Was the site working with SSL prior to adding it to Cloudflare?
Yes
What is the current SSL/TLS setting?
Full (strict)
What are the steps to reproduce the issue?
I enabled bot fight mode and I think it caused a script not to run. The script runs on a webhook and it stamps a PDF with customer info, and then emails the customer a link to download the stamped PDF. However, when I disabled bot fight mode, the script is still not working. Is there something else I need to do after disabling bot fight mode?
May I ask, does it add the stamp via one of the Cloudflare services, or are you doing this locally on the server via some URL request?
Got my answer here:
When you open up Developer Tools (F12) and navigate to the Console tab, do you see any errors such as 404 HTTP request(s) for the particular script, or X-Content-Type-Options: nosniff, or anything else related to it?
Does the script follow the correct HTTP route structure and the links, e.g. wonder if you might have something hard-coded to localhost?
Wonder if it triggers any Security Events; if so, I’d suggest you double-check Security → Events in the Cloudflare dashboard under your Cloudflare account for your zone, or via the direct link https://dash.cloudflare.com/?to=/:account/:zone/security/events.
You should be able to see the challenged or blocked event under the Security tab → Events at Cloudflare dashboard for your zone and know exactly which security option was triggered.
Once you find them, click on a particular one to find more details about it (user-agent, IP, HTTP version …). If so, could you share some details on which service was triggered that blocked you?
Ah, never mind, I just got all the emails at once, seems there was just some delay on the server.
However, something is still odd. The way the script works is this:
Someone buys an online course in WooCommerce, then they get enrolled in an associated course in the course platform. I had a developer make a script that runs on my server that receives the webhook data, does the PDF stamping and emails the download link.
Early this morning, I received one such order, so I checked the sent box and saw that no PDF email was sent. I went into the security events and found this at the time of the order:
So that’s when I disabled bot fight mode, and did a manual enrollment for the customer directly via the course platform, and the PDF email got sent to him.
However, when I do manual enrollments, I don’t see these same events in the log.
Anyway, my question: if I want to have bot fight mode enabled, what kind of rule could I create so that the script is allowed to run?
From what I remember and still experience, quite a lot of bad traffic comes from the particular AS in the shared image, so I guess if you’re on a Free plan the only thing you could do is disable Bot Fight Mode; otherwise, if on a paid plan type, you could add an Exception.
Nevertheless, if this is the IP address of your server, where the website is hosted, you could give it a try and add it to WAF → Tools → IP Access Rules with the “Allow” action for your website.
I believe the course platform runs on AWS, so the request is coming from there to the webhook.php script that is on my server. That 52. is not the IP address of my web server for my domain. Could I make an exception rule for that ASN? Or for that path?
I just read in the docs that bot fight mode “Cannot be customized, adjusted, or reconfigured via WAF custom rules”, so does that mean it’s an all-or-nothing setting?
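An added illustration, not taken from any reply in this thread, of what the paid-plan “Exception” mentioned above looks like as a WAF custom rule with the Skip action (Super Bot Fight Mode is skippable that way; the Free-plan Bot Fight Mode is not). The rule name, source IP and ASN are placeholders; only the `/webhook.php` path comes from the thread.

```text
Rule name:  allow-course-platform-webhook      (placeholder name)
Action:     Skip  ->  Super Bot Fight Mode
Expression (narrow, preferred: one path, one method, one known caller):

(http.request.uri.path eq "/webhook.php")
and (http.request.method eq "POST")
and (ip.src eq 203.0.113.10)

203.0.113.10 is a PLACEHOLDER for the course platform's fixed egress IP.

Weaker alternative, matching the whole cloud provider's ASN, which lets
every tenant of that provider skip bot checks on the endpoint:

(http.request.uri.path eq "/webhook.php")
and (ip.src.asnum eq 00000)

00000 is a PLACEHOLDER ASN; the real value is visible in the Security Event.
```

If the platform does not publish fixed egress IPs, the ASN form is the fallback, and the Security → Events log should then be checked for other traffic matching that rule.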