Bot Fight Mode challenging ShipStation

I had Bot Fight Mode turned on in front of a domain that is running a WooCommerce e-store that exports orders to ShipStation for fulfillment.

We have had this exact configuration as long as Bot Fight Mode has existed (and in fact have the same configuration for other domains with no issue).

This morning Bot Fight Mode started challenging ShipStation’s agent which polls an API on the store for new orders for this one particular domain, making it impossible for them to access the API and download new orders.

The IP addresses of the ShipStation agents are transient AWS addresses, so I can’t whitelist them. These are not bad bots. Is there anything I can do to make Bot Fight Mode ignore these requests other than turning it off altogether?

Hello, @pjv. Did you ever find a solution to this matter? ShipStation is giving me the same problem. When I turn off the Bot Fight Mode, ShipStation gives me a 500 error. When I enable the Bot Fight Mode, it renders a 503 error. On or off seems to not work, which is quite strange.

I haven’t found any solution other than disabling Bot Fight Mode for the domain that it’s challenging the shipstation bots on. Again it’s strange that I have other domains configured identically that also have the same shipstation bots consuming the same API without getting challenged.

As far as I know, if you are receiving a 500 error with Bot Fight Mode turned off, that is an actual server error that has nothing to do with Cloudflare. With Bot Fight Mode turned off, you may want to look at your server’s logs to determine what is causing it to throw a 500 error.

@pjv My developer and I figured out the above issue. It was my Cloudflare workers causing the problem. Once I deleted the workers, it allowed ShipStation to sync and upload WooCommerce orders. I still whitelisted ShipStation’s 4-5 IP addresses to make sure it allowed them through my firewall.

I’ve had this same issue and despite not having any workers and writing some firewall rules, this doesn’t appear to fix the issue.

I believe it’s because Bot Fight Mode isn’t following the rules and has its own. Either that or I’m writing them wrong; I would be interested if anyone else found a way around this. I’ve written user agent and IP rules to allow the traffic but it still gets blocked.

We are having the same issue – orders are unable to refresh in Shipstation when Bot Fight Mode is enabled. We tried everything mentioned and do not have workers set up. There must be a way to have Bot Fight Mode work with Shipstation?

Having the same issue, even with bot fight mode disabled entirely. What could be causing this?

In setting up a client account with Shipstation and WooCommerce today, this is STILL an issue. I don’t understand why I have to reduce my security settings (turn Bot Fight off) simply to use an integration (given I have whitelisted Shipstation domain/IP).

What is Cloudflare doing to help rectify this situation? There has to be a way to make this work I would think.

I haven’t found any solution other than disabling Bot Fight Mode for the domain that it’s challenging the shipstation bots on.

How were you able to disable Bot Fight Mode for a specific domain?

I, and others (according to numerous posts), have been unable to set up any firewall rules that override what Bot Fight Mode does. In my case Cloudflare is preventing the ShipBob service (a similar service to Ship Station).

I get the impression Cloudflare is doing nothing about it. I see posts about this issue going back quite a ways … and so far the issue persists. It’s ridiculous.

We face the same issue. Presently the only solution is to disable the Fight Bot Mode to maintain the store connection…in this case a Magento store. Turn on Fight Bot…connection lost, forbidden. Turn off - all is great. In Cloudflare, white labeled every combination of URLs provided by ShipStation, ss1 and ship1 through ss13 and ship13. All fail and lose the connection when Fight Bot is enabled. ShipStation provided the full list of AWS IPs, however in a JSON file. Trying to figure out a way to utilize this and turn it into a rule to enable all IPs in the group. Based on the number of IPs (not a range) it seems rather daunting to try to make a manual rule. Anyone know a way to use the JSON file to create a list, or is there a better (easy) way to do this to at least try it? Be nice to have the Fight Bot mode re-enabled.

In case someone else stumbles into this beating their head against the wall: still no solution. We went so far as to create a firewall rule to allow each of the variations of ShipStation URLs, all the way through ss13.shipstation in both combinations, ss1 and ship1.
We also obtained the JSON file from ShipStation that included the full range of AWS IPs. We used IPv4 Extractor (Online Regex Tools) to extract the IPs from the JSON file. Used Excel to remove duplicates. Within Cloudflare navigate to your account, then preferences, then Lists. Create a new list name and on the next page it allows you to upload a CSV file. Take the extracted list minus the duplicates and save as CSV. Import the new list. Create a new firewall rule expanding on the URL list. Use IP source address > is in list > then your new list name. Allow.
However, even after all of that, if you re-enable Super Bot Blocker to Block, the store connection is lost and becomes 403 Forbidden. Turn off Super Bot Blocker and the store connection is restored. Wasted enough time on this. If someone finds the solution, please do share.
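
The extract, dedupe and save-as-CSV steps from the post above, as an added Python example (not code from the thread, Cloudflare or ShipStation). The JSON layout and the one-entry-per-row CSV format are assumptions, and the sample data is constructed from documentation address ranges; the script also reports how many addresses the resulting list admits, since a list built from cloud ranges can be far broader than intended.

```python
import csv
import io
import ipaddress
import json

# Constructed sample: the vendor's real JSON layout is not shown in the thread,
# so the walker below accepts any nesting and picks out IPv4 strings.
SAMPLE_JSON = """
{"regions": [
  {"name": "example-a", "ips": ["198.51.100.10", "198.51.100.11", "198.51.100.10"]},
  {"name": "example-b", "prefixes": [{"cidr": "203.0.113.0/25"}, {"cidr": "203.0.113.128/25"}]},
  {"name": "example-c", "note": "not an address", "ips": ["192.0.2.7", "2001:db8::1"]}
]}
"""

def iter_ipv4_networks(node):
    """Yield every IPv4 address or CIDR found in string values of a JSON tree."""
    if isinstance(node, dict):
        for value in node.values():
            yield from iter_ipv4_networks(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_ipv4_networks(item)
    elif isinstance(node, str):
        try:
            net = ipaddress.ip_network(node.strip(), strict=False)
        except ValueError:
            return  # ordinary text, not an address
        if net.version == 4:
            yield net

def build_allowlist(json_text):
    """Deduplicate and merge adjacent ranges; return (networks, total addresses)."""
    nets = set(iter_ipv4_networks(json.loads(json_text)))
    merged = list(ipaddress.collapse_addresses(nets))
    return merged, sum(n.num_addresses for n in merged)

def to_csv(networks):
    """One entry per row; single hosts are written without the /32 suffix."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for net in networks:
        writer.writerow([str(net.network_address) if net.prefixlen == 32 else str(net)])
    return out.getvalue()

if __name__ == "__main__":
    networks, covered = build_allowlist(SAMPLE_JSON)
    print(to_csv(networks), end="")
    print(f"# {len(networks)} entries covering {covered} addresses")
```
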

Try adding the IPs to Firewall » Tools » IP Access Rules with an Allow action instead. I’ve had to do this with a few bots that aren’t on Cloudflare’s whitelist.

IP Access rules won’t allow a list that I am aware of. The AWS IP list exceeds 5,000 potential different IPs the ShipStation API could possibly be using.

And the list of IPs isn’t a clean, easy range to reference. It’s all over.

No, they don’t. Offhand, I believe you can only set one access rule per individual IP. Unfortunately, that’s the only way I know of though to bypass the bot fight mode for bots that aren’t whitelisted.

The services using AWS can get themselves dedicated/static IPs, but generally, they don’t want to pay extra for them though. While I’ve not used ShipStation myself, from previous replies here, it appears as though their AWS IPs are transient. And, realistically, white-listing an entire Amazon ASN for AWS isn’t a particularly good idea anyway.

Appreciate the info. I may see if I can get sr tech from ShipStation to expand on their setup to narrow down the possible IPs, but when we reviewed log files it showed over 200 unique IPs accessing the API. Agree with you, Bot Blocker and whitelabeled URLs/IPs clearly are referencing different rules within Cloudflare.

Having the same issue, it would be useful if Shipstation and Cloudflare could talk to each other about this issue.

Can anyone share a screenshot of that blocked or challenged request at Firewall Events from the Cloudflare dashboard?

Which service does it trigger and why, if so?
Is it an HTTP/1.0 request? What user-agent does it use?
Does it come to the Challenge page or?
Despite whitelisting the IPs, if you disable Bot Fight Mode, does it work or still error which might be caused due to Browser Integrity Check option?

Might be better for ShipStation to submit a request to Cloudflare to make sure their Bot becomes a verified one, if that would help a bit.

Same issue here.
IPs for ShipStation change frequently and cannot be whitelisted which is the preference in any situation.

When enabling bot fight mode, Shipstation triggers connection errors.
WAF rules will not bypass Bot fight mode for ShipStation which begs the question why…

Allowing the hostname doesn’t work.
Allowing the User Agent (Shipstation) doesn’t work.
Allowing the ASN doesn’t work.
Allowing the query string doesn’t work.
The only way around this at this moment is to find another shipping fulfillment application or turn off bot fight mode and wait for Cloudflare and Shipstation to work together.