Lately my servers got attacked. Those attacks also reached my origin servers, because Cloudflare was not able to see the difference between real users and those bot users (botnet, different user-agents, different IPs).
To fix the problem, I was required to enable the Managed Challenge on all pages (“Under Attack” mode did pretty much nothing). With that WAF rule the attack stopped, but my real users received empty pages without CSS, JS, etc.
The rule is just (http.request.full_uri contains "[MY URL]") then “Managed Challenge”.
The issue seems to be that Cloudflare asks every time for a “Challenge” for some CSS, media, JS, etc., even though the user finished the Challenge on the requested DOC.
When I now double-click on, for example, “video-bg3.png”, it opens it up again and asks for a challenge – after doing the challenge I can see the resource. When I then close it and double-click on it again, it AGAIN asks for the challenge.
It’s obvious that no page will load correctly when Cloudflare asks for a challenge on every resource, every time.
When disabling the WAF rule, everything works correctly – it’s not my origin servers causing the issues.