Bot Fight mode Vs Observatory?

Getting a 403 when using the new beta Speed Observatory feature in Cloudflare. Looks like Bot Fight is the culprit; disabling Bot Fight fixes it.

Since Bot Fight seems to supersede all custom rules, I don’t think there’s anything I can do about it but turn off Bot Fight?

I tried adding an exception in the WAF for Known Bots and the UA string Observatory uses, but it didn’t work. As expected I believe, since Bot Fight ignores those.

Your conclusion is correct as long as you are talking about Bot Fight Mode (free) and not Super Bot Fight Mode (Pro or higher). Super Bot Fight Mode can be skipped with Custom Rules, a feature which was reported to eventually be making its way to free users: "Super Bot Fight Mode is now configurable!" (in the last paragraph).

It was stated a while ago that they were trying to make the new Speed Test a known bot excluded from Bot Fight mode as well: Bug: Cloudflare's speed test blocked by "Bot fight"-Mode - #2 by sdayman, but nothing yet as far as I know.

At the moment, your only option is to disable Bot Fight Mode. For what it’s worth, even Cloudflare’s docs don’t recommend enabling it when not under attack: FAQs · Cloudflare bot solutions docs

  • BFM and SBFM are high security features intended to quickly help customers under active attack stop as many bots as possible. Due to the high security threshold, false positives do sometimes happen.

Hm dang, that’s what I was afraid of. I enabled it to block user signup spam, though I also have a custom rule targeting the register page now that will hopefully get most of them. I guess I’ll just leave it off for now.

I have been quite pleased with the results from deploying Cloudflare Turnstile.
