Top 10 Customer FAQs
Presented by: Jamie Ede
Originally aired on February 14, 2021 @ 6:30 PM - 7:30 PM EST
Discover our customers' top questions and the answers to them.
English
Q&A
Transcript (Beta)
Hello and welcome to C-SUP TV. This is the top 10 FAQs for what Cloudflare support get from everyone who is a customer.
So please ask questions throughout. I will try to answer as many as possible through this and the email address is livestudio at Cloudflare.tv.
So I'm gonna try and go over like the top 10 requests we get from customers and how to solve them and like avoid them happening.
My name is Jamie Ede.
I am the technical trainer for the technical support team at Cloudflare. I was a technical support engineer for two plus years before changing the role to technical trainer.
I was based in London before I became a technical trainer. So yeah, I've seen all the tickets.
I've helped with all the issues. Well, there's new issues all the time.
So it's ever evolving products. So yeah, that's me. So this is a brief overview of what I'm going to cover in the next hour.
So we've got DNS incorrect name servers.
So when you join Cloudflare, you need to change your name servers.
Ray ID, why do we need it? As a technical support engineer, why do we ask for this information?
Why isn't my page rule working is the next one. So page rules, you should know what they are.
And I will go brief overview of what they are if you don't and explain like the top reasons why they may not appear to be working.
We've also got DNS and orange versus gray clouding. So I'm going to go over the pros and cons of both and when and where you should be using either the orange cloud or the gray cloud in your DNS settings.
The next one is mixed content issues.
So this is like an SSL style thing where you have mislinked resources on your webpage, which causes errors or your site not looking the way it should do.
And I'm going to get into that as well.
Minimum TLS version, which one? So you can select which TLS version you want the minimum to be allowed to your sites and I'm going to explain the pros and cons of choosing individual TLS versions.
And yeah, and next one is, is the site using Cloudflare?
I'm going to go over a couple of methods just to see, is it working?
Like is Cloudflare working on my site? Just as a quick and easy guide on that.
So five XX errors, is it Cloudflare? So when you have five XX errors, we'll be able to, I'll be able to show you, is it a Cloudflare error or is it something you can fix on your origin itself?
How can I block an IP address?
So just something quite simple that Cloudflare has a lot of tools for now, including the new firewall rules, which is much more configurable than the old style of blocking IP addresses.
I'm going to go into that and the uses for that.
And the last thing we're going to finish on is this error. So it's just ERR underscore too many redirects.
I'm going to go over what that exactly is. And remember, please ask questions throughout.
So the first one, DNS incorrect name servers.
So the usual way to activate a zone on Cloudflare is the full setup, which is where you will change your name servers on the domain at the registrar level.
So that means wherever you bought the domain initially, you need to log into there and change the name servers for that domain to like the allocated Cloudflare name servers that appear during the onboarding process in the Cloudflare dashboard.
We make it really easy when you add a domain to Cloudflare using the add site button at the top of the dashboard, where it will guide you through.
And then at the end of the process, it will show you which two name servers you need to log into your registrar and edit out them to activate on Cloudflare and take advantage of our services.
So if you don't set them correctly, then your domain will not activate on Cloudflare, which will mean your website will usually stop functioning at all.
Yeah, so some of the top reasons, like ways we see this being done incorrectly would be that they're not spelled correctly.
So you should be able to use the dashboard and we make it really easy to copy and paste the name server itself to drop into your registrar.
But sometimes you're just missing an L on Cloudflare or you slightly misspell the first name of the name server.
So for example, if you've got Mark name server, you're spelling Mark with the wrong, with a C instead of a K, for example, these little things happen quite often.
You'd be quite surprised. So just double check that you've spelled them correctly.
So yeah, or the second way that this can be done incorrectly is not setting them at the actual registrar level.
You do them at the authoritative level.
So if you're not logged into your registrar where you purchased the domain and you're setting name servers as DNS records, then that will not work.
The name service needs setting at the registrar level. So then Cloudflare can become the authoritative DNS for your domain.
After that's done, you're active and then you can move on.
Once these name servers are changed, you'll have access to the whole suite, depending on your plan level and what you've purchased.
So on the right hand side of all of these slides will be a section for like the key points here.
So you can see the key points on the right hand side here.
Ensure the names are spelled correctly if they're incorrect. So I will not activate on Cloudflare and make sure you're setting them at the registrar level.
