TYPO3 cache clearing blocked by CloudFront

One of our customers at work uses AWS CloudFront in front of a TYPO3 v11 installation. Clearing the frontend and backend cache in the TYPO3 backend fails:

403 ERROR

The request could not be satisfied.

Request blocked. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.

If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.

Generated by cloudfront (CloudFront)

Request ID: 2342xxx

The problem occurred only in Firefox, not in Chromium.

Analyzing the problem

Clearing the caches from within the backend sends HTTP POST requests to

https://example.org/typo3/record/commit?token=xxx&cacheCmd=pages

and

https://example.org/typo3/record/commit?token=xxx&cacheCmd=all

I copied the request as curl command and through trial-and-error narrowed it down to the following minimal example:

$ curl -i 'https://example.org/typo3/record/commit?token=xxx&cacheCmd=pages'\
 -X POST\
 -H 'Content-Type: multipart/form-data; boundary=2'\
 --data-binary $'2--'
HTTP/2 403

... but it worked as soon as there was a letter in the form boundary:

$ curl -i 'https://example.org/typo3/record/commit?token=xxx&cacheCmd=pages'\
 -X POST\
 -H 'Content-Type: multipart/form-data; boundary=2a'\
 --data-binary $'2a--'
HTTP/2 302 

CloudFront

The customer's administrators told me that a web application firewall (WAF) was activated, and that the rule AWS#AWSManagedRulesSQLiRuleSet#SQLi_BODY is the one blocking the request.

AWS support told me that since the requests with a numbers-only form boundary appear as --2342 on the wire, it looks like an SQL injection where the rest of the SQL was commented out with two dashes. This is something they want to block, and thus the WAF rule would stay as it is.

They will not fix their rule and advise us to build a custom rule with higher priority that lets such requests through.

Chromium vs. Firefox

Cache clear requests from Chromium always worked because it uses multipart form boundaries with the "WebKitFormBoundary" prefix, e.g. ------WebKitFormBoundarynSAzt2srqKsb9dvj--. Firefox has no such prefix and will sometimes generate boundaries consisting of numbers only, especially when there is no POST data, as is the case with these cache clear requests.
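To make the WAF's complaint and the shape of the allow rule concrete, here is an added Python example (mine, not code from the post, from TYPO3 or from AWS). It extracts the boundary from a multipart/form-data Content-Type header, renders the empty body a browser sends for a form with no fields (just the closing delimiter per RFC 2046), and flags the exact request shape described above: a POST to the TYPO3 cache-clear path whose boundary is digits only, so that a site-specific allow rule can be scoped as narrowly as possible. It also treats boundaries that are dashes followed by digits the same way, since their on-the-wire delimiter looks just as much like a number followed by an SQL comment; that extension and the function names are my assumptions, and the request values are constructed from the curl examples in the post.

```python
import re
from typing import Dict, Optional

# Boundary parameter of a Content-Type header, with or without quotes (RFC 2046 syntax).
BOUNDARY_RE = re.compile(r'boundary="?([^";]+)"?', re.IGNORECASE)

# Path of the TYPO3 v11 cache-clear endpoint quoted in the post.
CACHE_CLEAR_PATH = "/typo3/record/commit"


def extract_boundary(content_type: str) -> Optional[str]:
    """Return the boundary of a multipart/form-data Content-Type header, or None."""
    if not content_type.lower().startswith("multipart/form-data"):
        return None
    match = BOUNDARY_RE.search(content_type)
    return match.group(1) if match else None


def empty_multipart_body(boundary: str) -> bytes:
    """Body a browser sends for a form with no fields: only the closing delimiter.

    For boundary=2342 this is b"--2342--\\r\\n", the string the WAF objected to.
    """
    return f"--{boundary}--\r\n".encode("ascii")


def is_digits_only_boundary(boundary: str) -> bool:
    """True when the boundary is nothing but digits (optionally padded with dashes).

    Assumption: dash-padded numeric boundaries are treated like purely numeric ones,
    because their delimiter line is still dashes plus a number, the pattern that
    reads like 'number followed by an SQL -- comment'.
    """
    core = boundary.strip("-")
    return core.isdigit()


def looks_like_sql_comment_line(body: bytes) -> bool:
    """Mirror of the WAF's reading of the body: first line is dashes and digits only."""
    first_line = body.split(b"\r\n", 1)[0]
    return re.fullmatch(rb"-+\d+-*", first_line) is not None


def is_cache_clear_false_positive(method: str, path: str,
                                  headers: Dict[str, str], body: bytes) -> bool:
    """Identify the request shape from the post: POST to the cache-clear endpoint
    with a digits-only multipart boundary and no form fields.

    A higher-priority allow rule in front of the managed SQLi rule should match
    no more than this; anything broader reopens what the managed rule protects.
    """
    if method.upper() != "POST":
        return False
    if path.split("?", 1)[0] != CACHE_CLEAR_PATH:
        return False
    content_type = next((v for k, v in headers.items()
                         if k.lower() == "content-type"), "")
    boundary = extract_boundary(content_type)
    if boundary is None or not is_digits_only_boundary(boundary):
        return False
    # Only the field-less body (closing delimiter alone) is part of the false positive.
    return body.strip() == empty_multipart_body(boundary).strip()


if __name__ == "__main__":
    # Constructed from the two curl requests in the post.
    for boundary in ("2", "2a"):
        hdrs = {"Content-Type": f"multipart/form-data; boundary={boundary}"}
        body = empty_multipart_body(boundary)
        hit = is_cache_clear_false_positive(
            "POST", "/typo3/record/commit?token=xxx&cacheCmd=pages", hdrs, body)
        print(f"boundary={boundary!r:5} body={body!r:12} "
              f"sql-comment-looking={looks_like_sql_comment_line(body)} "
              f"allow-rule-match={hit}")
```

The `is_cache_clear_false_positive` check is the logic the allow rule has to encode: method, exact path, numeric boundary and an empty multipart body. Matching on the path alone would also let through a real injection attempt against that endpoint, so the boundary and body conditions are what keep the exception narrow.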

Written by Christian Weiske.

Comments? Please send an e-mail.