DNS Proxy problem

I ran the Diagnostic Center test and I got errors on HTTP and SSL/TLS:

HTTP:

  • Check the HTTPS status

SSL/TLS

  • Check if redirecting unencrypted HTTP traffic works
  • Check the site for mixed content

I already tried every possible way to fix these errors and currently I have enabled “Always Use HTTPS”, “Automatic HTTPS Rewrites” and I set SSL/TLS on Complete (Strict).
I realized that these errors disappear when I uncheck every DNS Proxy. Of course, once I enable the proxy again it shows the same errors.

Is there a way to solve this issue which seems to be an internal error, made by some misconfiguration, more than anything else?

Thank you in advance for all the help you could give to me.

May I ask what is the URL of your Website? :thinking:
Can you share it here so we could double check?
Make sure the proxy :orange: mode is enabled for your web related DNS records and you’ve set up and enabled the mentioned features like Always use HTTPS and Automatic HTTPS Rewrites.

Thanks for your help @fritex.

The website is www.federicoguzzardi.com. There is only a static home page, I’m waiting to fix Cloudflare before publishing the original one. I double checked every setting you mentioned and they are all set up well.

I wonder if that error comes up because of the issue of missing a favicon :thinking:

Or, rather due to a Bot Fight Mode / Browser Integrity Check or some other security option being enabled :thinking:

Else, it might be a cached version, somehow of the results shown for some particular future time.

Furthermore, before moving to Cloudflare, was your Website working over HTTPS connection?
May I ask what SSL option have you got selected under the SSL/TLS tab at Cloudflare dashboard for your domain ( Flexible, Full, Full Strict … )?

On the current homepage there is no tag or code referred to the favicon. That’s strange you got this issue. Could you try again, please?

Yes, on Cloudflare I enabled both of them (Bot Fight Mode / Browser Integrity Check), I thought it could protect me better but maybe I missed some step for configuring it the right way or maybe it’s just making conflicts. In addition on WAF I created a Firewall Rule to block common bot.

Concerning the SSL/TLS I enabled “Full (Strict)” and on the Origin Server I created a certificate and uploaded on my Hosting. I also wrote them about it and their feedback was good so, everything about the certificate seems working properly.

I changed hosting to join Cloudflare because the previous one did not allow me to change their DNS but, I confirm that both before and now it works over HTTPS connection.

Should I disable the Bot Fight Mode and Browser Integrity Check setting?
I purged the cache on Cloudflare as well in order to not have some old version anymore. Maybe it can help for testing it again.

I wonder, what happens once you’ve uploaded the “favicon.ico” to the “www” or “public_html” directory.
Furthermore, Purge the cache at Cloudflare as it might still cache the “404” error.

Web browser usually checks for this “by default”. No need to specify the line for favicon in HTML, except if it’s like some png and you want it for favicon.

Regarding Bot Fight Mode and Browser Security Check, we can try to disable them both and then see if any difference at all.

I am not sure how exactly the Cloudflare diagnostic tool works, and what it does, in the background :thinking:

Many thanks @fritex for all your support.

Ah, I didn’t know it was an automatic process of browsers.
I uploaded the favicon in many formats, checked on the Dev Tool and it works with no other missing files. I just cleaned the cache on Cloudflare again and disabled both functions: Bot Fight Mode and Browser Security Check.

In addition I tested the DNS but it does not seem to propagate in the right way:

:exploding_head:

Thank you for feedback information.
Great!

I’d suggest you to retry again without using a www prefix, so just naked domain :wink:
Seems ok, but somewhere it might need some more time as it seems.

Now when checking, says like HTTP not redirecting to HTTPS and “The site’s web server responded with a status code that isn’t 200 (OK).”.

May I ask you to check Security → Overview for any recent firewall events being challenged or blocked maybe? :thinking: I wonder if Cloudflare tool might be, in some case …

I think there should be some as far as I’ve tested and got 403 returned using online tool, while HTTP 200 on https both non-www and www, and also HTTP 301 on http www and non-www → redirected to https www as it should be.
So, Cloudflare firewall for sure :wink:

But, as far as I can see and test using curl and dig, including testing in my Web browser, I do get HTTP to HTTPS redirection, therefore there is no issue at all with it.

Everything seems to be fine :+1:

I guess, we could ignore it a bit, or at least Cloudflare Diagnostics Tool might need some improvement.

Otherwise, you could try to ask Cloudflare Support to check this too and confirm if there is anything else to check or configure, otherwise to get feedback why do you get this “warnings” so far.
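
The four-way check described in the post above (HTTP and HTTPS, with and without www), written out as an added example that is not part of the original thread. The function names and result labels are assumptions made for this illustration, and `example.com` is a placeholder.

```bash
# Added example (not from the thread). Labels and function names are assumptions.
# classify_probe SCHEME STATUS REDIRECT_URL CANONICAL_HOST
classify_probe() {
  local scheme="$1" status="$2" redirect="$3" canonical="$4"
  case "$status" in
    301|302|307|308)
      case "$redirect" in
        "https://$canonical"|"https://$canonical/"*) echo "ok-redirect" ;;
        https://*) echo "https-other-host" ;;   # still HTTPS, but expect a second hop
        *)         echo "redirect-not-https" ;;
      esac ;;
    200)
      if [ "$scheme" = "https" ]; then echo "ok-served"
      else echo "http-not-redirected"; fi ;;
    403) echo "blocked-403" ;;   # request refused; compare with another client
    *)   echo "unexpected-$status" ;;
  esac
}

# probe URL CANONICAL_HOST [USER_AGENT]: one HEAD request, redirects not followed.
probe() {
  local url="$1" canonical="$2" ua="${3:-redirect-check}"
  local out
  out=$(curl -sS -I -o /dev/null -A "$ua" --max-time 10 \
        -w '%{http_code} %{redirect_url}' "$url") || { echo "connect-failed"; return 1; }
  classify_probe "${url%%:*}" "${out%% *}" "${out#* }" "$canonical"
}

# check_site APEX: the four combinations tested in the thread.
check_site() {
  local apex="$1" u
  for u in "http://$apex/" "http://www.$apex/" "https://$apex/" "https://www.$apex/"; do
    printf '%-34s %s\n' "$u" "$(probe "$u" "www.$apex")"
  done
}

# Usage (needs network): check_site example.com
```

A `blocked-403` result from one client alongside `ok-redirect` and `ok-served` from another is the pattern reported in the post: the redirect itself works, and the refusal comes from a rule that matched the first client.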

Thanks @fritex for all the tests you did and for your attention, you are great, really!!

Thanks for the hint, you’re right. By putting the naked domain, it works just fine.

On the WAF I created 3 firewall rules (Block Countries, Block Bot, Block Common Bot) and on the Security Overview I have a lot of blocked events everyday, I guess thanks to the WAF rules.
Do you think there could be something wrong with them?

Do you think I could re-enable the settings Bot Fight Mode and Browser Security Check or I keep them off? In case, is there some other file to connect to my website or they work fine just enabling them on Cloudflare?

You’re right, the Diagnostic Center seems not 100% reliable. I’m new on Cloudflare so, I’m not so expert and I’m getting crazy to make 100% green the Diagnostic Center test. I don’t know if there is some setting which could get conflicts with some other and I really try all my best to understand how to fix it.
I tried to reach the Cloudflare Support but I’ve the Free plan so, I read that not every user can reach it :frowning:

I am really happy to hear you’re using Firewall Rules and other security options available to you so you could leverage bad guys out there and protect your Website as best as it could be! :slight_smile: :+1:

I, hm the wrong … if you experience some issues with your Website or web app like not functioning well, or you get 1020 error and similar, then it should be questioned.

If you’re able, you can share them here and we can double-check those, if interested - just mask the IP or some other relevant private information from the screenshot, in case you’re using them in Firewall Rules due to privacy concern, if so.

But, I’d rather say nothing wrong with them.

That’s a good question.
Sometimes, it catches things which are good for us, catching and blocking WP-Cron sometimes as far as WordPress websites do have it, it runs on a daily and regular basis, therefore uses an old HTTP/1.0 version and no user-agent → which triggers the Bot Fight Mode and it blocks the request.
Simple solution is to add origin host/web server IP to the WAF → Tools → IP Access Rules with the action “allow”, that way it’s bypassed and WordPress website works normally as expected.

In case if interested, may I suggest reading below article from my colleague @jnperamo as it describes some cases and situations where Bot Fight Mode / Super BFM could make some issues and what could we do to make sure we’re good to go while using it:

I’d keep them on. I’d say if you suspect or see you’re getting something weird going on with for example, Googlebot or some other “good bot” from the verified bot list from the link below, write back or create a new topic and someone would see it and help you with it.

I’m happy to hear this! :handshake:
Wish you a warm welcome here at Cloudflare Community Forums :confetti_ball:
I 100% understand you and your worry, therefore a dedicated willingness and effort to make sure you’re using Cloudflare the best way possible and have your Website as fast and as secure as it can be :wink:

Appreciate this :+1:

You could always send e-mail to support[at]cloudflare[dot]com from your e-mail associated with your Cloudflare account describing your issue.
Therefore, if you get autoreply and like “closed”, kindly take a look into it and find a ticket number in it, which then you share it here with us so we could escalate your issue.

First of all I must thank you again for your very detailed answer!

Sure, I can share the Firewall Rules I set but I would prefer via private message so, I can share them all with you. I downloaded the Cloudflare Community Extension but I can not find a way, if it exists, to send you messages :slight_smile: Could you tell me how to do that, please?

Unfortunately I experienced a lot of attacks and someone also copied my website to use it and sell it as a template… So, I need some protections more than a well written .htaccess.

I developed my website without using CMS like WordPress or similar… so, I should not get that block but I would have a look at the link you suggested to me anyway (I would probably have already read it as I was desperately trying to solve the various problems encountered) even if I have the Cloudflare Free plan in which Super Bot Fight Mode (SBFM) is not included. I can only activate Bot Fight Mode and, on Dev Tool, I noticed that sometime it was missing a file called “invisible.js” which I don’t know where could be but I guess it is part of the Bot Fight Mode function which include the JavaScript Detection. Now I’ve checked again and it works fine without that “error”.

Alright, I follow your suggestions and I will turn Bot Fight Mode and Browser Security Check settings on :wink:

Thanks a lot @fritex for your warm welcome, I really appreciate it and I’m very grateful. As I wrote before, I’m trying to protect all my work and thanks to your availability and deep knowledge I’m getting better.

I will write an email to the Support as well, hoping they will give me some feedback on how to get these issues clear.

Hey @fritex, how are you?

As you suggested, I wrote an email to the Cloudflare Support but I received the automatic answer from the Bot saying that “Email support is not available for customers on your plan type”.

The Ticket ID is: #2512781
Is that what you wrote me to share or do you need the full URL?

Many many thanks again!

Hey @fritex,

I did not receive any feedback yet from the Cloudflare Support.
Do you know if my ticket was taken into account?

I am still digging through the forums and user suggestions without much success…
Do I have some chances, in your opinion, to get the Diagnostic Center test 100% green?