Okay. The next thing I just wanted to go over is RayID.
Why do we need it? So the RayID is a unique identifier for requests that go over Cloudflare.
It's a string that then equates to a data center location and timestamp of the request.
So with that information, the technical support engineers can dive through into Kibana and find exactly which data center you were hitting and where the issue was actually taking place, depending on the issue you were having.
So you can see the RayIDs when you send a request to a website that is on Cloudflare, that is orange clouded.
So the DNS records, when you proxy them through Cloudflare, you change that cloud icon on the DNS tab to orange.
And that means your requests for that DNS record will go over the Cloudflare network, meaning there will be a RayID associated with each request.
So, and you can view these details by sending requests to your domain, or you can use Chrome itself or any web browser looking developer tools to actually see the RayID itself.
So it's critical for technical support to investigate the issues, and it shows on every request on a Cloudflare orange DNS record.
Okay, why isn't my page rule working?
Page rules are very, very powerful tools here. So you allow you to change Cloudflare settings, on different parts of your website.
For example, redirecting all traffic from one subdomain to another, or setting cache SSL and performance settings granularly to set parts of the website based on URL, and you can use wildcards.
So these are powerful because they run on our edge, right?
They don't run on your web server. So the user of your website, when they go to your website and you have a page rule running, it doesn't need to go to your origin to run.
It runs on our edge and sends the reply back, or does the redirect on our edge.
So it's much faster in the majority of cases than using origin -based web server edits to do redirects or conditioning of things.
So one thing to note, for each request that you send to your website, only one page rule will execute.
So if you have multiple page rules on the page rule page, you will notice that only one of them will execute, and it will be the first one that matches.
So I'm just gonna open up the Cloudflare dashboard here, and just to show you.
So I've got cstuttv.com. If I open that out, we'll see this is the Cloudflare dashboard.
You should all be familiar with this, and we can see here next to workers and network, the page rules tab.
If I click that, we'll see there are no page rules here.
But if you can create up to 50, you could create page rules here, which would have redirects based on, let me show you.
So if we do a page rule for this, so cstuttv.com forward slash star, and we want it to, let's think, just a redirect.
Forwarding URL, and we can set to code permanent, and we want to send it to blog .cstuttv.com.
Let's save and deploy that. Ooh, you need to have the forwarding URL in the correct format.
Press save and deploy. So this is now deployed, right? That's how quick that is.
That is now up and running and working. If I went to cstuttv.com in my browser right now, we'd get redirected to blog.
So one thing to note here is this one has a wildcard.
So if I then tried to do a similar page rule like this, let's say I have a secondary shop site or something at cstuttv.com forward slash shop, for example.
And we just want people that go to this URL to get redirected to the actual shop subdomain.
So what we can do is do another 301 or 302 and do shop.cstuttv.com.
Save and deploy. Oh, I forgot the HTTPS again. Save and deploy on this.
And you will see we now have two page rules. If I move this one to the top, this one will run on any request that actually goes to shop.
So this is the one that would run and this one would never run, right?
So you have to make sure that the ordering of the more specific page rules are above the one something more broad with wildcards.
So if I put that above, that would give me the behavior of anyone that goes to forward slash shop will get redirected correctly and everyone else that doesn't hit shop will get redirected to the block.
I'm gonna delete these because we don't need them now.
But hopefully that's a good explanation of just one of the common things we see in support is the page rule is just not mismatching in that type of the matching part based on URL and wildcards.
Okay, back to this page.
So you can see my slide now. So another reason this happens is you create a page rule for a DNS record that is gray clouded.
Page rules only work on DNS records that are orange clouded and going over the Cloudflare network.
So you're not gonna have any of the, any Cloudflare product run on a gray clouded subdomain or DNS record.
So ensure that things you want to run over Cloudflare are orange clouded.
And then these types of services will work. So yeah, number two here is you can see your URL matching pattern is incorrect.
So just make sure your wildcards are in the correct place.
You know, the subdomains correct, et cetera, et cetera.
Number three here is it is working, but the settings changed, need a cache purge to take effect.
So if you create a page rule where you're changing cache behavior or minify behavior, if these assets are already in cache, then this page rule will only take effect effectively when the asset has expired from cache.
So you can either wait for the cache to expire or purge your cache. And then the new page rule, what you have created to change cache settings will take effect and work going forward.
So at number four is what I showed you in my screen share, where there is a page rule conflict and matching page rule ordered before has run.
