Can't prevent interstitial from showing when "I'm Under Attack" mode is set

I am having trouble getting around the Cloudflare DDOS interstitial when “I’m under attack” is set.

For example, I cannot load my manifest.json file, even though I have it set to bypass security. It still returns as a 503 where it is showing the interstitial. I set a Page Rule to Disable Security for my url, www.example.com/manifest.json, yet when I hit that URL it still shows an interstitial.

Likewise, I cannot whitelist my IP address to allow my IP to access the site without the interstitial showing. I have added an ‘Allow’ rule to my Firewall for my IP through Firewall → Tools, yet I still always get the interstitial. How can I fix these issues? Thanks

Disable the global I’m under attack mode and use a specific firewall / page rule or a set of rules instead to challenge users for the assets which don’t match the parameters you want to explicitly allow based on other criteria.

I’m Under Attack Mode WILL ALWAYS show an interstitial page (aka: JS or JavaScript challenge). The only “way” to disable this is to change security settings; if you don’t want it to show on certain pages you can create a page rule. Otherwise, just change security level in general. Also, sorry to hear about the 503 error. HTTP error 503 occurs when your origin web server is overloaded. There are two possible causes discernible by error message:

  • Error doesn’t contain “cloudflare” or “cloudflare-nginx” in the HTML response body.

Resolution: Contact your hosting provider to verify if they rate limit requests to your origin web server.

  • Error contains “cloudflare” or “cloudflare-nginx” in the HTML response body.

Resolution: A connectivity issue occurred in a Cloudflare data center. Provide Cloudflare support with the following information:

  1. Your domain name
  2. The time and timezone of the 503 error occurrence
  3. The output of www.example.com/cdn-cgi/trace from the browser where the 503 error was observed (replace www.example.com with your actual domain and host name)

Could you provide the link that is giving the 503 error and/or the link that is giving the interstitial page?

Thanks, but the 503 is the status code that is being returned from Cloudflare while the interstitial is loaded.

Therefore, if I set a rule that more or less mimics the “I’m under attack” mode, the Page Rule to bypass security will work? Do you have any recommendations on a Firewall setting I can implement that will work more or less like how “I’m under attack” works?

Just send me the link, I want to see what happens when you try to visit the link.

Ok, what’s the link? I want to see what happens if I try to open it.

A firewall rule of action JS Challenge is effectively IAUM. So an expression like `(http.request.full_uri ne "https://www.example.com/manifest.json") or (ip.src ne 192.0.2.1)`
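What the expression posted above matches when it is attached to a JS Challenge rule, worked through as an added example that is not part of the thread and not Cloudflare's code. The evaluator is a hypothetical helper covering only `eq`, `ne`, `and`, `or` and parentheses; the second client IP (198.51.100.7) and the home-page URL are assumptions, and the requests are constructed.

```python
import re

# Constructed requests: 192.0.2.1 is the allowed IP from the thread's expression;
# 198.51.100.7 and the home-page URL are assumptions made for this example.
MANIFEST = "https://www.example.com/manifest.json"
HOME = "https://www.example.com/"
REQUESTS = {
    "allowed IP -> manifest": {"http.request.full_uri": MANIFEST, "ip.src": "192.0.2.1"},
    "allowed IP -> home": {"http.request.full_uri": HOME, "ip.src": "192.0.2.1"},
    "other IP -> manifest": {"http.request.full_uri": MANIFEST, "ip.src": "198.51.100.7"},
    "other IP -> home": {"http.request.full_uri": HOME, "ip.src": "198.51.100.7"},
}
POSTED = f'(http.request.full_uri ne "{MANIFEST}") or (ip.src ne 192.0.2.1)'
WITH_AND = POSTED.replace(") or (", ") and (")
TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()]+')

def matches(expression, request):
    """Hypothetical evaluator: eq/ne comparisons, and/or, parentheses.
    Operators are applied left to right, so group with parentheses."""
    tokens, pos = TOKEN.findall(expression), 0

    def term():
        nonlocal pos
        if tokens[pos] == "(":
            pos += 1
            value = chain()
            pos += 1  # step over the closing ")"
            return value
        field, op, literal = tokens[pos:pos + 3]
        pos += 3
        if op not in ("eq", "ne"):
            raise ValueError(f"unsupported operator: {op}")
        return (request[field] == literal.strip('"')) == (op == "eq")

    def chain():
        nonlocal pos
        value = term()
        while pos < len(tokens) and tokens[pos] in ("and", "or"):
            op, pos = tokens[pos], pos + 1
            rhs = term()  # always parse the right side, then combine
            value = (value and rhs) if op == "and" else (value or rhs)
        return value

    return chain()

def challenged(expression):
    """Labels of the constructed requests a JS Challenge rule would match."""
    return [label for label, req in REQUESTS.items() if matches(expression, req)]

if __name__ == "__main__":
    print("as posted:", challenged(POSTED))
    print("with and: ", challenged(WITH_AND))
```

As posted, only the allowed IP requesting the manifest skips the challenge. Joined with `and`, the manifest is exempt for every client and the allowed IP is exempt on every URL.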

Thanks a lot I will try this out. So will I have to manually add each IP address that, say a user asks me to add to whitelist their IP? Also, I added my IP in a ‘does not equal’ but it still gives my IP a challenge with an interstitial.

I don’t generally whitelist user IPs for my public facing applications. If I had a specific endpoint that I was managing with IP restrictions, if one wants to whitelist by IPs or better yet, not explicitly block if the IP doesn’t match (I don’t trust anyone so not explicitly blocked is as close as most people get) then you could potentially use lists and update a list via API.

Or use another mechanism like Cloudflare Access to protect sensitive endpoints, which allows a number of zero trust backed scenarios to expose sensitive endpoints.

In the corresponding WAF event in the UI, is the IP listed there matching the one you have allowed?

Fair enough, I didn’t realize I could change the interval between JS tests so that realistically solves the problem for me.

But fwiw, my IP whitelist is still not working for my own IP. And yes, it matches what comes through as the IP on my web app.
