mod_security Atomicorp rules blocking CloudFlare

So I had a customer reach out to me tonight and let me know that they were getting a server offline message from CloudFlare when visiting their site. Immediately, I panicked, fearing the web server might be down. Upon investigation, I found that the web server was up and humming along happily.

I went to the site and found that I was able to access it. Strange. So, I had them test again – same result. As it turns out, the site was being blocked only for visitors in the Seattle, Washington / Portland, Oregon area.

I checked the usual suspects such as fail2ban and apache/nginx but found nothing there (but whitelisted the CloudFlare IPs for good measure). Scratching my head, I remembered that I have third-party WAF rules for mod_security. It is typical to see a lot of blocked IPs in the logs, so I grepped the site's apache error_log for the CloudFlare IP addresses and there it was.

I excluded this particular signature ID (not the whole rule) and that did the trick. Lesson learned.
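The log search described above can be scripted so it reports which signature IDs are denying CloudFlare edge addresses. This is an added example, not code from the original post; it assumes the ModSecurity 2.x Apache error_log layout, uses only a subset of CloudFlare's published IPv4 ranges, and runs on constructed sample lines with placeholder rule ids.

```python
import ipaddress
import re
from collections import Counter

# Subset of Cloudflare's published IPv4 ranges (assumption: refresh the list
# from https://www.cloudflare.com/ips/ before relying on it).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "104.16.0.0/13", "108.162.192.0/18", "141.101.64.0/18",
    "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "198.41.128.0/17",
)]

# Apache 2.2 logs [client IP]; Apache 2.4 logs [client IP:port]. IPv4 only.
CLIENT_RE = re.compile(r"\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]")
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')

def is_cloudflare(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # e.g. an octet above 255 in a damaged log line
        return False
    return any(addr in net for net in CLOUDFLARE_NETS)

def cloudflare_denials(lines):
    """Count ModSecurity denials per (rule id, client IP) for Cloudflare edge IPs."""
    hits = Counter()
    for line in lines:
        if "ModSecurity: Access denied" not in line:
            continue  # skips warnings and non-WAF error lines
        client, rule = CLIENT_RE.search(line), RULE_ID_RE.search(line)
        if client and rule and is_cloudflare(client.group(1)):
            hits[(rule.group(1), client.group(1))] += 1
    return hits

# Constructed sample lines; rule ids 999001/999002 and the file path are
# placeholders, not real rules from any rule set.
def _line(client, action, rule_id):
    return (f'[Fri Apr 08 22:10:01 2016] [:error] [pid 21] [client {client}] '
            f'ModSecurity: {action} [file "/etc/example/waf.conf"] [line "1"] '
            f'[id "{rule_id}"] [msg "constructed"] [hostname "example.com"] [uri "/"]')

DENY = 'Access denied with code 403 (phase 2). Pattern match "x" at REQUEST_HEADERS:User-Agent.'
WARN = 'Warning. Pattern match "x" at ARGS:q.'
SAMPLE_LOG = [
    _line("108.162.245.10:40112", DENY, "999001"),  # Cloudflare edge, Apache 2.4 style
    _line("108.162.245.10:40155", DENY, "999001"),
    _line("162.158.90.7", DENY, "999002"),          # Cloudflare edge, Apache 2.2 style
    _line("203.0.113.50:5000", DENY, "999001"),     # not a Cloudflare address
    _line("108.162.245.10:40200", WARN, "999002"),  # logged but not blocked
]

if __name__ == "__main__":
    for (rule_id, ip), n in cloudflare_denials(SAMPLE_LOG).most_common():
        print(f"rule id {rule_id}: {n} denial(s) for Cloudflare IP {ip}")
```

Each id it reports is a candidate for a targeted exclusion, for example with ModSecurity's `SecRuleRemoveById`, once the hits are confirmed to be false positives.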

Happy hacking!