Cloudflare rules blocking legitimate traffic

What is the name of the domain?

*.mope.io

What is the issue you’re encountering?

Currently, legitimate traffic is being rate limited or challenged when it shouldn’t be. For example, Cloudflare sends a challenge for simple API requests, which we never had in the other games/apps I’ve worked on. Some kind of rate limit rules also kick in, even though the game can just load ~30 assets on initial load (with more coming during gameplay, but I don’t think that should be an issue, since the same asset system is being used for another game). We were testing an update on dev.mope.io, so some users report getting rate limited when they join, and some of the requests to the API fail due to CF challenging them.

What steps have you taken to resolve the issue?

We have examined all the rules for the domain; there wasn’t anything that should’ve indicated that the requests would be blocked under current conditions. We made sure that all of the rate limiting rules are disabled. We have checked that the client doesn’t request too much data per second.

What is the current SSL/TLS setting?

Flexible

What are the steps to reproduce the issue?

There is no 100% way to reproduce this issue.

Attempt to access https://dev.mope.io/
If you encounter a rate limit, that’s the issue.
If you don’t, open developer tools.
If you encounter a 403 response at a mope-accountserver-do.mope.io request, most likely CF challenged the API request (“Couldn’t connect to account server” will pop up, or “Failed to load purchases” if you are logged in). You can double-check the headers to make sure it’s a CF issue.
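
The header check from the last step above, as an added example that is not part of the original post: Cloudflare sets `cf-mitigated: challenge` on challenge pages, so captured responses can be sorted into edge-generated and origin-generated ones. The sample entries, their paths and `cf-ray` values are constructed placeholders, and the HTML-body heuristic for 403/429 is an assumption, not a documented signal.

```javascript
// Added example: decide whether a response came from Cloudflare's edge or the origin.
// SAMPLE is constructed; its paths and cf-ray values are placeholders.
const SAMPLE = [
  { url: 'https://dev.mope.io/', status: 200,
    headers: { Server: 'cloudflare', 'CF-RAY': 'ray-placeholder-1', 'Content-Type': 'text/html' } },
  { url: 'https://mope-accountserver-do.mope.io/example-endpoint', status: 403,
    headers: { Server: 'cloudflare', 'CF-RAY': 'ray-placeholder-2', 'cf-mitigated': 'challenge',
               'Content-Type': 'text/html; charset=UTF-8' } },
  { url: 'https://mope-accountserver-do.mope.io/example-endpoint', status: 403,
    headers: { Server: 'cloudflare', 'CF-RAY': 'ray-placeholder-3', 'Content-Type': 'application/json' } },
  { url: 'https://dev.mope.io/assets/example.png', status: 429,
    headers: { Server: 'cloudflare', 'CF-RAY': 'ray-placeholder-4', 'Content-Type': 'text/html' } },
];

// Lower-case header names so lookups are case-insensitive.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

function classifyResponse(status, headers) {
  const h = normalizeHeaders(headers);
  // Documented signal: challenge pages carry `cf-mitigated: challenge`.
  if ((h['cf-mitigated'] || '').toLowerCase() === 'challenge') return 'cf-challenge';
  const viaCloudflare = (h['server'] || '').toLowerCase() === 'cloudflare' || 'cf-ray' in h;
  const html = (h['content-type'] || '').toLowerCase().startsWith('text/html');
  // Heuristic (assumption): an HTML 403/429 served through Cloudflare to a
  // client expecting JSON or an asset was probably generated at the edge.
  if (viaCloudflare && html && status === 429) return 'cf-rate-limit-suspected';
  if (viaCloudflare && html && status === 403) return 'cf-block-suspected';
  return status >= 400 ? 'origin-error' : 'ok';
}

// Count verdicts per hostname to see which service is being mitigated.
function summarize(entries) {
  const byHost = {};
  for (const e of entries) {
    const host = new URL(e.url).hostname;
    const verdict = classifyResponse(e.status, e.headers);
    byHost[host] = byHost[host] || {};
    byHost[host][verdict] = (byHost[host][verdict] || 0) + 1;
  }
  return byHost;
}

console.log(JSON.stringify(summarize(SAMPLE), null, 2));
```

Each `cf-challenge` or suspected edge response should have a matching entry under Security → Events for the zone, which names the feature that acted.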

May I ask if you’re using a free or paid plan?

I’d suggest you double-check Security → Events in the Cloudflare dashboard under your Cloudflare account for your zone, or via the direct link https://dash.cloudflare.com/?to=/:account/:zone/security/events.

You should be able to see the challenged or blocked event under the Security tab → Events in the Cloudflare dashboard for your zone and know exactly which security option was triggered. Could be Managed Rules, my best guess, otherwise Bot Fight Mode or Browser Integrity Check.

Once you find them, click on a particular one to find more details about it (user-agent, IP, HTTP version …). If yes, could you share some details about which service was triggered that blocked you?

Just in case you encounter some issues and/or errors, since it’s related to WordPress, I’d suggest you allowlist your origin host / server / hosting IP address by navigating to Security → WAF → Tools → IP Access Rules with the action “allow” for your website and try again.

It is known to happen due to the use of HTTP/1.0 and an empty user-agent; therefore, executing some other related JSON/REST API request triggers the WAF rules (as it normally should).

Hi, thanks for your response. We are currently on a free plan. We also are not using WordPress.

I have looked at the Events, and the people who get a managed challenge are triggered by an “unavailable” rule. My only assumption is that it’s a Cloudflare rule.
On the same topic, is there a way to increase/override the rate limit threshold?