Like I showed you before, the wildcard ran. So only one page will run per request.
So the subsequent one, which you wanted to work for forward slash shop would not have executed.
So key points, they only run in Orange Cloud DNS records, triple check your URL matching patterns, purge the cache.
If you're touching any caching performance related settings, if in doubt, purge the cache and check to see if there is a page rule priority mismatch to make sure the priority you are setting to your page rules will effectively work in the way I showed you just then.
Next up, DNS Orange versus Gray Clouding. So TLDR, Orange Clouded DNS records are running over the CloudFlow network.
Gray Clouded DNS records are not running over the CloudFlow network.
So there are reasons to keep DNS records gray.
They would be if you have services such as email or FTP, non-HTTP based services, which you need to work, right?
You need to keep those gray. But Orange Clouded ones, the traffic runs over the CloudFlow network, your origin IP is masked by our edge network because you're effectively proxying your traffic through us.
And you have all CloudFlow features available on an Orange Clouded DNS record based on what plan you're on.
And use on DNS records that have web appliances, websites on them, right?
So don't use it on the services which are the opposite end of the scale, like email servers, FTP endpoints, et cetera.
So with a Gray Clouded DNS record, you are open to your origin IP being exposed because we're not proxying the traffic.
The DNS record you have created that is Gray Clouded exposes your origin to attacks, to people knowing your origin IP and then been able to target attacks just directly to your IPs, et cetera.
There's a multitude of reasons that you don't want everybody knowing your origin IP.
And there are no performance gains, no security gains.
So you're not using our network to enhance the performance and security of your websites.
So the main points to take away would be Gray Cloud equals no protection.
Orange Cloud equals you have CloudFlow protection and optimizations and services such as email servers need to have Gray Clouded DNS records because we do have customers where they've orange clouded their email server and then email ceases to work, right?
The emails are undeliverable because it's not proxiable.
Okay, so this mixed content issues something we see very often in, usually with new customers onboarded to Cloudflare and they want the SSL, they want the protection but their origin isn't set up in the ways where the resources aren't fully SSL capable, I think is the best way of putting it.
So one of the questions we get often is why don't I have a padlock on my site even though it's over HTTPS?
And I'll explain what that means in a moment by sharing my screen in a second.
So, but this would be due to resources being loaded on a webpage being linked as HTTP and then the resource instead of HTTPS or forward slash, forward slash and the resource.
So when links are hard linked as HTTP in a website's code, the resource will fail to load or load but give you a warning in Chrome depending on the security headers that the website has enabled.
So I'm going to share my screen on my website here.
So you should now be able to see csuptv.com. It says not secure at the moment, right?
If we click in the URL bar and I press left, we can see it says HTTPS.
So we are in fact going over HTTPS but it's still showing as insecure. Okay, so why would that be?
So we can see not secure there with new information. Your connection to this site is not fully secure.
So if we go to the inspect tools or like the developer tools, right click, inspect, then go to console.
We can see here, we're getting a warning, mixed content.
The page at csuptv.com was loaded over HTTPS but requested an insecure image, which is HTTP csuptv.com forward slash png forward slash cf dash logo png.
So as we can see here, it's over HTTP, right?
So it shows us not secure, which customers are writing about and say, I've enabled SSL but my site is still not secure, why?
And we help them and help them understand that the resources on your site need to have the correct linking for Chrome to deem it a secure website, right?
So we can fix that and I'm gonna do that right now.
So you can now see my terminal screen. I'm going to go into the web root directory for this website itself.
And I'm going to just edit the basic HTML page you just saw in Chrome.
See it said welcome and the image was linked. As you can see here in the source code, it's HTTP.
If I say this isn't add the S to the end and then exit and save it.
And then we go back to Chrome. We're going to be able to see different behavior.
So now we're back on this screen. You can see it's still the same because I need to refresh.
But once I refresh, we now have the padlock. So this is key to fixing mixed content issues.
Your website may have loads and loads of resources where these are HTTP linked.
And it may take you some time to either manually edit all of these or use some type of plugin if you're using a content management system to automate this process.
But you can and you should be able to fix this yourself by looking in the console and seeing that mixed content error showing you which resources are being loaded over HTTP.
And then you should be able to edit it and away you go.
So right now we can see this is fully secure.
Like this site has no resources that are being linked incorrectly. So if I go to view frame source, we can see now it's showing as HTTPS.
