Cloudflare is blocking NewsBlur RSS feed fetchers

I run NewsBlur, a popular RSS news reader and a number of users have reported that all of the Cloudflare-backed RSS feeds have stopped working. The reason is that Cloudflare is returning a 403 Forbidden to my feed fetchers. The IP addresses of NewsBlur’s fetchers can be found at: https://www.newsblur.com/api/ip_addresses/.

The issue started a couple months ago when I switched backend servers from Digital Ocean to Hetzner. How can I add NewsBlur to a allowlist/allowlist or re-establish trust? As it is, NewsBlur tries to be a good web citizen and fetches on a regular schedule and backs off when a feed doesn’t return a 200 OK or 304 Not Modified.

Note that the feeds work when running a local-hosted version of NewsBlur, so it’s not a configuration problem on NewsBlur’s end.

I’d like to add to this…I’ve at least one RSS feed through Newsblur that (appears) to be blocked by Cloudflare

That feed is RedState

Another feed that is having issues (but I’m not sure if they are a cloudflare customer) is
https://www.dailywire.com/feeds/rss.xml

If you are actively blocking Newsblur from these two RSS sites, I would ask you remedy them, and add Newsblur as a trusted entity.

Am I understanding it good enough, if I am under the impression that NewsBlur act as a middleman to a lot of third party RSS feeds?

For example, my Android phone will be connecting directly to NewsBlur.

NewsBlur is then connecting from the IP addresses mentioned on /api/ip_addresses to e.g. https://one-cloudflare-backed.example/feed.rss and https://another-cloudflare-backed.example/rss.xml, and then NewsBlur is then seeing the 403’s by trying to access these third party links?

Many website owners block traffic from AS numbers (whole ISPs) of hosting providers, such as for example Digital Ocean and Hetzner that you you’re mentioning, as well as of course many others.

The amount of automated (bot) traffic, that is considered ill, is unfortunately too huge from these kind of providers, to make it scale for the eventual maintenance required, if the website owner(s) should be blocking or allowing traffic selectively.

In addition, many website owners frown on the use of VPN as well, and as VPN most typically come from such hosting providers, it will often appear to be a win-win for them, to block the whole AS number (ISP) at once.

Such decisions are made by the individual website owner(s), and not by Cloudflare.

I am happy to hear this part. :+1: to that.

If my understanding as a middleman is correct above, it could be one (or some) website owner(s) that were not blocking Digital Ocean, but actually blocked Hetzner in their WAF.

According to https://radar.cloudflare.com/traffic/verified-bots, it seems like you are already verified under Verified Bots, with the category “Feed Fetcher”.

If you have been verified for a while, I would say that this indicate that the RSS feed operator, e.g. the owner of one-cloudflare-backed.example or another-cloudflare-backed.example above, hasn’t configured the Verified Bots to pass through their WAF configuration.

In that case, the only option you have, would be to reach out to the operator(s) of e.g. one-cloudflare-backed.example and another-cloudflare-backed.example, considering the above example, and then ask them nicely to allow your traffic in their WAF configuration.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.