Have you searched for an answer?
Yes.
Please share your search results url:
https://blog.cloudflare.com/http-ddos-managed-rules/
Describe the issue you are having:
Our site and our site’s images are currently served via Cloudflare (let’s say for argument’s sake the site’s domain is example.com and the images are hosted under images.example.com – both use Cloudflare).
We want to use an external service (like imgix) to perform image processing on these images (let’s say for argument’s sake these are exceedingly large images, so can’t be processed using Cloudflare Images).
Thus the images will be served via images.external-service.com while users will continue to access example.com.
However: Cloudflare is currently serving response challenges to the external service.
What is the correct way to prevent these response challenges?
The external service can’t forward them to the user, since these are image assets loaded via an <img> tag, so currently the images simply break, and there’s no recourse for the user to perform a challenge. (Even if they could, performing 2x challenges would be pretty bad, i.e. one for example.com and another for the images.)
AFAIK we also can’t forward Cloudflare’s session cookie to the external service as it’s on a different domain.
What error message or number are you receiving?
403 (challenge response)
What steps have you taken to resolve the issue?
We’ve configured a Cloudflare rule to use “Essentially Off” protection based on the user agent (the external service uses a specific user agent).
However: the docs (linked above) state you should only use “Essentially Off” if “one of your legacy HTTP applications is violating protocol standards”… which implies there’s a better / preferred way of doing this?
If so, what would that be?