So I'm going to go back to the slides for one second.
So yeah, that was mixed content issues.
That is one of our top FAQs that we get. And we can always help you identify which resources they are, but we can't actually fix them fully.
There are ways you can do this too.
We do have a plugin. We do have a service on Cloudflare, which I will show you now, which could automatically rewrite any HTTP links to HTTPS.
And if I go back to my terminal now, and I'm going to re-edit that index file, put that back to HTTP and save it.
Go back to my web browser and then refresh.
We can see this is not secure still. So we're back to where we were before.
So now if I go back to the Cloudflare dashboard, here we are back at the Cloudflare dashboard where we were earlier on the page rule section.
And if I go to the SSL TLS tab, go to edge certificates, scroll down, and you'll find this area here where it says automatic HTTPS rewrites.
Automatic HTTPS rewrites helps fix mixed content by changing HTTP to HTTPS for all resources or links on your website that can be served with HTTPS.
So if I enable this button now, this setting was changed a few seconds ago, right?
Go back here. Go back here.
So you can see this is still not secure. And if I refresh, so we haven't changed the origin web server we haven't edited the index HTML file.
If I refresh, it should usually fix this issue.
So there you go. I had to right click clear cache and force reload and then it works.
This is just the browser cache. So once this is reloaded and done, we can now see the source code.
If I refresh this, it shows this HTTPS, right?
So if I go back to my terminal, we're going to see that it is actually still HTTP.
So let's say that's what's great about that one button you can press can usually fix mixed content issues without you having to log into your origin, use plugins or do anything like that.
But it isn't foolproof.
So there will always be times where this does most of the links, but there may be some leftover which the service does not hit.
So when that happens, you're going to have to manually fix those ones that are not caught by the plugin.
Cool. So I'm going to go back to the slides.
So we go.
I hope that was helpful for people that have had this issue in the past and just wasn't sure of like quick fixes like using the automatic HTTPS rewrite button and exactly what it means and why it says not secure when you're actually going over HTTPS.
So that was an overview for you there. Okay, my next thing I want to talk about is is a site using Cloudflare?
So what I mean by that is we have questions from customers saying is my site working over Cloudflare, right?
So working is a broad term. So is it on Cloudflare?
Probably. What do you mean by working could mean a lot of other things. So sometimes we ask for more information in that regard.
So are you seeing performance or is it security related things like define working so we can work with you to enhance your experience and et cetera.
But when we say is a site using Cloudflare, we just mean, is it on the Cloudflare network?
So if your name servers are on the Cloudflare name server, if your name servers for your domain are set at the registrar to the Cloudflare name servers that were for your domain and you have created a DNS record that is orange clouded that points to your web server, then yes, you are more than likely going over Cloudflare.
But you can check. So one of the easiest ways to check would be a Chrome extension called Clare.
It's an extension that anyone can install and it will show you an orange cloud at the top if a site is using Cloudflare.
And that's just when you're developing your website or your web entity and you're moving onto Cloudflare.
Having that installed, it's just great just to see when it becomes active based on your browser cache, your DNS cache locally.
Because yeah, it's just great to see in firsthand just by glancing up an orange cloud.
So another way to check is check the headers for server Cloudflare.
So you can do that several ways. So one of the easiest ways would be you can use, just share my pure terminal that's not logged into a server.
There we go.
So this is just a normal terminal window. So if you do like a curl request to a domain that is on Cloudflare, you can see here, we can automatically see server Cloudflare.
This site is on Cloudflare.
So that's one of the really easy ways to check is by sending a request to Cloudflare and seeing which headers out these headers.
These are the headers that have come back are Cloudflare related headers.
So we've got the Ray ID I spoke about earlier and it's unique.
So we've got the Ray ID here and we've got the Cloudflare server here.
And we've also got the CFUD ID cookie here. So that's one of the really easy ways to check.
So if I remember the last three digits of this Ray ID, it's two AA.
If I send another curl request to csuptv.com, we can now see the Ray ID ends in two EC.
So that's me showing you that each Ray ID is unique. So in this aspect, we have found, we've done two requests, we've got two unique Ray IDs, which can be used for nothing in this case, because this is not an error, everything's fine.
If there were errors and you were writing into support for help, including this Ray ID, or even just the whole curl output, or your aha file, which I'll show you in a second what that is, we can help you a ton here.
Let me go back to my slides.
