Scanning if you use a Cloud WAF
This page is a guide for users who are using a cloud WAF (web application firewall) like Sucuri Cloudproxy or Cloudflare. If you are using a cloud WAF, Gravityscan should work just fine. In some cases you may have to whitelist the Gravityscan IP range or use a less ‘paranoid’ security setting.
Gravityscan has two ways of scanning. A ‘remote’ scan fetches your web pages like a crawler to determine if your site has a problem. This mode rarely encounters issues with a cloud WAF.
Gravityscan also has a ‘full’ scan mode which requires use of the Gravityscan Accelerator. The Accelerator is an agent that Gravityscan communicates with on your site. Sometimes cloud WAFs can interfere with that communication. We have tested Gravityscan with various cloud WAF providers and we provide specific instructions here for some providers.
Scanning when using Cloudflare
Gravityscan works fine with the default Cloudflare security settings. It may have trouble scanning your site if your Cloudflare security level is set to “I’m Under Attack!”.
There are two ways to fix this. The first is to lower the security level:
- Log in to your Cloudflare dashboard
- Select the site you are attempting to scan.
- Select the “Firewall” option from the menu
- Navigate to your “Security Settings”
- Lower your security settings to “High” or lower.
Alternatively, you can whitelist the Gravityscan IP range in your IP firewall settings. You can whitelist the following IP range:
Our IP range is actually 22.214.171.124/27, but Cloudflare only lets you whitelist IP ranges that are /24 or /16, which is why the range above is given as a /24 subnet.
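The /27-to-/24 compromise above has a least-privilege cost: the rule you enter admits every address in the containing /24, not just the scanner's 32. The following added example (not Gravityscan's or Cloudflare's code) uses Python's standard `ipaddress` module to compute the narrowest rule a WAF that only accepts /24 or /16 can take, how many extra addresses that rule lets through, and whether a given client IP is really inside the scanner's own range. It assumes the range exactly as the page states it, 22.214.171.124/27; because that notation has host bits set, `strict=False` normalises it to the /27 that contains it.

```python
import ipaddress

# Constructed from the range the page gives (22.214.171.124/27). The host bits are set,
# so strict=False normalises it to the /27 block that contains that address.
SCANNER_RANGE = ipaddress.ip_network("22.214.171.124/27", strict=False)

# Prefix lengths the WAF will accept for an IPv4 whitelist rule (/24 or /16, per the page).
WAF_ALLOWED_PREFIXES = (24, 16)


def widen_to_allowed_prefix(network, allowed_prefixes=WAF_ALLOWED_PREFIXES):
    """Return the smallest supernet of `network` whose prefix length the WAF accepts.

    If `network` already has an accepted prefix length it is returned unchanged.
    Accepted prefixes are tried longest-first so the resulting rule stays as tight as possible.
    """
    if network.prefixlen in allowed_prefixes:
        return network
    for prefix in sorted(allowed_prefixes, reverse=True):
        if prefix < network.prefixlen:
            return network.supernet(new_prefix=prefix)
    raise ValueError(f"no accepted prefix length can contain {network}")


def overshoot(network, widened):
    """Number of addresses the widened rule admits beyond the scanner's own range."""
    return widened.num_addresses - network.num_addresses


def is_in_range(ip, network=SCANNER_RANGE):
    """True if `ip` falls inside `network` (defaults to the scanner's actual /27)."""
    return ipaddress.ip_address(ip) in network


if __name__ == "__main__":
    rule = widen_to_allowed_prefix(SCANNER_RANGE)
    print(f"scanner range : {SCANNER_RANGE}")
    print(f"rule to enter : {rule}")
    print(f"extra addresses admitted by the rule: {overshoot(SCANNER_RANGE, rule)}")
    # A constructed client address that the /24 rule admits but the scanner never uses.
    stray = "22.214.171.5"
    print(f"{stray} in scanner range: {is_in_range(stray)}, admitted by rule: {is_in_range(stray, rule)}")
```

Running it shows the rule widening from 32 addresses to 256, so 224 addresses you do not control are also exempted from the security-level challenge. That is the trade-off to weigh against simply lowering the security level to “High” while a scan runs.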
Scanning when using GoDaddy / Sucuri Cloudproxy
Cloudproxy is a cloud WAF formerly provided by Sucuri, now owned by GoDaddy. Gravityscan is fully compatible and works fine with most Cloudproxy settings. If you have your security settings set to “Paranoid”, you can still use Gravityscan, but you will need to whitelist the Gravityscan Accelerator URL.
Steps to whitelist the Accelerator file if GoDaddy / Sucuri security settings are set to “Paranoid”:
- Install the Gravityscan Accelerator using our instructions.
- Click the URL we provide in the popup to try to access the Accelerator URL. If you can access it then you are done. If Cloudproxy blocks it, then continue below.
- Log in to your dashboard at sucuri.net
- On your dashboard, select “Logs & Reports”
- Select “Realtime”
- Scroll until you find the entry for your “gravityscan-agent-*” file which will have a Red dot next to it because it’s blocked.
- Click on the entry to bring up the “Request Summary” screen.
- On the “Request Summary” screen, next to “Resource Path: /gravityscan-agent-xxxx”, select the “Whitelist” option. (You can also whitelist the IP address, but it may change.)
- You should receive a confirmation that the file was whitelisted successfully.
- Return to your Gravityscan Manage Site page and verify the Gravityscan Accelerator file; verification should now succeed.
Scanning when using Incapsula or SiteLock’s WAF
SiteLock’s web application firewall appears to be provided by Incapsula, which is why we have grouped them together. We have tested both the remote and full scan against the Incapsula/SiteLock WAF and have not found any problems at this time.