Cloudflare Blocking HackGATE Requests Due to Managed Firewall Rule

December 12, 2025

Overview

When your application is served through HackGATE, Cloudflare may block requests if a specific Cloudflare Managed Firewall Rule is triggered. This can cause the site to fail loading, appear broken, or return a 403/1020 “Access Denied” error.

One commonly triggered rule is:

“Drupal, Wordpress – Anomaly:Header:X-Original-Url, Anomaly:Header:X-Rewrite-Url – CVE:CVE-2018-14773”

This rule blocks requests containing certain headers — including X-Original-URL, which HackGATE uses intentionally to rewrite the original request path during proxying.

This article explains why the rule is triggered, how to disable it safely, and what to do if the fix does not work.

1. Why Cloudflare Blocks the Request

HackGATE rewrites and forwards traffic using headers such as:

  • X-Original-URL
  • X-Rewrite-URL

These are required for correct request routing inside the proxy.

However, Cloudflare includes a Managed Rule designed to protect Drupal and WordPress from CVE-2018-14773, a vulnerability in which these headers were exploited for path traversal attacks.

Because HackGATE legitimately uses these headers, Cloudflare may mistake this for an attack — and block the request.

2. How to Fix the Issue (Disable the Specific Cloudflare Rule)

The steps below are translated from the original Hungarian description.

Step-by-step instructions

  1. Go to the Cloudflare Dashboard
  2. Navigate to: Security → WAF → Managed Firewall Rules
  3. Locate the section Cloudflare Managed Ruleset
  4. Click Cloudflare Specials
  5. Scroll to rule group 301
  6. Locate the rule with ID 100250
     • Rule name: Drupal, Wordpress - Anomaly:Header:X-Original-Url, Anomaly:Header:X-Rewrite-Url – CVE:CVE-2018-14773
  7. Change Mode to: Disable
  8. Save changes

This rule is not essential unless you run a public Drupal or WordPress installation directly through Cloudflare. Disabling it for HackGATE-protected applications is safe and recommended.

3. What if the Rule Does Not Solve the Problem?

In some environments, other Cloudflare rules may also block the HackGATE URL. If disabling rule 100250 does not fix the issue, follow the steps below.

A. Check Cloudflare Security Logs

  1. Go to: Security → Events / Logs
  2. Filter by:
     • Hostname = hackgate domain
     • Action = Block / Challenge / Managed Challenge
  3. Look for:
     • Firewall rule ID
     • Threat signature
     • Block reason (e.g., Bot Fight Mode, WAF rule, custom rule)

This will show exactly which rule blocked HackGATE traffic.
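
The same review can be run offline on exported events. The script below is an added example, not Hackrate or Cloudflare code; it assumes NDJSON events with Logpush-style field names (ClientRequestHost, Action, Source, RuleID), and the hostname and every sample value are constructed.

```python
import json
from collections import Counter

# Constructed sample events (NDJSON). Field names are assumed to follow
# Cloudflare's Logpush firewall-events dataset; adjust them to your export.
SAMPLE_EVENTS = """\
{"Datetime":"2025-12-12T09:00:01Z","ClientRequestHost":"example.hackgate.net","Action":"block","Source":"waf","RuleID":"100250","RayID":"ray-constructed-1"}
{"Datetime":"2025-12-12T09:00:05Z","ClientRequestHost":"example.hackgate.net","Action":"managed_challenge","Source":"botFight","RuleID":"","RayID":"ray-constructed-2"}
{"Datetime":"2025-12-12T09:00:09Z","ClientRequestHost":"www.example.com","Action":"block","Source":"waf","RuleID":"100250","RayID":"ray-constructed-3"}
{"Datetime":"2025-12-12T09:00:12Z","ClientRequestHost":"EXAMPLE.hackgate.net","Action":"block","Source":"waf","RuleID":"100250","RayID":"ray-constructed-4"}
{"Datetime":"2025-12-12T09:00:20Z","ClientRequestHost":"example.hackgate.net","Action":"log","Source":"firewallCustom","RuleID":"custom-1","RayID":"ray-constructed-5"}
not-json line left by a truncated export
"""

# Actions treated as "the request did not reach the application" (assumed values).
BLOCKING_ACTIONS = {"block", "challenge", "managed_challenge", "jschallenge"}
KNOWN_RULE = "100250"  # rule ID named in this article


def blocking_rules(ndjson_text, hostname):
    """Count blocking events for `hostname`, grouped by (Source, RuleID)."""
    counts = Counter()
    for line in ndjson_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines
        if not isinstance(event, dict):
            continue
        if event.get("ClientRequestHost", "").lower() != hostname.lower():
            continue  # event belongs to another hostname
        if event.get("Action", "").lower() not in BLOCKING_ACTIONS:
            continue  # log/skip/allow events did not block anything
        counts[(event.get("Source", "?"), event.get("RuleID") or "(none)")] += 1
    return counts


def other_blockers(counts):
    """Sources/rules that still block once rule 100250 is disabled."""
    return sorted(key for key in counts if key[1] != KNOWN_RULE)


if __name__ == "__main__":
    found = blocking_rules(SAMPLE_EVENTS, "example.hackgate.net")
    for (source, rule_id), n in found.most_common():
        print(f"{n:3d}  source={source:<15} rule={rule_id}")
    print("still blocking after disabling 100250:", other_blockers(found))
```

Anything returned by `other_blockers` is a candidate for the features listed in section B.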

B. Common Other Cloudflare Features That May Trigger False Positives

  • Bot Fight Mode
  • Browser Integrity Check
  • Super Bot Fight Mode
  • Sensitive WAF rule sets (OWASP, Cloudflare Specials, PHP, CMS rules)
  • Custom firewall filters created by the organization
  • Rate limiting rules

If you see one of these blocking the request, you may need to:

  • Disable that specific rule
  • Change the action from Block → Log
  • Create a bypass rule for the HackGATE domain
  • Allow HackGATE IP ranges (if your configuration uses static IPs or Cloudflare’s zero-trust tunnels)

C. Create a Bypass Rule for HackGATE URLs (Optional)

  1. Go to: Security → WAF → Custom Rules
  2. Create a rule:
     If (Hostname equals “<your-hackgate-subdomain.hackgate.net>”)
     Then Skip → WAF Managed Rules
  3. Save and deploy

This ensures that HackGATE traffic passes without being stopped by high-sensitivity CMS rules.

4. Contact Support

If you still experience blocks after disabling rule 100250 and reviewing the logs, please provide:

  • Your HackGATE URL
  • Timestamp of the blocked request
  • Cloudflare event ID of the block
  • Screenshot from Cloudflare Security Log

Hackrate Support will help identify the exact rule and recommend the safest bypass strategy.