I slightly digressed back to Ray IDs, but it was relevant due to what we covered earlier.
So yep, check for the headers server Cloudflare. And check IP address against our list of IPs.
So yeah, when I went to the, when I did a curl, we hit this IP address, right?
Over the IPv6. And if we then, if we then went to Cloudflare.com forward slash IPs, we'll be able to see the list of the IP ranges in the IPv6 band, and it's gonna be in there, right?
We can see it matches this.
So that's another way you can see if a website is using Cloudflare. So yeah, as you can see, yeah, this is masking my origin IP address here.
So it's a great security mechanism for it.
So all the traffic that goes to csuptv.com goes through the Cloudflare network and any security settings I'm using before it has a chance to get to my, before it has a chance to get to my origin web server.
Okay, so orange cloud equals going over the Cloudflare network, gray cloud equals not going over the Cloudflare network.
So the, yeah. Okay, so a 5XX error, is it Cloudflare?
We have many customers that write in support regarding 5XX errors like 503, 502s, 521s, 522s, et cetera, et cetera.
So the majority of the time, the issue is origin -based.
So if there is like an issue at the Cloudflare edge, most of the time there will be a status page update or we'll have a proper incident ongoing in that regard.
But most of these issues, when you come across them, we have KB articles on our knowledge base at support .Cloudflare.com that outline.
If you see this kind of error, it is a Cloudflare issue.
If you see this type, it is something to do with your origin, whether it be firewall, web server down, et cetera, et cetera.
So things to check, is your origin web server up and running?
If you're not the person that would know the answer to that question, ask your web hosting provider or your server administrator to just do a quick check on the service to make sure your web server is indeed still up.
Because based on what error code you get back and what the article says, then it's probably an origin web server issue based on like a five to one where your web server is down, et cetera.
Make sure your firewalls that you have, whether it be hardware-based or software.
So for example, the open source tool, Fail2Ban, if you use that and you haven't configured it correctly and it classes some requests to your website itself coming from the Edge IPs, not being the actual clients and things, you can have mismatches in that way, which I've seen in the past, which causes Cloudflare IPs to be temporary banned based in the Fail2Ban ban lists for like three hours, et cetera.
So one of the things just to make sure that you've, well, one, whitelisted all Cloudflare IP ranges that are listed on Cloudflare.com forward slash IPs.
If these are whitelisted in the firewall software you're using slash hardware, then you shouldn't come across any of the issues which I'm showing here.
Okay, I'm gonna show you something really quickly.
One of the simplest five XX errors we do come across from customers. So if I share my, the CSUP TV web server terminal, just clear it for a minute, and let's just stop NGINX.
So I've just stopped NGINX, which is a web server. By the way, it's a web server that is very fast, very efficient, and yeah.
So I've just stopped my web server.
So we should expect an error now when we go to csuptv .com.
So if I then share my browser window, if we then try and reload this site, I'm gonna press the refresh button in a moment.
Let me just make this a little bit bigger for you guys. So if I then press the refresh button now, error 521, web server is down, right?
It tells you in the error message exactly what the Cloudflare edge is seeing.
We're seeing that your web server is down, right?
And as you can see below, we've got the U, your browser is working with a big tick box.
So there's nothing wrong with your browser.
The second one, we have a tick, like the San Jose Cloudflare, working. So it's showing there is no issues on Cloudflare.
Now on the final step, we have the big red X with csuptv.com host error.
So this shows you at a really quick glance that your web server on your backend is having issues, okay?
So it can be, usually it's not as simple as this, right?
There will be other factors involved with other type of 5xx errors.
But if you're seeing the X on the final step here, and not in the center here, the majority of the time, there's something wrong on your origin, on your origin web server.
And that's where you should diagnose internally. So if this was me and I was a customer, and I saw this error, this is what I would do.
I would, so I'm on my web server, I've terminaled into my web server.
And I'm just gonna run a call request to localhost, just to see what's going on.
Okay, so we're getting connection refused on port 80.
And I can't actually remember if I only set up 443, which is SSL, or did I do 80 as well?
So I'm actually gonna change this to HTTPS and see what happens.
Okay, so yeah, my web server is definitely down, because I'm connecting to myself, localhost, because I'm logged into the CSUP TV web server.
And I'm seeing connection refused in both sets. So that's when I would then check the actual, check the actual service.
And as we can see here, it shows as inactive dead.
Okay, so that 100% proves there is something wrong with my web server.
