My company recently experienced an issue where all of the scheduled tasks in CFADMIN were failing. The first step I took to troubleshoot the issue was to check the scheduler.log
log file. Each task had 2 lines in the log file. The first line indicated that the task had been triggered. The second line indicated an error of 403 Forbidden
.
"Information","DefaultQuartzScheduler_Worker-3","11/08/24","07:00:00","","Task DEFAULT.NIGHTLY CLEANUP JOB triggered."
"Error","DefaultQuartzScheduler_Worker-3","11/08/24","07:00:00","","403 Forbidden"
Since no permissions had been changed on the server this was a perplexing error. The next step that I took was to execute one of the task URLs from a web browser on the sever. The task completed successfully. This led me to try to obtain more information about CFADMIN running the task so I enabled Save output to file
under the Publish
section of the Scheduled Task and specified a file to output the result.
Once this setting was in place I executed the task again from CFADMIN > Server Settings > Scheduled Tasks
and checked the log file. The log file contained the text error code: 1010
.
Researching error code: 1010
led me to several articles regarding Cloudfare blocking access to a site based on the browser signature
.
This narrowed the issue to either an issue with Cloudfare or the task not running correctly when executed by ColdFusion. I decided to try execute the URL from a ColdFusion cfhttp
call using the following basic script.
The task completed successfully when called from cfhttp
. Below is a dump of the result:
The issue therefore seemed to be narrowed to the fact that Cloudfare was rejecting calls to URLs from the CFADMIN (apparently based on an issue with the browser signature
). The browser signature
is examined at Cloudfare by a Browser Integrity Check (BIC) as a component of a WAF.
A WAF or web application firewall helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection, among others.
Read more about Cloudfare’s WAF.
You can create a custom WAF rule to turn off the Browser Integrity Check (BIC). First, use the Go to
navigation to search for WAF
and choose Security | WAF | Custom Rules
:
Next, click the Create rule
button to begin. Our solution will use the following settings to disable the BIC on requests only from our server IP to scripts residing in a certain directory:
- For the `Field` select `IP Source Address`, for `Operator` select `equals` and enter the IP address of your server as the `Value` (this will allow the rule to only apply to requests from your server).
- Click the `And` button to add another row.
- For the `Field` select `URI Path`, for `Operator` select `wildcard` and and enter the directory of your scheduled tasks as the `Value` (this will allow a single rule to apply to multiple task scripts in the directory). Notice the directory uses a wildcard at the end `/jobs/*`.
- For the `Choose action` select `skip`.
- Select `On` for `Log matching requests`.
- Under `WAF components to skip` check `Browser Integrity Check` (you may need to click the `More components to skip` link to locate it).
- Click the `Deploy` button to enable the rule immediately.
You can view the logging of the Firewall events. First, use the Go to
navigation to search for Events
and choose Security | Events
:
As you can see the previously blocked requests via CFADMIN are now allowed at Cloudfare via a Skip
action using Custom rules
.
Thanks for this, Chris. To be clear (and for readers interested to know more), it’s really about the useragent header being “cfschedule”, for urls requested as a cf scheduled task. Cloudflare doesn’t recognize that agent, thus blocking it. Curiously though, it DOES recognize the useragent for a request made via cfhttp, which is “coldfusion”, so that’s accepted.
There are other implications and alternatives arising from this. I’d shared them in an extended reply on a cf forum thread last year: https://community.adobe.com/t5/coldfusion-discussions/scheduled-task-issue-error-code-1010/m-p/13621525#M194483.
I never got around to creating a blog post, though I should have. 🙂 If I do, I’d want to point to yours here for the additional helpful perspective it offers.