How to Bypass Cloudflare Country Challenge Captcha on some URLs

Hello.
As of late, I set up a country challenge captcha in Firewall Rules for certain countries to slow down the ever-increasing bot problem.

It works great, however, I have some image URLs on my server I don’t want the Cloudflare (One more step) reCAPTCHA to show up on for those countries.

I’ll use this as an example:

https://www.example.com/examplefolder/folderstyle/example1.jpg
https://www.example.com/examplefolder/folderstyle/example1.png
https://www.example.com/examplefolder/folderstyle/example2.jpg
https://www.example.com/examplefolder/folderstyle/example3.jpg

Now I want the whole folder “example.com/examplefolder/folderstyle” and its contents to bypass the firewall so the reCAPTCHA won’t show up on the images.

I tried to create another Firewall Rule with the Fields
URL Full, URL, URL Path, URL Query String with
example.com/examplefolder/folderstyle*
example.com/examplefolder/folderstyle/*
example.com/examplefolder/folderstyle
example.com/examplefolder/folderstyle/
https://www.example.com/examplefolder/folderstyle/*
https://www.example.com/examplefolder/folderstyle*
www.example.com/examplefolder/folderstyle/*
www.example.com/examplefolder/folderstyle*
https://www.example.com/examplefolder/folderstyle/example1.jpg

It wouldn’t work. The Cloudflare (One more step) reCAPTCHA still showed up.

Then I decided to go into Page rules and created a page rule.
I tried Cache Level “Bypass” / Disable Apps / Browser Integrity Check “Off” / Disable Security / Server Side Excludes “Off”

It still won’t disable that screen on the contents of the folder. I’m not sure what I’m doing wrong. Does anyone have any ideas? Might be something simple I missed?

Post a screenshot of your firewall rule.


Hopefully that helps.

For starters, you’d better use “is in” rather than “equals”.

Then, simply add an additional and’ed (not http.request.uri.path contains "/examplefolder/folderstyle") and that should not fire the rule if the request contains that directory path.

In short

(ip.geoip.country in {"LIST OF COUNTRIES"} and not http.request.uri.path contains "/examplefolder/folderstyle")

Ok, I must be ditsy. I get a pile of errors adding it to the end of all this:

(ip.geoip.country eq "RU") or (ip.geoip.country eq "PL") or (ip.geoip.country eq "DE") or (ip.geoip.country eq "DK") or (ip.geoip.country eq "FR") or (ip.geoip.country eq "DO") or (ip.geoip.country eq "NG") or (ip.geoip.country eq "IL") or (ip.geoip.country eq "CL") or (ip.geoip.country eq "BE") or (ip.geoip.country eq "SG") or (ip.geoip.country eq "SE") or (ip.geoip.country eq "VN") or (ip.geoip.country eq "CR") or (ip.geoip.country eq "TN") or (ip.geoip.country eq "ES") or (ip.geoip.country eq "KR") or (ip.geoip.country eq "KP") or (ip.geoip.country eq "CZ") or (ip.geoip.country eq "SK") or (ip.geoip.country eq "IT") or (ip.geoip.country eq "AU") or (ip.geoip.country eq "ID") or (ip.geoip.country eq "AT") or (ip.geoip.country eq "MA") or (ip.geoip.country eq "ZA") or (ip.geoip.country eq "TW") or (ip.geoip.country eq "EC") or (ip.geoip.country eq "BR") or (ip.geoip.country eq "NL") or (ip.geoip.country eq "EG") or (ip.geoip.country eq "BG") or (ip.geoip.country eq "IN") or (ip.geoip.country eq "HU") or (ip.geoip.country eq "GB")

You shouldn’t add this. You should replace the original expression.
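Added example (not written by any poster in this thread): a Python model of the suggested expression, run over constructed requests and compared with two variants, one where the exclusion is appended to the "eq" chain without enclosing parentheses and one that exempts the folder by prefix instead of substring. It assumes "and" binds tighter than "or" in the rules language; the shortened country set, the sample paths and the function names are made up for illustration.

```python
# Added example: a Python model of the firewall expression discussed above.
# Country list (shortened) and request paths are constructed sample data.
CHALLENGED = {"RU", "PL", "DE"}
EXEMPT = "/examplefolder/folderstyle"


def rule_contains(country, path):
    # (ip.geoip.country in {...} and not http.request.uri.path contains EXEMPT)
    return country in CHALLENGED and EXEMPT not in path


def rule_appended(country, path):
    # "eq" chain with the exclusion appended and no enclosing parentheses.
    # "and" binds tighter than "or" (assumed for the rules language, true in
    # Python), so the exclusion attaches to the last country only.
    return country == "RU" or country == "PL" or country == "DE" and EXEMPT not in path


def rule_prefix(country, path):
    # Tighter exemption: only paths inside the folder, matched as a prefix,
    # so the folder name appearing elsewhere in a path does not skip the rule.
    return country in CHALLENGED and not path.startswith(EXEMPT + "/")


SAMPLES = [
    ("RU", "/examplefolder/folderstyle/example1.jpg"),
    ("DE", "/examplefolder/folderstyle/example2.jpg"),
    ("DE", "/contact/"),
    ("PL", "/blog/examplefolder/folderstyle-notes"),
    ("US", "/contact/"),
]


def evaluate(rule):
    """Return the sample requests for which the rule would show the captcha."""
    return [(c, p) for c, p in SAMPLES if rule(c, p)]


if __name__ == "__main__":
    for rule in (rule_contains, rule_appended, rule_prefix):
        print(rule.__name__)
        for country, path in evaluate(rule):
            print("  challenge", country, path)
```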

I noticed that after changing everything to “is in”
I’m not blocking, I’m putting up a Captcha

For the last 5 months, I’ve been getting bursts of spambots from all types of countries. What they would do is crawl 20 to 40 pages in a min then stop. I can tell it’s one bot because it will do it from the same country. It would happen maybe 7 times a week.
Then I tried to stop them with Wordfence firewall. Only let so many crawls in a min. Wordfence constantly blocked them. I would block the IPs and move on.

In Dec I noticed more bot visits from China, Japan, and Hong Kong. On the 29th of Dec I got hit with a bot in Hong Kong that would crawl every page a second from random IPs so I couldn’t block it. It’s still going from looking at the country Block firewall rule I added.

The majority have stopped now. However, sometimes I get these bot bursts from the US.
So if a country ends up with these bots, I just add the country to the list. Besides the US of course.

Post a screenshot of the new rule.

Yay, it works! Thanks. The images show up without the captcha but the rest of the site has the captcha.
Thank you so much.

I created a new rule for that and it already blocked 1.22K

Alright, then it works as intended.


Thank you. You can put this to resolved now. I’m happy 🙂
