I have two servers, one of them hotlinks images from the second one. After enabling the antibot protection, this functionality stopped working, and I saw in Analytics that requests from server IP are mitigated by antibot protection
What steps have you taken to resolve the issue?
Created WAF custom rule with my server IP in the IP Source Address field and action “Skip” with all the possible checkboxes checked to skip all protection methods (I tried different combinations of checkboxes, none worked)
When it didn’t help, I created the WAF IP Access rule, and it worked as intended and my image hotlinking works again.
But I read online that custom rules is the recommended way, so the question is what’s wrong with the custom rule matching the source IP?
The rule that I created is on the screenshot (server IP changed)
If by Anti Bot, you mean Bot Fight Mode (BFM), then this is because of the limited control you have over it:
BFM has limited control. You cannot bypass or skip BFM using the Skip action in WAF custom rules or using Page Rules. BFM will be disabled if there are any IP Access rules present. If you turned on BFM during an attack, and the attack has subsided, we recommend either disabling the feature using IP Access rules to bypass BFM, or looking at Bot Management for Enterprise, which gives you the ability to precisely customize your security threshold and create exception rules as needed. FAQ · Cloudflare bot solutions docs
In essence, by creating an IP Access Rule you have entirely disabled it. Pro’s Super Bot Fight Mode (SBFM) can be skipped via Custom Rules, and Custom Rules are better because of their granular control over matching and what is skipped. Free’s Bot Fight Mode can only be entirely enabled/disabled.