Disable bot protection for pages
# pages-help
p
Can I disable bot protection for pages? My specific case is that Amethyst (Android App) is not able to access https://nostr.pasukaru.me/.well-known/nostr.json via TOR (using orbot). Without TOR it works. Accessing the page with a browser (also via TOR), I got the CF challenge. How can I disable that? On the domain level Bot Fight Mode is disabled. I also tried a Page Rule to Disable Security, no luck. Is there anything else? Thanks in advance.
Account Id: d46bcbfb96be0041b72c7b1fc72a076f
Pages.dev: https://6509bcfe.nip-5.pages.dev/
Deployment Id: 6509bcfe-10f3-48a6-b6b4-1e92859922d0
z
Have you tried adding a rule that sets the security level to Essentially Off?
(I believe free accounts can use essentially off, otherwise set it to the lowest you can)
p
Just tried that, same issue. :/
c
Do you know for sure the issue is the app being challenged/getting a 403 response code, or is it just that it doesn't load? You should be able to see under Security -> Events (magic link: ), the exact cause of the block. You can create Custom Rules (Security -> WAF) to skip most components, including security level challenges, an expression like
starts_with(http.request.uri.path, "/.well-known") and http.host eq "nostr.pasukaru.me"
with the Skip action skipping the specific component (that you found out via the security event) should do
p
I get this when using TOR:
c
Looks like a challenge, what do you see under Security -> Events?
p
It does appear there too:
c
A Security level challenge, if you've already got it on the lowest level possible it looks like that IP has really bad reputation. Should be able to just use the Custom Rule above ex.
If you want to skip security level on not just .well-known but everything on that host, you can just use Hostname equals nostr.pasukaru.me
I'm not sure why Page Rule Disable Security wouldn't work for that, or what exactly it skips at all, and a quick search doesn't yield any results. Page Rules will (eventually) be going away though, so using a Custom Rule is the recommended way
p
Tried adding a custom rule to skip basically everything, still getting challenges
c
I would wait a minute or two after creating it
p
Will do
c
fwiw I'm able to access that url on TOR without any issues
although that might just be luck/the exit node I'm using has a better ip reputation
p
Sometimes it works. Most of the time it doesn't. I guess it depends on which exit node you get. I can switch my tor identity and most of the time I do get challenges.
c
Since you have logging enabled for that rule, the Events tab should show every request with the Skip action, an easy way to tell if it's working or not (might need to select the last 30 mins rather than 24 hours, usually you see requests faster in it)
p
Yep, it does say skip now in the firewall events. But I still get a challenge ._.
c
hmm, as far as I know Pages itself shouldn't be doing any challenge stuff itself and it should be entirely dependent on your zone settings, hopefully it's just that it needs a second longer
p
Alright, couple more refreshes, now it seems to work. Will keep changing my identity a few more times to see if it is consistent now
Still getting challenges from time to time. Current IP from tor is also not showing up in the firewall events at all.
c
Firewall Events aren't instant, they can take a hot minute to appear. It might help if you disable logging on the new rule, so you only see things still getting blocked. The only thing the "Skip" rule with everything enabled can't skip is DDoS Mitigations & Bot Fight Mode (free)
p
Bot fight mode is turned off. I don't have anything configured in Security > DDoS. Not sure what the default is. I'll try with an override with 'Essentially Off' sensitivity.
c
I would generally recommend a more targeted approach, only disabling exactly what you need on paths you need. DDoS Mitigation challenges/blocks are shown in your Events tab as well
p
Makes sense. For testing purposes that's fine for now. I'll turn everything back to normal later. Running out of things to turn off. I just also found the Configuration Rules (in addition to the page rules), where I also override the security level to Essentially Off for that domain.
c
Do you see the challenges in Security Events at all?
p
Only for other subdomains, not for nostr.pasukaru.me
c
Interesting. I tried resetting my identity a bunch with Tor and checking my threat_score, but it was always 0 or 1 out of 100 and never got challenged on your website. Wonder if it's something else, to do with the app itself or something
p
Yea, no idea. I don't think I'm getting exit nodes that are flagged as bot nets constantly. The app itself is only that single file, so not sure where else to look
Strange, I now have a tor identity where my other subdomains are not challenged, but nostr.pasukaru.me is. The only difference between the two is that I didn't add any of the configurations that lower the security level, etc. And those other subdomains are not hosted via cloudflare pages, it's just DNS (proxied) and hosted on my hardware.
c
On that TOR identity that gets challenged, what's your IP Threat Score? https://threat_score.chaika.dev/
p
threat score is 1
I turned on the logs for the rule again, that IP still doesn't show up in the firewall events
I'll revert most of the changes for now. I think it's something related to orbot on android. I'm not having any of these issues in tor browser on windows. It's very strange. Anyways, thanks for your help so far!
c
shouldn't be enough to be blocked unless the Security Level is high, that's what I was getting as well
It does seem that way. It's strange though that you would get challenged on a pages subdomain but not on a non-pages subdomain without any overrides
p
Indeed. I can't make any sense out of this.
c
It's most likely that Pages itself has some security settings on it by default, except with a threat score of 1 you shouldn't be being challenged by its defaults. Would be easy enough to test though if you also get challenged trying to access https://nip-5.pages.dev/.well-known/nostr.json
perhaps you're failing some other check like Browser Integrity Check
e
Browser Integrity Check wouldn't give a challenge and would just throw
> Error 1010: The owner of this website has banned your access based on your browser’s signature