Can't disable JS Challenge for NuGet restore

We have a TeamCity continuous integration system running a NuGet package feed. NuGet restores, but just when initiated from an Azure DevOps agent, get a JS Challenge by the Bot fight mode service. I’d like to keep Bot fight mode on in general but allow such requests:

Event JSON:

  "action": "jschallenge",
  "clientASNDescription": "MICROSOFT-CORP-MSN-AS-BLOCK",
  "clientAsn": "8075",
  "clientCountryName": "US",
  "clientIP": "",
  "clientRequestHTTPHost": "",
  "clientRequestHTTPMethodName": "GET",
  "clientRequestHTTPProtocol": "HTTP/1.1",
  "clientRequestPath": "/guestAuth/app/nuget/feed/OrchardCore_LombiqFork/Release/v3/index.json",
  "clientRequestQuery": "",
  "datetime": "2021-04-22T21:49:56Z",
  "rayName": "6442109a9a1d5869",
  "ruleId": "bot_fight_mode",
  "rulesetId": "",
  "source": "botFight",
  "userAgent": "NuGet .NET Core MSBuild Task/5.9.1 (Microsoft Windows 10.0.17763)",
  "matchIndex": 0,
  "metadata": [],
  "sampleInterval": 1

I tried everything that I could think of but no firewall rule matches this, no matter how simple it is. For example, shouldn’t this allow such requests? Because it doesn’t.

I tried filtering on ASN, path, host, user agent, none of them match. Instead of the Allow action I also tried Bypass, without luck. The only way to allow such requests is to disable Bot Fight Mode altogether, not even disabling proxying for the subdomain will work. Or is Bot Fight not something you can disable from firewall rules (see: Please, add bypass for Super Bot Fight Mode)?

What can I do to disable the JS challenge for such requests? Any help would be greatly appreciated!

Unfortunately you can’t selectively disable Bot Fight Mode. It’s either On or Off.

1 Like

Ah I see, that’s a pity. I found this feature request in the meantime and added my vote: Page Rules for Bot Fight Mode

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.