I use Ezoic, and recently discovered that their list of IPs to be allowlisted had been updated but they don’t have a system in place to tell everyone! You just have to wait until a user reports getting errors, and then figure it out
I added each of their IPs to Security > WAF > Tools > IP Access Rules, but that was a very time consuming pain! It wouldn’t take the full list at once, I had to do add all 26 of them one at a time
Today, I see that under Manage Account > Configurations > Verified Bots I can add a bot.
Would this be a good way to allowlist Ezoic, instead of the IP Access rules?
If so, can you suggest what data to use here? Preferably not their IP list, since that changes without warning.
Or, any other suggestions on how I might permanently allowlist them without having to drop everything to manually allowlist IPs?
May I just ask if you’ve done those changes under the Ezoic’s dashboard?
Otherwise, the changes you’ve made would be reverted back and not applied correctly.
Have you tried reaching out to their Support so they would be able to provide you this information?
Maybe there is a unique user-agent string which they’re using and you could add it via a WAF rule.
I wonder which kind of type of Cloudflare’s security feature or a service is being involved, furthermore and why does the Ezoic get triggered and shown at Security → Events, if so?
What does their bot do? Should be one from the link below:
Except adding each of it individually and manually, we could create and use a list, however if you’d create a WAF rule with bypass or allow the e.g., if User-agent contains ezoic then allow and make sure it’s the 1st rule from the above on the WAF rules list.
I cannot find Ezoic bot on the verified bots list:
However, someone from Ezoic should send a request to add it using the form from below, , if so:
Therefore, it would show up on the list and make things easier for customers in the near future Hopefully someone from Ezoic reads forums related to this and other issues as well to improve things in the meantime.
Definitely a concern! But when I reported the Origin Errors to them, their suggestion was to “reach out to [my] host and ask them to allowlist [their] IP’s”. That felt like a canned reply, though, since they didn’t explicitly say anything about adding them to Cloudflare or my firewall.
Adding them to Cloudflare seems to have solved the issue, though.
I did, but they often take several days to reply. I’ll forget what I’m doing by then, so I was hoping someone might have already gone through this and there might be a common solution
Great question, but I honestly don’t know. The time that I saw it on my end, I saved this data:
I don’t see anything in Security > Events at that exact timestamp, and the ones that are nearby have IPs that are outside of Ezoic’s range.
Great suggestion! When my rep replies, if they have some way of recognizing the bot then I’ll suggest it. They’re a huge company, it’s pretty surprising that something like this isn’t already in place!
Hopefully someone from Ezoic reads 
forums related to this and other issues as well to improve things in the meantime.