cURL request to zip triggers managed challenge, cannot bypass

Since some time recently, Cloudflare has started to challenge PHP cURL requests to zip files on our server, effectively blocking the cURL. This does not happen from all locations, but from many. We use cURL for an application installer, which now does not work for many clients because of this.

The firewall event lists as “Managed Challenge”, and there does not seem to be anything we can do to prevent this behavior (for example for requests to *.zip files). I tried to add a firewall “allow” rule, but it seems the “managed challenge” does not care about this, as you can see in the below screenshot:

FYI all security settings are default. I see that this “managed challenge” is also blocking API requests. How can this be bypassed?

If you open up that first Managed Challenge log entry (click on the >), can you please post a screenshot of that as well? That should show more information about which Managed Rules setting is triggered.

To make things even less helpful, “Ruleset name” and “Rule name” are listed as “Unavailable”.

That looks like some leftover rule from a ruleset that has since changed. I think there’s an API call that can delete a Rule ID, but my memory’s a bit foggy right now.

It might be this one:
https://api.cloudflare.com/#account-rulesets-delete-an-individual-rule

Thanks, I tried that, and it says “Authentication error” although I know I included the correct API keys. Maybe this cURL is blocked also :sweat_smile:

In the meantime, I received response from customer support stating that I had to add an “exception” to “managed rules”. The problem is, this requires Cloudflare PRO. Really not happy about this “new WAF” that can’t be bypassed.
https://developers.cloudflare.com/waf/managed-rulesets/waf-exceptions/define-dashboard/

I managed to bypass the challenge by whitelisting the specific IP (action: allow) under IP Access Rules. This is a fix for one specific user, but not a solution obviously.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.