Cloudflare Configuration for Mollie Webhooks - mollie/magento2 GitHub Wiki

The Problem

Cloudflare's security features (WAF Managed Rules, Bot Fight Mode, Super Bot Fight Mode, and custom firewall rules) can block incoming webhook requests from Mollie. When this happens, Mollie cannot notify your Magento 2 store about payment status changes, which means orders get stuck in a "pending" state and subscription renewals fail silently.

This guide walks you through configuring Cloudflare so that Mollie's webhook requests reach your store without interference.

Mollie Webhook Endpoints

The Mollie Magento 2 plugin exposes three webhook URLs. All three must be reachable by Mollie's servers:

Endpoint                            Purpose
/mollie/checkout/webhook            Receives payment status updates for orders
/mollie/express/webhook             Receives updates for express checkout payments
/mollie_subscriptions/api/webhook   Receives subscription and recurring payment updates

Step 1: Identify Mollie's IP Addresses

Mollie publishes a list of outgoing IP addresses used for webhook calls. Retrieve the current list by running:

curl -i https://ip-ranges.mollie.com/ips.txt

The -i flag includes response headers, which contain a Last-Modified timestamp. Use this to verify you have the latest version.

Note: Mollie may update these IPs at any time. Revisit this step periodically, or automate the retrieval.

Step 2: Create a WAF Custom Rule (Skip Rule)

This is the most important step. You need a custom rule that tells Cloudflare to skip its security checks for requests hitting the Mollie webhook paths.

  1. Log in to the Cloudflare Dashboard.
  2. Select the domain your Magento store runs on.
  3. Go to Security → WAF → Custom rules.
  4. Click Create rule.
  5. Set the rule name to something identifiable, e.g. Allow Mollie Webhooks.
  6. Under When incoming requests match…, build the following expression (use the Expression Editor for easier input):
(http.request.uri.path eq "/mollie/checkout/webhook") or
(http.request.uri.path eq "/mollie/express/webhook") or
(http.request.uri.path contains "mollie_subscriptions/api/webhook")

Why contains for the subscriptions path? Magento may prepend a store code to the URL (e.g. /nl/mollie_subscriptions/api/webhook). Using contains covers those cases. If your store also uses store codes in other webhook paths, replace eq with contains for those as well.

  7. Optionally, further restrict the rule to Mollie's IP addresses by combining the path condition with an IP source condition:
(
  (http.request.uri.path eq "/mollie/checkout/webhook") or
  (http.request.uri.path eq "/mollie/express/webhook") or
  (http.request.uri.path contains "mollie_subscriptions/api/webhook")
)
and
(
  ip.src in {<MOLLIE_IP_1> <MOLLIE_IP_2> ...}
)

Replace <MOLLIE_IP_1> <MOLLIE_IP_2> ... with the IPs retrieved in Step 1, separated by spaces.
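The retrieval automation suggested in Step 1 and the IP-restricted expression above can be wired together in a small POSIX shell script. This is an added example, not part of the Mollie plugin or the Cloudflare product; it assumes ips.txt lists one IP address or CIDR range per line (blank lines and "#" comments are ignored), which you should confirm against the file you download.

```shell
#!/bin/sh
# Added example: build the IP-restricted Cloudflare skip-rule expression
# (Step 2, item 7) from a local copy of Mollie's ips.txt (Step 1).
# Assumption: ips.txt holds one IP or CIDR per line; '#' starts a comment.

MOLLIE_IPS_URL="https://ip-ranges.mollie.com/ips.txt"

# The path condition exactly as used in Step 2.
webhook_path_expression() {
    printf '%s' '(http.request.uri.path eq "/mollie/checkout/webhook") or (http.request.uri.path eq "/mollie/express/webhook") or (http.request.uri.path contains "mollie_subscriptions/api/webhook")'
}

# Turn an ips.txt file into the space-separated set Cloudflare expects inside
# ip.src in {...}. Only address-like tokens are kept, so a stray line of text
# in the file can never end up inside the deployed rule.
mollie_ip_set() {
    tr -d '\r' < "$1" \
      | sed 's/[[:space:]]*#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' \
      | grep -E '^[0-9A-Fa-f.:]+(/[0-9]+)?$' \
      | LC_ALL=C sort -u \
      | tr '\n' ' ' \
      | sed 's/ $//'
}

# Full expression: path condition AND source-IP condition.
# Fails (exit 1) on an empty list so an unrestricted rule is never printed.
mollie_skip_rule_expression() {
    ips=$(mollie_ip_set "$1")
    [ -n "$ips" ] || { echo "no IP addresses found in $1" >&2; return 1; }
    printf '(%s) and (ip.src in {%s})\n' "$(webhook_path_expression)" "$ips"
}

# Re-fetch the list and compare it with the cached copy in $1.
# Exit status: 0 = unchanged, 1 = changed (update the WAF rule), 2 = fetch failed.
# Suitable for a cron job, since Mollie may change the list at any time.
refresh_mollie_ips() {
    curl -sSf -o "$1.new" "$MOLLIE_IPS_URL" || return 2
    if [ -f "$1" ] && cmp -s "$1" "$1.new"; then
        rm -f "$1.new"
        return 0
    fi
    mv "$1.new" "$1"
    return 1
}
```

Run `refresh_mollie_ips mollie-ips.txt; [ $? -eq 1 ] && mollie_skip_rule_expression mollie-ips.txt` to print a fresh expression only when the list changed; paste the output into the rule's Expression Editor.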

  8. Under Then take action, select Skip.

  9. Enable the following skip targets:

    • WAF Managed Rules: skip all managed rulesets
    • Rate limiting rules: prevent rate limits from throttling high-volume webhook bursts
    • All remaining custom rules: prevent other custom rules from interfering
  10. Click Deploy.

Plan limitations: The available skip targets depend on your Cloudflare plan. Free plans can skip WAF Managed Rules. Business and Enterprise plans unlock additional skip options.

Step 3: Disable Bot Fight Mode for Webhook Paths

Cloudflare's Bot Fight Mode and Super Bot Fight Mode operate independently from WAF rules. A WAF skip rule does not bypass Bot Fight Mode. If either is enabled, Mollie's webhook requests may still receive a challenge or get blocked.

Option A: Disable Bot Fight Mode globally (simplest)

  1. Go to Security → Bots.
  2. Toggle Bot Fight Mode off.

This is the simplest approach but removes bot protection for your entire domain.

Option B: Use a Bot Management skip rule (Business or Enterprise plan)

If you're on a Business or Enterprise plan with Bot Management enabled:

  1. Go to Security → WAF → Custom rules.
  2. Create a new rule with the same path expression from Step 2.
  3. Under Then take action, select Skip and enable Bot Fight Mode (or Super Bot Fight Mode).
  4. Deploy the rule.

Option C: Use a Cloudflare Worker (advanced)

If you're on a Free or Pro plan and cannot disable Bot Fight Mode globally, deploy a Cloudflare Worker that intercepts requests to the webhook paths and forwards them directly to your origin, bypassing the bot detection layer. This is a more involved setup and is outside the scope of this guide.

Step 4: Check for IP Access Rules

Verify that no existing IP Access Rules or firewall rules are blocking Mollie's IP addresses.

  1. Go to Security → WAF → Tools.
  2. Review the IP Access Rules list.
  3. Make sure none of Mollie's IPs (from Step 1) are listed with a Block or Challenge action.
  4. If you run a restrictive setup that blocks all IPs by default, add Mollie's IPs with an Allow action.

Step 5: Check for Page Rules or Configuration Rules

Cloudflare Page Rules and Configuration Rules can override security settings on specific URL patterns. Make sure no existing rule raises the security level for paths matching /mollie/* or /mollie_subscriptions/*.

  1. Go to Rules → Page Rules and review entries.
  2. Go to Rules → Configuration Rules and review entries.
  3. Remove or adjust any rule that sets Security Level to "I'm Under Attack" or "High" for the webhook paths.

Verifying the Configuration

After completing the steps above, verify that webhooks are working:

  1. In the Magento Admin, go to Stores → Configuration → Sales.
  2. Run a test payment in your storefront.
  3. Check that the order status updates correctly from "Pending Payment" to "Processing" (or the expected status for the payment method used).
  4. If orders still get stuck, check the Cloudflare Security → Events log for blocked or challenged requests matching the webhook paths. This log shows which rule or feature triggered the block.

Troubleshooting

Orders still stuck on "Pending Payment" after configuration: Check Security → Events in Cloudflare. Filter on the webhook URI paths. If you see blocked events, note which Cloudflare feature triggered them and add an appropriate skip rule.

Webhooks work intermittently: This usually indicates a rate-limiting rule is interfering. Make sure you included rate limiting in the skip targets of your WAF custom rule (Step 2, item 9).

403 Forbidden in Mollie dashboard logs: A 403 almost always points to Bot Fight Mode or a WAF Managed Rule. Confirm that both are bypassed for the webhook paths.

Mollie IP addresses changed: Re-run the curl command from Step 1 and update the IP list in your WAF custom rule expression if you chose the IP-restricted variant.


Still having issues or questions? Submit a support request via https://www.magmodules.eu/support and we’ll help you out.