So we can just start the service. So if I write start on nginx, and then do another status, so I've done sudo systemctl status nginx, if I hit enter, we can now see it shows as active running.
So really, that should now show that our website here is working.
So now if I refresh, we're back up, right? So always overanalyze the error messages you see to make sure you followed the article in relation to the issue being seen.
Because if we go to support.Cloudflare .com, and we just write 521 in here.
And we can see the top result here is troubleshooting Cloudflare 5xx errors.
We click this one, it opens up this article. And if we scroll down, let's find our error.
What were we having? We were having a 521, right?
So if I just click that, it will take me to that area. A 521 occurs when the origin web server refuses connections from Cloudflare.
So security solutions that your origin may block legitimate connections from certain IP addresses.
The two most common causes are offline origin web server application, which I showed you, or blocked Cloudflare requests.
So the thing I mentioned before, like a firewall or some security service blocking Cloudflare IPs on your origin itself.
So the resolution, contact your site administrator or your hosting provider.
And then they can go through, check, they can run the diagnostics like I did in my terminal, and they should be able to get you back up and running very quickly.
The other types of 5xx errors are similar, but we can have sessions in the future, maybe where I deep dive into some of these more complex issues, which can happen over the Cloudflare network, and what the solution could be, and what you could do to resolve it.
So yeah, this one was a slight in-depth look at a basic 521 error, but showing you just how and what you can do early on before you even need to contact support.
You should now know that the error page we show you should give you enough details to then check our support portal at support .Cloudflare.com to find the relevant documentation, to self-diagnose and resolve, saving you time, right?
So if you take anything away from this is everything I'm showing you, and if you have similar issues, you will, following these steps should get you resolution time quicker if you do contact support, and maybe even negate the need for a ticket in the first place.
If you follow directions in the support articles, and you are able to find the solution.
Okay, next one.
How can I block an IP address? So this is a very broad statement, and there can be many reasons to do that.
And the way I write that is because that question comes in many forms.
It can be in the form of, let's say, I want this area of my website to only be accessible from a certain number of IP addresses, or I would like to, or another type of question we have is, I have a forum where this, I keep getting this spam in my forum from this one IP, how do I block it?
So there's two ways of thinking about it. How do I lock down somewhere that's an admin tool, and how do I protect myself?
And IP firewall and firewall rules are two avenues which you can go with this.
So there are advantages and disadvantages.
Well, actually, there's no real disadvantages of firewall rules, because it's really configurable.
So that might be its disadvantage, right? You may, it may be over-complex for what you need, and just an IP firewall block is the quickest way, because there's no configuration other than adding the IP to the product, and that's it, it's blocked for your whole zone.
But with firewall rules, you can be more granular.
Let's say, this guy that's on your forum with this IP, you could just block him from the forum post submission form, for example, using firewall rules.
So instead of blocking from the whole website, this person can still view your website.
They just can't post, et cetera. So I'm gonna do a quick show of the Cloudflare dashboard again.
And you can see that now, we're back where we were before regards to automatic HTTPS rewrites.
So if I go to the Firewall tab here, we can see Firewall Events.
There's already been some events here, but if we go to Tools, IP Access Rules, this product has been around for a very long time.
It's very, very heavy, right?
So let's say we want to block, let's think of, can I add internal IP addresses here?
Just for demonstration purposes, yeah, let's block this internal IP from this website or all sites in account, lock it.
So if I run that and press Add, there you go, I've blocked everyone from this IP address from all websites on my account.
Or I can then, you can also choose just this website if you want to be more specific, but that's totally up to you.
And you can edit the note here, or you can just remove the rule again, just by pressing X.
So that's how easy IP Access Rules is to block a singular IP address, or even IP ranges or countries or ASNs themselves.
So it's very quick and easy, but it lacks configuration for, so a lot of people don't just want to blanket block an IP address, they want to be granular.
Like they want to just block this one person from submitting to their forum, but they still want to allow them to view it.
So yeah, let's now check out Firewall Rules.
Once I click here, we can see here, it says Firewall Rules, control incoming traffic to your zone by filtering.
So the keyword here is filtering.
It's not just like IP Access Rules where you add an IP and it's blocked.
We can filter based on location, IP address, user agent, URI, and more. So if you go to the create, let's just do a test one quickly.
Let's find IP, so if I press write IP, press enter on that, equals, let's do that same IP address.
