lately my servers got attacked. Those attacks also reached my origin servers, because Cloudflare was not able to see the difference between real users and those Bot users (Botnet, different user-agents, different IPs).
To fix the problem, I was required to enable those Managed Challenge on all pages (“Under Attack” mode did pretty much nothing). With that WAF rule the attack stopped, but my real users received empty pages without CSS, JS, etc.
The rule is just (http.request.full_uri contains '[MY URL]") than “Managed Challenge”
The issue seems that Cloudflare asks every time for a “Challenge” for some CSS, Media, JS, etc. even though the user finished the Challenge on the requested DOC.
When I now double-click on for example “video-bg3.png”, it opens it up again, asks for challenge – after doing the challenge I can see the resource. When I then close it, and again double-click on it, it AGAIN asks for the challenge.
It’s obvious that no page will load correctly, when Cloudflare asks for a challenge on every resource, every time.
When disabling the WAF Rule, everything works correctly – It’s not my origin servers making the issues.
Opera GX might not be sending the challenge cookies to the paths you posted; if that’s the case, visitors will face another managed challenge and thus causing website malfunction.
If that’s the case, a “quick” fix (if that’s the case) is following the first guide I sent and challenging only the malicious requests.
Yes, you’re fully right. I compared the Network data things on Opera GX to Chrome. And on chrome in the cookies-header there is this “cf_clearance=****” while on Opera GX it’s fully missing.
