I am using it with the Under Attack mode, so all requests first pass through a JS Challenge.
Now, I would also like to show a Captcha (similar to Google Recaptcha, for example) on specific pages: /registration, for example.
I tried to create a firewall rule with the URI /registration that has the action Legacy Captcha. But it is not working, for two reasons:
the user can access it directly if he has already passed the JS Challenge thrown by the Under Attack Mode
when he accesses the URI directly, he is shown a Cloudflare page different from the JS Challenge, but NO captcha is shown. It seems similar to the JS Challenge (automatically completed).
Are you trying to add a “captcha” to the /registration URL when someone visits it, or rather to have the captcha on the form for the registration on the /registration URL?
I could have wrongly understood what you want to achieve; if so, I am sorry for that.
May I ask which option you have selected from the dropdown menu of the Challenge Passage option in the Cloudflare dashboard for your domain name, under the Firewall → Settings tab?
Try setting it to the lower - 5 minutes.
What comes to my mind is that, instead of using a Firewall Rule, you could try to use Cloudflare Page Rules.
Therefore, create one for yourdomain.com/registration* and pick the Security Level option and select “I am under an attack!”.
Nevertheless, I would also try to configure a Rate Limiting rule for this specific URL, for example:
if more than 10 requests to this URL from the same IP in a minute or 10 minutes, block it.
Ouch, true, I am sorry to hear you are also experiencing them.
I believe my colleague @jnperamo could add a few valuable notes and provide information about this here, as he is more experienced than me with this kind of “users” (read: bots).
I believe that this is the way the system is currently designed; I don’t think it’s made to support challenges on top of each other; you will have to choose between captcha or js challenge (you would need to disable UAM).
Weird, I haven’t seen this yet.
Those bots are quite problematic; some of the customers whose sites I manage have similar problems. Captcha isn’t a long-term solution because some browser extensions can solve any captcha presented to them.
Bot management could help; however, we’d be entering the enterprise world where things get very expensive.
Finally, be advised that to force captcha, you will need a paid package.
It was 4 hours. If I change it to 5 mins, it doesn’t really change anything since they are bots using real browsers (e.g. a JS extension).
Yes, after tooling a lot with Cloudflare I also believe that it is the way the system is designed.
Got it. But I also understand that even with a paid package, challenges cannot work on top of each other (e.g. JS challenge for all the default pages, then reCaptcha for the registration page).
I also believe that it is not possible to automate the appearance of a Captcha (of type reCaptcha) on a specific page with Cloudflare.
No. I believe that “Managed challenge”/“Captcha Legacy” just shows an older version of the “JS Challenge”:
This one is possible, the action is called Legacy Captcha now. You can’t choose your captcha provider though. It would be great if Cloudflare supported multiple Captcha vendors.
It shows whatever the system thinks is better for the type of visitor. You have to trust the Cloudflare system's “smartness” to deliver the right challenge (JS or Captcha).
The idea is to reduce the friction with legitimate visitors.
Not at first glance. Are you entirely sure no other rule is overriding the captcha? If so, can you make a ticket asking if this is the expected behavior? Let us know the ticket # once you have it.