And let's say URI, or we could do method, right?
So instead of blocking him from, blocking this IP from going to a certain webpage, we could just block them from sending post requests, which means they wouldn't be able to, if your form for your forum takes post requests, it would stop them from having to post anything on your forum with a nice block message, right?
So we deploy that. And now that's active. We can see that rule is now active and it will work.
That's how quick and easy it is to add a filter based protection.
That was a really, really simple filter, right? You can seriously go down into a regex hole here.
You can create a vast array of different parameters, which you want it to match or not match, et cetera, to create comprehensive security based on what you, yourself want to protect yourself against or lock down an admin area for, et cetera.
So that was very TLDR.
I could spend a good hour diving into how firewall rules works and diving into all that stuff, but I'm not going to because time.
Let's have a look at one last thing here.
The title of this one is error too many redirects, right?
This is a hugely common issue we see from customers and we call it a redirect loop because well, Chrome stops because there are too many redirects.
So it's just, it shows that it's redirect reader.
It's looping in essence. So it's usually related to discrepancies with SSL mode and what your origin web server is expecting or configured with, right?
So yeah, I'm now going to go over it live exactly how this works.
So if I go back to the dashboard and then I go to the SSL TLS tab, if I then change, at the moment, the SSL mode is full.
So it's encrypted from the browser to the Cloudflare edge and it's encrypted from the Cloudflare edge to the origin web server.
If I then change it to flexible, boom, the setting was changed a few seconds ago.
So now the connections to my whole website are encrypted from browser to the Cloudflare edge, but unencrypted from the Cloudflare edge to the origin web server, okay?
So you can already see that flexible is not a recommended setting to have enabled, right?
You should fix your origin to ensure it has and accepts HTTPS traffic as soon as you can, really.
It's common practice nowadays to have full HTTPS, right?
And there are many tutorials online for beginners, including using Let's Encrypt, using their certbot, C-E-R -T-B-O-T.
They've got a certbot that can automatically configure certificates for your web servers.
And it's just great. I highly recommend doing some research into Let's Encrypt and certbot in that way.
If you just wanna get up and running in full and protect yourself from being insecure between Cloudflare and your origin web server.
Okay, so now I've set this to flexible. Let's have a look at this tab.
And if I go to blog .csuptv.com, as we can see here, we're getting error underscore too many redirects, okay?
So if I now, this is the error, which was the title of the slide, right?
So I then go to my terminal for that server. Yes, it has WordPress installed, don't judge.
It's quite clear. And we do a curl. Actually, now this would be best to do on my own terminal on my computer.
So this terminal I've just reopened here, which you can see, which says jmead at desktop is the one that's running on my actual computer and I'm not in a server.
If I do a basic curl to blog .csuptv.com like this, we'll see we get a 301, which sends us to HTTPS.
That's cool. Okay, let's change that to HTTPS.
So HTTPS and then the blog. Let's hit enter on this one.
Get a 301 again, but to the same place, right? They match. So that doesn't make any sense, right?
And now if I use the flag dash capital L on this, this means it will follow all the redirects.
And as you can see right now, we're just in a loop and this will stop after 50 based on curl set maximum.
So I'm gonna end it now with control C.
So we can see consistently this was setting a 301 and going to blog.csuptv.com on every single request.
She's strange, right? But this is over the Cloudflare network, remember.
So we're only seeing the Cloudflare side here.
So if I then go to the web server itself, let's just have a little think here.
So let me request the website. Hold on, let me step back one minute. We've set the SSL mode to flexible, right?
So that means all traffic going to the origin web server will be going over HTTP.
Okay, so let's do a request to localhost over HTTP. Okay, let me just set the host header.
So I need to set the host header because it will be the same results.
I'm just covering my back because there's only one host on here.
So as you can see, it's 301 -ing back to this blog.csuptv.com. So if I change that to an S, we get, so okay, so the first one with the HTTP, we're getting the 301 back to HTTPS automatically at the origin, which means if we go back here, let's see if I can do this as a whiteboard.
We've got, I've got nine minutes.
So we have flexible. So we're set on flexible. I'm using my finger to write, so apologies for the quality, but hopefully you'll understand the concepts when I finish this.
So we're on flexible here, which means on the Cloudflare edge, so let's say CF, when we go out to the origin, so this is origin.
So the client is connected over HTTPS and then to the origin, we're going HTTP, right?
