403 /_next/image errors when "I'm under attack" mode enabled

Hi - I’ve recently switched to Cloudflare and have been impressed by the reduction in bad traffic reaching my site.

My setup is nginx proxy to Express running Nextjs (dynamic SSR).

I’m having an issue with 403 image requests when I enable “I’m under attack” mode, which ideally I’d like to leave on most of the time to prevent the bots hammering my site looking for nonexistent admin paths / config files etc. I have a soft 404 page, therefore the full site needs to load in order to serve a 404 to the user, which causes severe server load when these ‘attacks’ are occurring.

To be clear, this does NOT occur when I’m in any lower level of security in Cloudflare.

When I’m in “I’m under attack” mode I get this server error:

⨯ upstream image response failed for https://elkliandhart.com/media/photos/P1000382-2880x2523.jpg 403
ImageError: "url" parameter is valid but upstream response is invalid
    at fetchExternalImage (server-path/node_modules/next/dist/server/image-optimizer.js:568:15)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async NextNodeServer.imageOptimizer (server-path/node_modules/next/dist/server/next-server.js:650:48)
    at async cacheEntry.imageResponseCache.get.incrementalCache (server-path/node_modules/next/dist/server/next-server.js:182:65)
    at async server-path/node_modules/next/dist/server/response-cache/index.js:90:36
    at async server-path/node_modules/next/dist/lib/batcher.js:45:32 {
  statusCode: 403
⨯ upstream image response failed for https://elkliandhart.com/media/photos/P1000382-2880x2523.jpg 403


IPADDRESS - - [19/Apr/2024:13:59:34 +0200] "GET /_next/image?url=https%3A%2F%2Felkliandhart.com%2Fmedia%2Fphotos%2FP1000382-2880x2523.jpg&w=3840&q=95 HTTP/2.0" 403 57 "https://elkliandhart.com/products/inky-night-traffic-trails-beneath-skyscrapers" "UA removed"

When trying to open this URI in the browser: https://elkliandhart.com/_next/image?url=https%3A%2F%2Felkliandhart.com%2Fmedia%2Fphotos%2FP1000382-2880x2523.jpg&w=3840&q=95 the response is ‘"url" parameter is valid but upstream response is invalid’, i.e. the same issue.
The moment I disable “I’m under attack” then I can access this exact URI immediately.

How do I allow these requests to avoid the Managed Challenge, when in the highest security level?

I’ve tried adding some allowlist rules to the WAF as ‘Skip’, neither of which works (though events for these rules do show in the events log), and still the 403 error persists:

(http.request.uri.path contains "/_next/image") or (http.request.uri.path contains "/media")

Any advice or ideas to try on this? How can I allow requests to /_next/image that are made from my server to bypass these checks?

And just to reiterate, if I lower the Security Level <= “High” then this 403 issue doesn’t occur.

Thank you in advance for any advice or ideas you may have on this!

I’ve disabled “I’m under attack”, so the broken links in this post are no longer broken.

I REALLY want to fix this issue, so I can actually use the highest level of security most of the time.

And to clarify, the issue isn’t restricted to a single image, it affects all images that use Next’s built-in image optimiser.

Under Attack Mode is not intended to be left on all the time and it is certainly possible that it can break site functionality as it adds an interstitial page that can only be passed by a human.

From the Under Attack Mode documentation:

It is designed to be used as one of the last resorts when a zone is under attack

As @epic.network says, don’t use UAM all the time.

From your description (I’m not a developer so apologies if wrong/stupid!)…

It looks like it is when your server requests the image from itself to optimise when you have the issue.

Does your server have a hosts entry so elkliandhart.com resolves to itself? If not and the request is going via Cloudflare then, apart from being slower, it also means that when UAM is enabled, your server requests to itself will be challenged too (which it can’t pass).


@sjr thank you — that’s the fix!

Adding my domain name to /etc/hosts to point to my internal server IP fixed this issue. Now those images load when in UAM mode. Super.

# /etc/hosts
INTERNAL.IP.ADD.HERE                     elkliandhart.com

Thank you for your quick reply and working solution :+1:
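Added example (not code from the thread, Cloudflare or Next.js) that checks, from the origin’s side, whether the hosts-file pin described above is actually in place: it parses a hosts file, resolves the site name through it, and compares the result with the origin’s own addresses. The hosts files and the internal address 10.0.0.5 are constructed stand-ins for the real values.

```shell
#!/bin/sh
# Added example, not code from the thread: checks whether a hosts file pins the
# site's hostname to one of the origin's own addresses, which is what keeps the
# Next.js image optimizer's fetch of https://<host>/... on the box instead of
# sending it out through Cloudflare, where UAM challenges it.
# Assumptions: elkliandhart.com is the host from the thread; 10.0.0.5 and the
# hosts files below are constructed. On a real server compare against
# `getent hosts <host>` and `hostname -I` rather than these sample values.

# hosts_lookup FILE HOST -> prints the first address mapped to HOST; exit 1 if none.
hosts_lookup() {
  addr=$(awk -v h="$2" '
    { sub(/#.*/, "") }                       # strip whole-line and trailing comments
    NF >= 2 { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(h)) { print $1; exit } }
  ' "$1")
  [ -n "$addr" ] && printf '%s\n' "$addr"
}

# origin_pins_host FILE HOST "ADDR ADDR ..." -> 0 if HOST maps to one of the origin's
# own addresses, 1 if it maps somewhere else, 2 if there is no entry at all (the
# resolver then falls through to public DNS, i.e. Cloudflare's edge).
origin_pins_host() {
  addr=$(hosts_lookup "$1" "$2") || return 2
  for a in $3; do
    [ "$a" = "$addr" ] && return 0
  done
  return 1
}

# explain FILE HOST "ADDRS" -> one-line diagnosis for the operator.
explain() {
  rc=0; origin_pins_host "$1" "$2" "$3" || rc=$?
  case $rc in
    0) echo "$2: pinned to the origin; self-requests stay off Cloudflare" ;;
    1) echo "$2: hosts entry points off-box ($(hosts_lookup "$1" "$2")); check it" ;;
    2) echo "$2: no hosts entry; self-requests go via Cloudflare and get challenged under UAM" ;;
  esac
}

# Constructed stand-ins for /etc/hosts before and after the fix from the thread.
tmp=$(mktemp -d)
printf '127.0.0.1 localhost\n' > "$tmp/hosts.before"
printf '127.0.0.1 localhost\n# pin the site to this box so the image optimizer bypasses Cloudflare\n10.0.0.5 elkliandhart.com www.elkliandhart.com\n' > "$tmp/hosts.after"
origin_addrs="127.0.0.1 10.0.0.5"   # what `hostname -I` would list on the origin

explain "$tmp/hosts.before" elkliandhart.com "$origin_addrs"
explain "$tmp/hosts.after"  elkliandhart.com "$origin_addrs"
rm -r "$tmp"
```

Because the optimizer fetches the upstream over HTTPS, the pinned request lands on nginx directly, so nginx must present a certificate for that name which the Node process trusts, otherwise the fetch fails for a different reason.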

