Summary:
Beginning approximately September 11, 2025, some Cloudflare sites return the message "Sorry, you have been blocked!"
Details:
Cloudflare has introduced a feature that allows a website operator to secure the ciphers being used when clients connect. Modern browsers like Chrome and Edge already follow strict rules about which ciphers they accept, but Netsweeper’s proxy (nsproxy) allows a much wider range of ciphers. When Cloudflare detects this mismatch, it can block the connection.
Since the default nsproxy configuration on EL8 with OpenSSL doesn’t align with these stricter requirements, some connections were failing. We now have a resolution for this issue.
Resolution:
To fix this issue, nsproxy needs to be patched and a change made to the nsproxy.conf file.
- Log in to each of the proxy servers as root and depending on the Netsweeper version, run the following:
Netsweeper 8.2 EL8
dnf upgrade https://repo.netsweeper.com/tickets/Ticket-NS1926-nsproxysslsignature/ns_proxy-8.2.10.110-1.el8.x86_64.rpm
Netsweeper 8.1 EL8
dnf upgrade https://repo.netsweeper.com/tickets/Ticket-NS1926-nsproxysslsignature/ns_proxy-8.1.11.132-1.el8.x86_64.rpm
Netsweeper 7.2 EL8
dnf upgrade https://repo.netsweeper.com/tickets/Ticket-NS1926-nsproxysslsignature/ns_proxy-7.2.16.104-1.el8.x86_64.rpm
- After upgrading nsproxy, add the following configuration to /usr/local/netsweeper/etc/nsproxy.conf on each of the proxy servers.
ssl_signature_algorithms ecdsa_secp256r1_sha256:rsa_pss_rsae_sha256:rsa_pkcs1_sha256:ecdsa_secp384r1_sha384:rsa_pss_rsae_sha384:rsa_pkcs1_sha384:rsa_pss_rsae_sha512:rsa_pkcs1_sha512
- After updating the nsproxy.conf file, restart nsproxy on each of the proxy servers.
systemctl restart nsproxyctl
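When several proxy servers have to be changed, the configuration step above can be applied and verified idempotently. The script below is an added example, not Netsweeper tooling: the function names `check_sigalgs` and `set_sigalgs` and the `--apply` switch are hypothetical, and it assumes nsproxy.conf holds one whitespace-separated "directive value" pair per line, as the line in this article suggests.

```shell
#!/bin/sh
# Added example (not Netsweeper tooling). Assumes nsproxy.conf uses one
# "directive value" pair per line, as the directive in this article suggests.
KEY='ssl_signature_algorithms'
SIGALGS='ecdsa_secp256r1_sha256:rsa_pss_rsae_sha256:rsa_pkcs1_sha256:ecdsa_secp384r1_sha384:rsa_pss_rsae_sha384:rsa_pkcs1_sha384:rsa_pss_rsae_sha512:rsa_pkcs1_sha512'

# check_sigalgs FILE
# Succeeds only if the directive appears exactly once and carries exactly
# the list from this article (a stale or duplicated line fails the check).
check_sigalgs() {
    count=$(grep -c "^[[:space:]]*$KEY[[:space:]]" "$1" || true)
    [ "$count" -eq 1 ] || return 1
    value=$(awk -v k="$KEY" '$1 == k { print $2 }' "$1")
    [ "$value" = "$SIGALGS" ]
}

# set_sigalgs FILE
# Makes FILE pass check_sigalgs. Prints "unchanged" if nothing had to be
# done, otherwise keeps a FILE.bak copy and prints "updated".
set_sigalgs() {
    conf=$1
    if check_sigalgs "$conf"; then
        echo unchanged
        return 0
    fi
    cp -p "$conf" "$conf.bak" || return 1
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    # Drop any existing directive lines, keep everything else, then append.
    awk -v k="$KEY" '$1 != k' "$conf.bak" > "$tmp"
    printf '%s %s\n' "$KEY" "$SIGALGS" >> "$tmp"
    # Write through the original file so its owner and mode are preserved.
    cat "$tmp" > "$conf" && rm -f "$tmp" || return 1
    echo updated
}

# Hypothetical entry point: sh script.sh --apply [path-to-nsproxy.conf]
if [ "${1:-}" = "--apply" ]; then
    set_sigalgs "${2:-/usr/local/netsweeper/etc/nsproxy.conf}"
fi
```

A result of "updated" means the restart step above is still required on that server; "unchanged" means the directive was already in place.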
Please contact Netsweeper Support if you need assistance making these updates.