But the origin itself here is setting HTTP back to HTTPS and sending that back to Cloudflare, right?
And then Cloudflare will then do the same thing. It wants flexible, so it tries to go back to HTTP and it just goes round and round in circles, right?
That was just a really quick, really bad drawing, but hopefully it enforces what I was trying to show there.
So right now, my origin for this WordPress blog is set to only accept traffic over HTTPS.
That is why it's broken. So the fix here, the quickest fix is for the customer to, for me, to change my SSL mode back to full.
Boom, because my origin web server is expecting HTTPS traffic and we break the redirect loop, right?
We're not looping anymore. We're requesting exactly what the web server wants, okay?
So we can double check that by going to the blog here. If I refresh this, then loads a lovely brand new WordPress install.
Okay, so yeah, hopefully that makes sense to everybody and hopefully it was helpful for this kind of issue.
This is something you could also dive down in different avenues in terms of the redirect loops can be the other way where they need flexible because their origin only supports port 80, but it's the same concept.
If you enable full and your origin is expecting only 80 traffic, it will either plain not work.
It will plain not work or if you set it up in a way that it redirects port 443 traffic back to HTTP traffic, then you will get a redirect loop.
There's so many ways that Cloudflare customers can configure, right?
Because we have so many customers with so many different stacks and some could be based on Nginx or Apache or they could be just a plethora of multitude of low balancing everything.
And the way that we see customers break things would be, it's interesting.
And I've really enjoyed the experience of being a customer technical support engineer because we get to dive into these things and learn them inside out.
So having the opportunity to talk to you guys and just explain the most common things we see has been great.
And I think we'll have to do more soon so I can deep dive into other avenues and different things that we come across.
So one last thing I definitely want to finish on is giving support enough information.
So many of you may have written into support in the past and received the, we need more information response.
This is because the information you've given us maybe to the best that you know what you could give us at that time.
But for us to help you in the most efficient way and to get to the actual answer where we are confident we are helping you, we need to know the detailed replication steps or it could be ensure that the domain itself slash URL you're having issues on is in the ticket slash email itself.
And if it's applicable, try and send us the Ray IDs. We need them in some cases when we're troubleshooting network stuff or 5XX errors.
So, and the HAAR file, okay. This file is like, it's our bread and butter, as I'd say.
The HAAR file is something the technical support engineers at Cloudflare analyze daily, right?
So with HAAR files, we can see everything. And I'm gonna just quickly show you what a HAAR file is.
If you're not that familiar with them, okay. So if you open up InSpec on any website in Chrome or other browsers, so you can see here, it shows all the elements, console sources, network, et cetera.
If we go to the network tab here, we right click here, because when you're in DevTools, you have more of these menus.
And then you do empty cache and hard reload. This gets us a pure, fresh request of your website, which does not use any of your browser's internal caching systems, like Chrome's memory cache or disk cache, et cetera.
It fetches everything from the Cloudflare edge slash your origin.
So once I click this, we see everything load.
So this is all of the resources that loaded for my website, okay.
So as we can see here, I have added a custom header field here called cf-cache-status, right?
This shows you that's dynamic, which because it's my homepage, it's a document, it's not by default cacheable.
But all the other resources here are all cache hit, because they are font files or they are style sheets, et cetera.
So you can see these are being cached on the Cloudflare edge. Exactly, right?
So, but anyway, a HA file is this stuff being exported so you can send to support.
And I can see, here we go.
If you right click on here, and then you go to save all as HA with content, this creates a HA file.
And now that's on your browser, that's in your document folder, which you can then import or send to support by attaching it as an attachment, okay?
So if we go back here, that is just what I wanted to go on here.
Yeah, so just try and give support enough information for me to be able to help you efficiently, okay?
And we're always here, we always try and help the best we can.
And that was it. Thanks for watching. And do I have any questions in the wings?
So I have a question. Great show, Jamie. Can I set a firewall on a county by country basis?
So that, you can do country, yes.
Of course, you can set the country and base like that, but the GOIPs for specific regions and counties is something that is different.
And it's not something that we actually, you do by default and it's a different kind of rule that you need to create.
So yeah, if it's country, yes. If it's county, it depends on the country, I think is the correct answer there.
But it is in the GOIP stuff.
So we do have the data if you need to use that stuff, but it's more to do with firewall rules.
You'd have to create a firewall rule based on GOIP to actually be able to use that kind of stuff.
Thank you for watching.