Since some time recently, Cloudflare has started to challenge PHP cURL requests to zip files on our server, effectively blocking the cURL. This does not happen from all locations, but from many. We use cURL for an application installer, which now does not work for many clients because of this.
The firewall event lists as “Managed Challenge”, and there does not seem to be anything we can do to prevent this behavior (for example for requests to *.zip files). I tried to add a firewall “allow” rule, but it seems the “managed challenge” does not care about this, as you can see in the below screenshot:
If you open up that first Managed Challenge log entry (click on the >), can you please post a screenshot of that as well? That should show more information about which Managed Rules setting is triggered.
That looks like some leftover rule from a ruleset that has since changed. I think there’s an API call that can delete a Rule ID, but my memory’s a bit foggy right now.
Thanks, I tried that, and it says “Authentication error” although I know I included the correct API keys. Maybe this cURL is blocked also
In the meantime, I received response from customer support stating that I had to add an “exception” to “managed rules”. The problem is, this requires Cloudflare PRO. Really not happy about this “new WAF” that can’t be bypassed.
I managed to bypass the challenge by whitelisting the specific IP (action: allow) under IP Access Rules. This is a fix for one specific user, but not a solution obviously.
