Accessing endpoint from Digital Ocean gives a Cloudflare HTML response

An application running on a DO droplet is having trouble accessing the api of boldapps.
When accessing the endpoint, I do not succeed in reaching the API server. Instead, I get a Cloudflare html response.
This has been happening for more than a month.

It works every time on my dev server or from an EC2 instance I tested it on.

A minimally reproducible example is to run

curl --get “https://ro.boldapps.net/api/auth/third_party_token?shop=3tt-coffee.myshopify.com&handle=GrowthPath

This should result in an error from the end point, as I have not provided the header with the API key.
For example, the response from my development machine is:

[email protected]:~$ curl --get “https://ro.boldapps.net/api/auth/third_party_token?shop=3tt-coffee.myshopify.com&handle=GrowthPath
{“message”:“Unauthorized”}[email protected]:~$

This is the expected response.

I have an EC2 instance running in Jakarta:

same thing: the expected response.

curl --get “https://ro.boldapps.net/api/auth/third_party_token?shop=3tt-coffee.myshopify.com&handle=GrowthPath
{“message”:“Unauthorized”}[email protected]:~$

But on the DO droplet, the response is an HTML file.
Bold support says it is not their problem, and I think they are correct.

I do not know what could cause this error, as I do not know anything about Cloudflare.

[email protected]:~# curl --get “https://ro.boldapps.net/api/auth/third_party_token?shop=3tt-coffee.myshopify.com&handle=GrowthPath

Just a moment... html, body {width: 100%; height: 100%; margin: 0; padding: 0;} body {background-color: #ffffff; color: #000000; font-family:-apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu, "Helvetica Neue",Arial, sans-serif; font-size: 16px; line-height: 1.7em;-webkit-font-smoothing: antialiased;} h1 { text-align: center; font-weight:700; margin: 16px 0; font-size: 32px; color:#000000; line-height: 1.25;} p {font-size: 20px; font-weight: 400; margin: 8px 0;} p, .attribution, {text-align: center;} #spinner {margin: 0 auto 30px auto; display: block;} .attribution {margin-top: 32px;} @keyframes fader { 0% {opacity: 0.2;} 50% {opacity: 1.0;} 100% {opacity: 0.2;} } @-webkit-keyframes fader { 0% {opacity: 0.2;} 50% {opacity: 1.0;} 100% {opacity: 0.2;} } #cf-bubbles > .bubbles { animation: fader 1.6s infinite;} #cf-bubbles > .bubbles:nth-child(2) { animation-delay: .2s;} #cf-bubbles > .bubbles:nth-child(3) { animation-delay: .4s;} .bubbles { background-color: #f58220; width:20px; height: 20px; margin:2px; border-radius:100%; display:inline-block; } a { color: #2c7cb0; text-decoration: none; -moz-transition: color 0.15s ease; -o-transition: color 0.15s ease; -webkit-transition: color 0.15s ease; transition: color 0.15s ease; } a:hover{color: #f4a15d} .attribution{font-size: 16px; line-height: 1.5;} .ray_id{display: block; margin-top: 8px;} #cf-wrapper #challenge-form { padding-top:25px; padding-bottom:25px; } #cf-hcaptcha-container { text-align:center;} #cf-hcaptcha-container iframe { display: inline-block;}
  <meta http-equiv="refresh" content="35">
//

Please turn JavaScript on and reload the page.

<div id="cf-bubbles">
  <div class="bubbles"></div>
  <div class="bubbles"></div>
  <div class="bubbles"></div>
</div>
<h1><span data-translate="checking_browser">Checking your browser before accessing</span> ro.boldapps.net.</h1>

<div id="no-cookie-warning" class="cookie-warning" data-translate="turn_on_cookies" style="display:none">
  <p data-translate="turn_on_cookies" style="color:#bd2426;">Please enable Cookies and reload the page.</p>
</div>
<p data-translate="process_is_automatic">This process is automatic. Your browser will redirect to your requested content shortly.</p>
<p data-translate="allow_5_secs" id="cf-spinner-allow-5-secs" >Please allow up to 5 seconds&hellip;</p>
<p data-translate="redirecting" id="cf-spinner-redirecting" style="display:none">Redirecting&hellip;</p>
<script type="text/javascript">
  //<![CDATA[
  (function(){
      var a = document.getElementById('cf-content');
      a.style.display = 'block';
      var isIE = /(MSIE|Trident\/|Edge\/)/i.test(window.navigator.userAgent);
      var trkjs = isIE ? new Image() : document.createElement('img');
      trkjs.setAttribute("src", "/cdn-cgi/images/trace/jschal/js/transparent.gif?ray=6d670201cea54b62");
      trkjs.id = "trk_jschal_js";
      trkjs.setAttribute("alt", "");
      document.body.appendChild(trkjs);
      var cpo=document.createElement('script');
      cpo.type='text/javascript';
      cpo.src="/cdn-cgi/challenge-platform/h/g/orchestrate/jsch/v1?ray=6d670201cea54b62";
      
      window._cf_chl_opt.cOgUQuery = location.search === '' && location.href.indexOf('?') !== -1 ? '?' : location.search;
      window._cf_chl_opt.cOgUHash = location.hash === '' && location.href.indexOf('#') !== -1 ? '#' : location.hash;
      if (window._cf_chl_opt.cUPMDTk && window.history && window.history.replaceState) {
        var ogU = location.pathname + window._cf_chl_opt.cOgUQuery + window._cf_chl_opt.cOgUHash;
        history.replaceState(null, null, "\/api\/auth\/third_party_token?shop=3tt-coffee.myshopify.com&handle=GrowthPath&__cf_chl_rt_tk=RERV2dS0K0NW1sDOERwbUbKiJ49g31bEib2Vnj6gUUo-1643674762-0-gaNycGzNBz0" + window._cf_chl_opt.cOgUHash);
        cpo.onload = function() {
          history.replaceState(null, null, ogU);
        };
      }
      
      document.getElementsByTagName('head')[0].appendChild(cpo);
    }());
  //]]>
</script>
      <div class="attribution">
        DDoS protection by <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing/" target="_blank">Cloudflare</a>
        <br />
        <span class="ray_id">Ray ID: <code>6d670201cea54b62</code></span>
      </div>
  </td>
 
</tr>
[email protected]:~#

Update: Digital Ocean says Cloudflare has blocked a range of their Singapore IP addresses. I have moved my server to a different region.
How does Cloudflare manage this? Is it a per client setting? Does a block reset after time (this one doesn’t seem to have). How do third parties such as myself get support for this?

Cloudflare very rarely blocks anything.

From that same droplet, can you ‘curl’ other sites on Cloudflare?

Back to the block…when something is blocked, it should show up in that account’s Firewall Events Log.

You’d have to work with the site owner to figure out why that traffic is blocked.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.