Sermepa blocked by Cloudflare

So we've been under attack and migrated our domain to Cloudflare, and now our application is not being notified by Sermepa Redsys when a user makes a payment. (Sermepa is the Spanish way of charging credit cards, like but Spanish...)

Checking our code, our app is telling Sermepa to connect to our callback URL at:

Let's check in our old logs what that connection looked like when it was working.

# zgrep 'sermepa/post' /var/log/nginx/access.log.*.gz
/var/log/nginx/access.log.10.gz:"" [20/Mar/2019:16:17:49 +0000] "POST /sermepa/post HTTP/1.1" 200 5 1077 349 "-" "Java/1.7.0" 0.990 "-"
/var/log/nginx/access.log.11.gz:"" [10/Mar/2019:21:44:46 +0000] "POST /sermepa/post HTTP/1.1" 200 5 1077 349 "-" "Java/1.7.0" 1.834 "-"
/var/log/nginx/access.log.11.gz:"" [13/Mar/2019:20:36:30 +0000] "POST /sermepa/post HTTP/1.1" 200 5 1077 349 "-" "Java/1.7.0" 1.805 "-"
/var/log/nginx/access.log.12.gz:"" [07/Mar/2019:23:08:50 +0000] "POST /sermepa/post HTTP/1.1" 200 5 1076 349 "-" "Java/1.7.0" 1.696 "-"
/var/log/nginx/access.log.13.gz:"" [25/Feb/2019:15:20:00 +0000] "POST /sermepa/post HTTP/1.1" 200 5 1022 349 "-" "Java/1.7.0" 1.375 "-"
/var/log/nginx/access.log.13.gz:"" [25/Feb/2019:17:05:03 +0000] "POST /sermepa/post HTTP/1.1" 200 5 1025 349 "-" "Java/1.7.0" 0.943 "-"

Here we see a couple of things: Sermepa was always connecting from or and it was using Java/1.7.0 as user agent. I'm sure that user agent is triggering Cloudflare's Browser Integrity Check.

Some possible solutions:

  1. Disable Browser Integrity Check, but that will be useful if we're under attack again.
  2. Change the callback URL to a new subdomain not filtered by Cloudflare; we will need to reconfigure our webserver, domain and app.
  3. In 3 years of logs Sermepa always connected from those 2 IPs; why not whitelist them in Cloudflare?
  4. Contact Sermepa and tell them to use another user agent. (just joking)
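
An added example, not from the original post: a check of the premise behind option 3, that every callback hit in the logs comes from the same small set of addresses with the same user agent. The sample lines, the 192.0.2.0/24 candidate range and the function name are constructed for illustration; the log layout is assumed to match the lines shown above.

```python
import ipaddress
import re
from collections import Counter

# Matches the access-log layout shown in the post: quoted client IP first,
# user agent as the second quoted field after the byte counters.
LINE_RE = re.compile(
    r'"(?P<ip>[^"]*)" \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} [\d ]+"[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation-range IPs, not Redsys addresses).
SAMPLE = [
    '/var/log/nginx/access.log.10.gz:"192.0.2.10" [20/Mar/2019:16:17:49 +0000] '
    '"POST /sermepa/post HTTP/1.1" 200 5 1077 349 "-" "Java/1.7.0" 0.990 "-"',
    '"192.0.2.11" [13/Mar/2019:20:36:30 +0000] '
    '"POST /sermepa/post HTTP/1.1" 200 5 1077 349 "-" "Java/1.7.0" 1.805 "-"',
    '"203.0.113.50" [14/Mar/2019:02:11:09 +0000] '
    '"POST /sermepa/post HTTP/1.1" 200 5 310 349 "-" "curl/7.58.0" 0.012 "-"',
    '"192.0.2.10" [14/Mar/2019:02:12:00 +0000] '
    '"GET /index HTTP/1.1" 200 5 310 349 "-" "Mozilla/5.0" 0.012 "-"',
]

def audit_callback_sources(lines, path, candidate_nets):
    """Count (ip, user agent) pairs POSTing to `path`; list hits outside the nets."""
    nets = [ipaddress.ip_network(n) for n in candidate_nets]
    seen, outside = Counter(), []
    for line in lines:
        m = LINE_RE.search(line)  # search, so a zgrep "file:" prefix is tolerated
        if not m or m["method"] != "POST" or m["path"] != path:
            continue
        seen[(m["ip"], m["ua"])] += 1
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:  # blank or malformed client field
            outside.append((m["ip"], m["ua"]))
            continue
        if not any(ip in net for net in nets):
            outside.append((m["ip"], m["ua"]))
    return seen, outside

if __name__ == "__main__":
    seen, outside = audit_callback_sources(SAMPLE, "/sermepa/post", ["192.0.2.0/24"])
    for (ip, ua), n in seen.most_common():
        print(f"{n:4d}  {ip:15s}  {ua}")
    print("outside candidate range:", outside or "none")
```

Any entry in the second list is a callback hit that an IP access rule for the candidate range would not cover, so it is worth explaining before the rule goes in.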

Let's investigate those IPs further with whois.

# whois ''
% This is the RIPE Database query service.
% The objects are in RPSL format.
% The RIPE Database is subject to Terms and Conditions.
% See

% Information related to ' -'

inetnum: -
descr:          Internet Public Addresses
descr:          __
country:        es

Redsys owns the whole class C and that doesn't look to be changing anytime soon. I'm sold on option 3. Let's whitelist them in Cloudflare. Connect to the Cloudflare panel, go to Firewall -> Tools and add an IP access rule: Whitelist Sermepa.

We're done and receiving payments again!

© 2019 Joan Pérez i Cauhé. All rights reserved.