I already tried every possible way to fix these errors and currently I have enabled “Always Use HTTPS”, “Automatic HTTPS Rewrites” and I set SSL/TLS on Complete (Strict).
I realized that these errors disappears when I uncheck every the DNS Proxy. Of course, once enabled the proxy again it show the same errors.
Is there a way to solve this issue which seems to be an internal error, made by some misconfiguration, more than anything else?
Thank you in advance for all the help you could give to me.
May I ask what is the URL of your Website?
Can you share it her eso we could double check?
Make sure the proxy mode is enabled for your web realted DNS records and you’ve setup and enabled the mentioned features like Always use HTTPS and Automatic HTTPS Rewrites.
The website is www.federicoguzzardi.com. There is only a static home page, I’m waiting to fix Cloudflare before to publish the original one. I double checked every setting you mentioned and they are all good set up.
I wonder if that error comes up beacuse of the issue of missing a favicon
Or, rather due to a Bot Fight Mode / Browser Integrity Check or some other security option being enabled
Else, it might be a cached version, somehow of the results shown for some particular future time.
Furthermore, before moving to Cloudflare, was your Website working over HTTPS connection?
May I ask what SSL option have you got selected under the SSL/TLS tab at Cloudflare dashboard for your domain ( Flexible, Full, Full Strict … )?
On the current homepage there is no tag or code referred to the favicon. That’s strange you got this issue. Could you try again, please?
Yes, on Cloudflare I enabled both of them (Bot Fight Mode / Browser Integrity Check), I thought it could protect me better but maybe I missed some step for configuring it the right way or maybe it’s just making conflicts. In addition on WAF I created a Firewall Rule to block common bot.
Concerning the SSL/TLS I enabled “Full (Strict)” and on the Origin Server I created a certificate and uploaded on my Hosting. I also wrote them about it and their feedback was good so, everything about the certificate seems working properly.
I changed hosting to join Cloudflare because the previous one did not allow me to change their DNS but, I confirm that both before and now it works over HTTPS connection.
Should I disable the Bot Fight Mode and Browser Integrity Check setting?
I purged the cache on Cloudflare as well in order to not have some old version anymore. Maybe it can help for testing it again.
Ah, I didn’t know it was an automatic process of browsers.
I uploaded the favicon in many formats, checked on the Dev Tool and it works with no other missing files. I just cleaned the cache on Cloudflare again and disabled both functions: Bot Fight Mode and Browser Security Check.
In addition I tested the DNS but it does not seem to propagate in the right way:
Now when checking, says like HTTP not redirecting to HTTPS and “The site’s web server responded with a status code that isn’t 200 (OK).”.
May I ask you to check Security → Overview for any recent firewall events being challenged or blocked maybe? I wonder if Cloudflare tool might be, in some case …
I think there should be some as far as I’ve tested and got 403 returned using online tool, while HTTP 200 on https both non-www and www, and also HTTP 301 on http www and non-www → redirected to https www as it should be.
So, Cloudflare firewall for sure
But, as far as I can see and test using curl and dig, including testing in my Web browser, I do get HTTP to HTTPS redirection, therefore there is no issue at all with it.
Everything seems to be fine
I guess, we could ignore it a bit, or at least Cloudflare Diagnostics Tool might need some improvement.
Otherwise, you could try to ask Cloudflare Support to check this too and confirm if there is anything else to check or configure, otherwise to get feedback why do you get this “warnings” so far.
Thanks @fritex for all the tests you did and for your attention, you are great, really!!
Thanks for the hint, you’re right. By putting the naked domain, it works just fine.
On the WAF I created 3 firewall rules (Block Countries, Block Bot, Block Common Bot) and on the Security Overview I have a lot of blocked events everyday, I guess thanks to the WAF rules.
Do you think there could be something wrong with them?
Do you think I could re-enable the settings Bot Fight Mode and Browser Security Check or I keep them off? In case, is there some other file to connect to my website or they work fine just enabling them on Cloudflare?
You’re right, the Diagnostic Center seems not 100% reliable. I’m new on Cloudflare so, I’m not so expert and I’m getting crazy to make 100% green the Diagnostic Center test. I don’t know if there is some setting which could get conflicts with some other and I really try all my best to understand how to fix it.
I tried to reach the Cloudflare Support but I’ve the Free plan so, I read that not every user can reach it
I am really happy to hear you’re using Firewall Rules and other security options available to you so you could levarage bad guys out there and protect your Website as best as it could be!
I, hm the wrong … if you experience some issues with your Website or web app like not functioning well, or you get 1020 error and similar, then it should be questioned.
If you’re able, you can share them here and we can double-check those, if interested - just mask the IP or some other relevant private information from the screenshot, in case you’re using them in Firewall Rules due to privacy concern, if so.
But, I’d rather say nothing wrong with them.
That’s a good question.
Sometimes, it catches things which are good for us, catching and blocking WP-Cron sometimes as far as WordPress websites do have it, it runs on a daily and regularly base, therefore uses an old HTTP/1.0 version and no user-agent → which triggers the Bot Fight Mode and it blocks the request.
Simple solution is to add origin host/web server IP to the WAF → Tools → IP Access Rules with the action “allow”, that way it’s bypassed and WordPress website works normally as expected.
In case if interested, may I suggest reading below article from my colleague @jnperamo as it describes some cases and situations where Bot Fight Mode / Super BFM could make some issues and what could we do to make sure we’re good to go while using it:
I’d keep them on. I’d say if you suspect or see you’re getting something weird going on with for example, Googlebot or some other “good bot” from the verified bot list from the link below, write back or create a new topic and someone would see it and help you with it.
I’m happy to hear this!
Wish you a warm welcome here at Cloudflare Community Forums
I 100% understand you and your worry, therefore a dedicated willingness and effort to make sure you’re using Cloudflare the best way possible and have your Website as fast and as secure as it can be
You could always send e-mail to support[at]cloudflare[dot]com from your e-mail associated with your Cloudflare account describing your issue.
Therefore, if you get autoreply and like “closed”, kindly take a look into it and find a ticket number in it, which then you share it here with us so we could escalate your issue.
First of all I must thank you again for your very detailed answer!
Sure, I can share the Firewall Rules I set but I would prefer via private message so, I can share them all with you. I downloaded the Cloudflare Community Extension but I can not find a way, if it exists, to send you messages Could you tell me how to do that, please?
Unfortunately I experienced a lot of attacks and someone also copied my website to use it and sell it as a template… So, I need some protections more than a well written .htaccess.
Alright, I follow your suggestions and I will turn Bot Fight Mode and Browser Security Check settings on
Thanks a lot @fritex for your warm welcome, I really appreciate it and I’m very grateful. As I wrote before, I’m trying to protect all my work and thanks to your availability and deep knowledge I’m getting better.
I will write an email to the Support as well, hoping they will give me some feedback on how to get these issues clear.