Cloudflare blocks some of my users from accessing my API

Hello all, I have an API that was working fine before I moved to cloudflare. Recently (after moving my domain to cloudflare) I keep getting some users complaining that they cant use my mobile app anymore. I have noticed that these users are on mobile data usually and from completely different region.
To try and fix this issue, I added a header to all the requests my mobile app makes to my API and I created a WAF rule to filter that header and skip security checks. But for some reason, it keeps blocking some people.
As a desperate attempts, I disabled Bot fight mode but still the same issue. What can I do to fix this please

You will need to check https://dash.cloudflare.com/?to=/:account/:zone/security/events and find out why the users were blocked first.

How to proceed then depends on why they were blocked.

1 Like

Thanks for you reply. My issue here is that I see nothing marked blocked in the logs. But still till today, I get some users complaining that they cant reach my API. this is really frustrating. I even tried to add a WAF rule that skips all cloudflare services to see if the issue will go away but still no. I dont know what I can do anymore

What is your domain? Maybe it’s a DNSSEC problem and nothing to do with the firewall.

the domain is heyamapp.com
I disabled dnssec also on clouflare UI to see if it will work but still some people have that issue

when I disable cloudflare proxy it looks like everybody can access the server. But this is not the goal as I came to cloudflare for the security it offers.

Can you ask them why they can’t reach it? Do they get a response by the WAF that they got blocked? Does the connection simply timeout? Does the DNS resolution fail?

1 Like

they use my mobile app. the call just timeout. When I check my API logs, I dont event see those API calls. this means the request get blocked at cloudflare level. I also noticed that this only happens for users on cellular networks (mobile data)

If Cloudflare blocked something, the result would not be a timeout, but a block page.

If they are using your app, you should be able to collect some more information to debug the issue. There is really no way to find out what’s wrong with nothing to go on.

Can you find any commonalities between the users that experience problems?

1 Like