Cloudflare Hostname HTTP validation doesn't use the User Agent specified in documentation

I’m adding Cloudflare hostnames and trying to validate them with the HTTP method as explained in the documentation: https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/domain-support/hostname-validation/pre-validation/
The documentation specifies that the validation request has a “Cloudflare Custom Hostname Verification” user agent.

Cloudflare will access this token by sending GET requests to the http_url using User-Agent: Cloudflare Custom Hostname Verification.

However, the user agent seen on my end is bushbaby/2023.8.12.

I need to differentiate a Cloudflare ACME verification from other verifications I can have on the same server. I would like to rely on something that won’t change, and according to the documentation that’s not what I should receive.

Does anyone have the same behavior?

Are you sure this is a request coming from Cloudflare?

Thanks for answering.

As the validation URL called is the right one, I guess that’s a Cloudflare validation request.
I don’t call this URL on my side.
Plus, I just finished the validation, and it’s working.

In fact, there are multiple challenges occurring when you add a custom hostname.
Here is the log I have:

Host: subdomain.mysite.com
User Agent: Cloudflare Custom Hostname Verification
{"level":30,"time":1694072902311,"pid":22923,"hostname":"sheldon","name":"redbird","msg":"Proxying subdomain.mysite.com/.well-known/cf-custom-hostname-challenge/2cfae0b7-f9d7-47af-a2dd-ca2926737bb4 to localhost:8081/.well-known/cf-custom-hostname-challenge/2cfae0b7-f9d7-47af-a2dd-ca2926737bb4","v":1}

Host: mysite.com
User Agent: Cloudflare Custom Hostname Verification
{"level":30,"time":1694072902337,"pid":22923,"hostname":"sheldon","name":"redbird","msg":"Proxying mysite.com/.well-known/cf-custom-hostname-challenge/2cfae0b7-f9d7-47af-a2dd-ca2926737bb4 to localhost:8080/.well-known/cf-custom-hostname-challenge/2cfae0b7-f9d7-47af-a2dd-ca2926737bb4","v":1}

Host: mysite.com
User Agent: Cloudflare Custom Hostname Verification
{"level":30,"time":1694072902342,"pid":22923,"hostname":"sheldon","name":"redbird","msg":"Proxying mysite.com/.well-known/cf-custom-hostname-challenge/2cfae0b7-f9d7-47af-a2dd-ca2926737bb4 to localhost:8080/.well-known/cf-custom-hostname-challenge/2cfae0b7-f9d7-47af-a2dd-ca2926737bb4","v":1}

Host: mysite.com
User Agent: Cloudflare Custom Hostname Verification
{"level":30,"time":1694072902384,"pid":22923,"hostname":"sheldon","name":"redbird","msg":"Proxying mysite.com/.well-known/cf-custom-hostname-challenge/2cfae0b7-f9d7-47af-a2dd-ca2926737bb4 to localhost:8080/.well-known/cf-custom-hostname-challenge/2cfae0b7-f9d7-47af-a2dd-ca2926737bb4","v":1}

Host: subdomain.mysite.com
User Agent: bushbaby/2023.8.12
{"level":30,"time":1694072904072,"pid":22923,"hostname":"sheldon","name":"redbird","msg":"Proxying subdomain.mysite.com/.well-known/acme-challenge/IN_dJrN2THNcj9I4LPNemhxrK-BgyFBO7Fd5QXrEvCFtQLdOukpXkDaBb8r61KnB to localhost:8081/.well-known/acme-challenge/IN_dJrN2THNcj9I4LPNemhxrK-BgyFBO7Fd5QXrEvCFtQLdOukpXkDaBb8r61KnB","v":1}

The first 3 requests are made as soon as the POST request to the API has been done. It’s the prevalidation request.
The last one, a short time later, is the realtime HTTP validation. And this one has the bushbaby/2023.8.12 user agent.

One other weird thing is that when you register multiple hostnames for the same base domain, and you have set a CNAME for each one, only one is automatically activated with realtime validation. https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/domain-support/hostname-validation/realtime-validation/

Thanks for the logs. I’ve escalated this issue.

Thanks @Cyb3r-Jak3, raised a thread internally to see whether I can get an answer (and then update the docs accordingly).

Okay, raised this internally and technically the docs and your experience are both correct.

  • Cloudflare Custom Hostname Verification → Hostname verification
  • bushbaby/xxx → Pre-checks for certificate validation

The team said they’re looking at using a more public-friendly user agent for the prechecks. At that point, we’ll update the docs to talk about both of them.

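The logs in this thread show that the two checks also differ by request path, which is a steadier discriminator than a user agent the staff reply says may change. The sketch below is an added example, not code from the thread or from Cloudflare: it classifies redbird-style proxy log lines by well-known path prefix. The hostnames, tokens and log lines are constructed, the function names are hypothetical, and the UUID shape of the hostname-challenge token is an assumption based on the single token visible in the post.

```javascript
// Added example: tell Cloudflare hostname verification apart from ACME HTTP-01
// requests by path, never by User-Agent (client-controlled and subject to change).
const CHALLENGES = [
  { kind: 'cf-hostname-verification',
    prefix: '/.well-known/cf-custom-hostname-challenge/',
    token: /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/ }, // assumed UUID shape
  { kind: 'acme-http-01',
    prefix: '/.well-known/acme-challenge/',
    token: /^[A-Za-z0-9_-]+$/ },                            // base64url (RFC 8555)
];

function classifyChallenge(path) {
  for (const { kind, prefix, token } of CHALLENGES) {
    if (!path.startsWith(prefix)) continue;
    const tok = path.slice(prefix.length);
    // Empty tokens, nested paths and "../" sequences fail the token pattern.
    return token.test(tok) ? { kind, token: tok } : { kind: 'invalid', token: null };
  }
  return { kind: 'other', token: null };
}

// Extract host and path from a 'Proxying <host><path> to <target>' JSON log line.
function parseProxyLine(line) {
  let entry;
  try { entry = JSON.parse(line); } catch { return null; } // not JSON: skip
  const m = /^Proxying ([^/\s]+)(\/\S*) to \S+$/.exec(entry?.msg ?? '');
  return m ? { host: m[1], path: m[2] } : null;
}

function summarize(lines) {
  return lines.map(parseProxyLine).filter(Boolean)
    .map(r => ({ host: r.host, ...classifyChallenge(r.path) }));
}

// Constructed sample input modelled on the log format in the post.
const mk = (hostPath, port) => JSON.stringify({
  level: 30, name: 'redbird',
  msg: `Proxying ${hostPath} to localhost:${port}${hostPath.slice(hostPath.indexOf('/'))}`,
});
const SAMPLE = [
  mk('sub.example.test/.well-known/cf-custom-hostname-challenge/00000000-0000-4000-8000-000000000000', 8081),
  mk('sub.example.test/.well-known/acme-challenge/constructedToken_abc-123', 8081),
  mk('sub.example.test/.well-known/acme-challenge/../secret', 8081),
  mk('example.test/index.html', 8080),
  'not a json log line',
];

console.log(summarize(SAMPLE));
```
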