are you getting any errors?

Our WAF will rarely fail, but checking the error you see is usually quick and easy. Look below to find the errors you see, then try the steps suggested below.

404 errors This means that the whole site could be affected. Make sure the correct host IP/cname is configured as the source. If the 404 you see is branded Sucuri, make sure your DNS A records point to the correct Sucuri WAF IP.

Also check if a single page or single element is affected. If so, replace the missing resource or remove the reference to it from the site code. 404 errors can appear as broken pages caused by missing elements like CSS without any other errors. You can identify missing resources and their reference with a tool like WebPageTest (look under the waterfall tab).

302 Errors Redirect loops are usually identified by a browser error. Although the WAF is not the cause, it could be caching a loop from the host. Switching to site caching can help. If you have an HTTP-only site configured in your SSL tab, this might conflict with our 301 redirect, so try disabling it. If you’re redirecting your http address to https, it’s best to just use the HTTP site, if possible.

401 Errors These are messages from the host indicating that you must log in to view this resource. You usually see them when you access a page for which you would normally need to be logged in.

500 and 501 errors These are usually accompanied by an internal message from the server. They will always come from the hosting server and are usually related to misconfiguration. Checking the host error logs should provide a cause.

502 Errors These will be Sucuri branded and are usually caused by a firewall on the hosting server blocking WAF IP addresses. See our IP address ranges:

192.88.134.0/23
185.93.228.0/22
66.248.200.0/22
2a02:fe80::/29
208.109.0.0/22

These must be whitelisted by the host and are not subject to any rate limitation. If you still can’t find the cause, please open a support ticket to request error logs from Sucuri so you can check the host error logs to find the cause.

503 errors These are caused by resource problems, configuration errors or database errors. Check the host’s access and error logs to find a cause. Also note that this could also be due to an abnormal download, either legitimate (which the access logs would confirm) or due to a DDoS attack, in which case you should contact Sucuri immediately.

504 Errors Similar to the 502 errors above, these will be branded as Sucuri. And like 502 errors, these can be caused by a firewall on the hosting server blocking WAF IP addresses. Make sure our IP ranges are whitelisted, similar to 502 errors. However, most often 504s are caused by the host not responding to a request within 180 seconds. If you can’t find the cause, get the error logs from Sucuri and check them with the host error logs to find the cause. Find more helpful tips on troubleshooting response timeout errors here.

Step 4: Are you getting any blockages?

Blocked messages are flagged and display content. Find the block ID here. If you need help troubleshooting and resolving these issues, it’s important to provide our team with the full text content of the message (select all, copy and paste). It’s also helpful to know the background of the issues, such as the people involved, their IP addresses (which can be found here), and how to reproduce the issue. If there is no blocking message, a screenshot and the IP address can be provided instead.

Step 5: Are you having caching issues?

These issues are fairly tricky to identify. It’s when content looks like it should’ve updated, or it’s wrong for the device/browser you’re using to view it. For example, it could be you’re seeing public content when you’re really logged in to a private account. It’s best to bring these to Sucuri’s attention by creating a ticket and providing as much detail as possible, including the page where you see the issue. We can also cache some bad behavior from the website code on the host. These could include a 302 redirect loop or even a 404 error. The cache can be cleared using one of the methods described below.

5.1 Clearing the Sucuri Firewall Cache

There are a few ways you can clear the Sucuri Firewall cache:

Dashboard Cache Options To clear all page and file cache at once, go to Performance, and from Clear Cache – Global, click Clear Cache.

To clear the cache for individual pages or files, go to Performance, and from Clear Cache – Per File, enter the file URL you wish to clear, and then click Clear Cache.


API Cache Options If you’d like a faster way to clear your site cache, you can also use the Website Firewall API. Log into the Website Firewall dashboard, go to API, and then click API Details. There you will see a Clear Cache (Website Firewall API v1) button. Click it, and you will clear the cache using the Website Firewall API.

You can bookmark the page so that any time you want to clear the cache you simply have to visit the bookmarked page.

Each site has its own unique API key. If you require a large list of clear-cache APIs for your domain inventory, notify your account rep, who can retrieve that list for you.

5.2 About Caching Modes

We operate our own Global CDN so there is some level of caching being performed on your websites. Let’s review the current cache options available to you. You can see them all under Performance > Caching Level in Sucuri Firewall’s settings, also found here:


Here is what each option means:

Enabled (recommended) – Enabled (selected by default) will cache your pages and redirects for 180 minutes and 404 for 4 minutes. This is the best option when it comes to site performance, but the sessions may also get cached if you have login capabilities on the site. Cached sessions would be the reason Customer B logs into their account only to see the account information of Customer A, who logged in first.

Minimal caching (only for a few minutes) – Minimal will cache your pages for 8 minutes, redirects for 15 minutes, and 404 for 2 minutes. This is the best option when you need to make constant updates to your site, such as newspapers or blogs.

Site caching (using your site headers) – Site Caching won’t cache page content for logged-in users. It caches redirects for 3 hours and 404s for 4 minutes. This is the best option if you run a custom CMS, a forum like vBulletin, or an ecommerce store. Cache headers sent by your application/server will be respected, so if your application doesn’t send the “no-cache” headers it may cache your page content.

Disabled (use with caution) – Disabled won’t cache page content for logged-in users. It caches redirects for 10 minutes and 404s for 1 minute, but note that it can slow down your site. Cache headers sent by your application will be respected, so if your application doesn’t send the “no-cache” headers it may cache your page content.

Important Note: Regardless of the caching level you choose, the Sucuri Firewall will continue to cache static files such as images, .swf, .css, .js, .pdf, .txt, .mp3, .mp4 and fonts. If your web server instructs otherwise, for example with “Cache-Control: public, max-age=XXX”, the Firewall will follow the instruction and cache for XXX seconds.
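The Site caching and Disabled levels above depend on the headers your application sends. The following is an added example, not part of the original guide and not Sucuri's own logic: it applies generic HTTP shared-cache semantics (an assumption) to flag per-user responses that a header-respecting cache could store, which is the Customer A / Customer B scenario described under Enabled. The function names and sample headers are constructed for illustration.

```python
def parse_cache_control(value):
    """Parse a Cache-Control header into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives


def shared_lifetime(cc):
    """Seconds a shared cache may reuse the response, or None if unstated."""
    for name in ("s-maxage", "max-age"):  # s-maxage wins for shared caches
        if cc.get(name) is not None:
            try:
                return max(int(cc[name]), 0)
            except ValueError:
                return 0  # malformed age: treat as already stale
    return None


def audit_response(headers, authenticated=False):
    """Classify one origin response as (verdict, reason).

    headers: dict of response headers from the origin.
    authenticated: True when the request carried a logged-in session.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    personal = authenticated or "set-cookie" in h
    if {"no-store", "private", "no-cache"} & cc.keys():
        return "protected", "origin forbids reuse from a shared cache"
    lifetime = shared_lifetime(cc)
    if lifetime == 0:
        return "protected", "zero freshness lifetime"
    if personal:
        why = ("no Cache-Control restriction" if lifetime is None
               else f"reusable for {lifetime}s")
        return "leak-risk", f"per-user response, {why}"
    return "cacheable", "anonymous content"


# Constructed sample responses (not captured from a real site).
SAMPLES = [
    ("/account", True, {"Set-Cookie": "session=abc123; HttpOnly"}),
    ("/account", True, {"Cache-Control": "private, no-cache, no-store"}),
    ("/blog/post", False, {"Cache-Control": "public, max-age=600"}),
]

if __name__ == "__main__":
    for path, logged_in, headers in SAMPLES:
        print(path, audit_response(headers, authenticated=logged_in))
```

Run it against the headers of every page that renders account data; any "leak-risk" verdict means the application should send a restrictive Cache-Control header on that route.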

Step 6: Is there just a blank screen?

Whitelisted IPs are not blocked by the IDS unless something very bad is being caused by the user on the host, such as too many 50x errors.

These IDS blocks last 20 minutes. If they return or persist, get your IP address here so we can confirm the cause and address the underlying issue.

There are two possibilities here:

  1. Our IDS (Intrusion Detection System) is blocking you. You or someone sharing your IP address have triggered the IDS with too many prohibited actions, such as multiple 30x, 40x or 50x in a short period of time, or 20 failed login attempts in a few minutes. Normally, the browser would’ve seen these previous errors and ignored them.

  2. Another cause of white screens is what is often known as the “white screen of death.” These are 500 internal server errors, and the host’s error logs can usually confirm the cause. These can be identified using developer tools such as Chrome Inspector.

Step 7: Are attackers able to bypass the WAF?

The best way to prevent hackers from bypassing our Firewall is by limiting their direct access to your origin server. To do this, add restrictions to your .htaccess file so that only our Firewall’s IP will be able to access your web server.

However, before you do this, make sure your DNS changes are fully propagated, as you may block valid visitors whose DNS has old information. Four hours is usually enough.

Check the correct server for your hosting setup and add the code for Apache in your .htaccess file. For Nginx, you will need to add it to your Nginx configuration file.

Apache Server 2.4

<FilesMatch ".*">
    Require ip 192.88.134.0/23
    Require ip 185.93.228.0/22
    Require ip 2a02:fe80::/29
    Require ip 66.248.200.0/22
</FilesMatch>

Apache Server 2.2

<FilesMatch ".*">
    Order deny,allow
    Deny from all
    Allow from 192.88.134.0/23
    Allow from 185.93.228.0/22
    Allow from 2a02:fe80::/29
    Allow from 66.248.200.0/22
</FilesMatch>

Nginx

location / {
    allow 192.88.134.0/23;
    allow 185.93.228.0/22;
    allow 2a02:fe80::/29;
    allow 66.248.200.0/22;
    deny all;
    # Existing NGINX rules
}
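An added example, not part of the original guide: a Python check that compares an origin allow-list (Apache 2.4, Apache 2.2 or Nginx syntax) with the WAF ranges listed under “502 Errors” above. It reports WAF ranges the origin would reject and allowed networks outside the WAF list; the names `parse_allowed`, `covers`, `audit` and `own_ips` are chosen for this sketch.

```python
import ipaddress
import re

# WAF ranges exactly as listed under "502 Errors" in this guide.
WAF_RANGES = ["192.88.134.0/23", "185.93.228.0/22", "66.248.200.0/22",
              "2a02:fe80::/29", "208.109.0.0/22"]

# Apache 2.4 "Require ip", Apache 2.2 "Allow from", Nginx "allow ...;".
RULE = re.compile(r"^\s*(?:require\s+ip|allow\s+from|allow)\s+(.+?)\s*;?\s*$", re.I)
EVERYONE = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]


def parse_allowed(config_text):
    """Return every network admitted by the snippet's allow rules."""
    nets = []
    for line in config_text.splitlines():
        match = RULE.match(line.split("#", 1)[0])  # drop trailing comments
        for token in match.group(1).split() if match else []:
            if token.lower() == "all":  # "Allow from all" / "allow all;"
                nets += EVERYONE
                continue
            try:
                nets.append(ipaddress.ip_network(token, strict=False))
            except ValueError:
                pass  # hostname or placeholder text, not an address
    return nets


def covers(outer, inner):
    """True when inner lies entirely inside outer (same IP version)."""
    return outer.version == inner.version and inner.subnet_of(outer)


def audit(config_text, own_ips=()):
    """missing: WAF ranges the origin would reject.
    extra: allowed networks outside the WAF ranges and own_ips, which can
    still reach the origin without passing through the WAF."""
    allowed = parse_allowed(config_text)
    expected = [ipaddress.ip_network(r) for r in WAF_RANGES]
    trusted = expected + [ipaddress.ip_network(i) for i in own_ips]
    missing = [str(e) for e in expected if not any(covers(a, e) for a in allowed)]
    extra = [str(a) for a in allowed if not any(covers(t, a) for t in trusted)]
    return {"missing": missing, "extra": extra}


# The Apache 2.4 allow-list from this step, as given in the guide.
APACHE_24 = """
<FilesMatch ".*">
    Require ip 192.88.134.0/23
    Require ip 185.93.228.0/22
    Require ip 2a02:fe80::/29
    Require ip 66.248.200.0/22
</FilesMatch>
"""

if __name__ == "__main__":
    print(audit(APACHE_24))
```

Against the Apache 2.4 block as given in this step, the check reports 208.109.0.0/22 as missing relative to the range list under “502 Errors”; pass your own address in `own_ips` when you have added it for testing as described in 7.2.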

7.1 Bypassing the WAF for testing with the Hosts file

First, you need to find and copy your hosting IP address by going to the WAF Dashboard Hosting IP Address page here.


The next steps depend on your operating system, but we cover them all here.

7.2 Handling 403 errors when bypassing

If you have implemented Firewall Bypass Prevention, you need to add your own IP to the FilesMatch directive:

<FilesMatch ".*">
    Order deny,allow
    Deny from all
    Allow from 192.88.134.0/23
    Allow from 185.93.228.0/22
    Allow from 66.248.200.0/22
    Allow from 208.109.0.0/22
    Allow from 2a02:fe80::/29
    Allow from INSERT YOUR IP HERE
</FilesMatch>

If you are still having issues or have questions, please open a support ticket if you haven’t already. So come chat with our team at https://sucuri.net/live-chat/ and we’ll be happy to take a look.


Updated on December 16, 2019


Access Denied – Sucuri Website Firewall Error: How Do We Solve?

by Ansu Anto | December 21, 2019

Are you trying to resolve the “Access Denied – Sucuri Website Firewall” website error? We can help.

Sucuri Firewall is a cloud-based web application firewall. It instantly blocks any hacking attempt or attack on the website.

At Bobcares, we often receive requests from our customers to fix this error as part of our Server Management Services.

Today, let’s see how our Support Engineers fix this error.

Why does the “Access Denied – Sucuri Website Firewall” error occur?

Sucuri Firewall is one of the best web application firewalls. It also works well for securing WordPress websites on the server.

In addition, it protects the website from external attacks, keeping it safe.

However, if the website unknowingly blocks Sucuri’s IP addresses, access denied errors will appear on the website.

For example, the error message appears as shown below.

Access Denied Sucuri WordPress Website Firewall

How do we fix the Sucuri error easily?

At Bobcares, where we have more than a decade of experience in managing servers, we see many customers facing problems with Sucuri.

Now, let’s see how our Support Engineers fix this error.

Recently, one of our customers approached us with the ‘Access Denied – Sucuri Website Firewall’ error. He received this error when accessing his website.

After checking, we found that the user had a Sucuri firewall configured on his WordPress. And it was blocking his own IP address. Hence, it was showing an access denied error on the website.

Therefore, we whitelist the Sucuri IP addresses by adding them to the .htaccess file.

Here is the code we use in the .htaccess file.

<FilesMatch ".*">
    Order deny,allow
    Deny from all
    Allow from 192.88.134.0/23
    Allow from 185.93.228.0/22
    Allow from 66.248.200.0/22
    Allow from 208.109.0.0/22
    Allow from 2a02:fe80::/29
</FilesMatch>

 

Whitelist with IPtables

Additionally, we also whitelist IP addresses on the server based on the firewall used. If we use IPTables, we will whitelist the Sucuri IP addresses in the IPTables firewall.

For example, we help to whitelist the IP address range in IPTables as follows.

Initially, we connect to the server via SSH.

Thereafter, we allow incoming connections from 192.88.134.0/23:

iptables -A INPUT -i eth1 -s 192.88.134.0/23 -j ACCEPT

Then we allow outgoing connections to 192.88.134.0/23:

iptables -A OUTPUT -o eth1 -d 192.88.134.0/23 -j ACCEPT

This whitelists the IP address range, and the Sucuri error is fixed.


Conclusion

In short, the website shows the “Access Denied – Sucuri Website Firewall” message when Sucuri’s IP addresses are blocked on the server. Today, we saw how our Support Engineers fixed this error by whitelisting the Sucuri IP addresses.


6 comments

  1. dymond C

    dymond C on 04/14/2021 at 11:42

    I work for 211 and I need to access their site, I had it before, I don’t know why I don’t now.


    • Arya MA

      Arya MA on 2021-04-22 at 11:03

      Hello,

      Can you please confirm if your IPs are whitelisted on the server side? If you are still having problems, we will be happy to talk to you on the chat (click on the icon at the bottom right).


  2. angelina matthew

    Angelina Mateo on 10/15/2021 at 7:50 p.m.

    I want to unblock webex can you help me please


    • Maheen Aboobakkar

      Maheen Aboobakkar on 07/14/2022 at 12:56

      We will be happy to talk to you on the chat (click on the icon at the bottom right).


  3. Deepak

    Deepak on 02/14/2022 at 10:12

    in order to activate my Elementor pro account its display error (forbidden). I don’t know why this issue is showing up for me


    • Hiba Razak

      Hiba Razak on 07/13/2022 at 11:10

      Please contact our support team via live chat
