JS Challenge doesn't work

Hello,
This problem started recently without me changing anything.
JS Challenges stopped working and I don't know why.
My rules for JS Challenge:

(ip.src ne my.server.ip and ip.geoip.asnum ne 15169 and not ssl) or (cf.threat_score ge 5)

I noticed it helped me a lot in fighting bots. ip.src is used so that WordPress cronjobs would pass with wget.
asnum 15169 so that Google bots would pass.
not ssl: a lot of bots (bad bots with random queries) go to http and not https; that helped me filter A LOT of them.
cf.threat_score is just there for good measure, which helped filter a lot of proxies and VPNs.
But since today I noticed in my firewall that the action taken is UNKNOWN. Why is that?
If I create a new rule with JUST the not ssl rule and then try to access my website with http, it gets through without a JS challenge, yet it is logged in the Cloudflare logs with action taken UNKNOWN.
Is Cloudflare having issues?

Hi,

You could try setting your cronjobs using PHP instead of wget, to avoid the Cloudflare firewall altogether. https://stackoverflow.com/questions/12930936/wget-curl-and-php-for-cronjobs

You should use Firewall Rules’ Known-Bots parameter instead. Whitelisting a whole ASN to allow Googlebot may increase your attack surface needlessly.

JS Challenge is working fine in my domain. You should open a ticket with Support, they may be able to troubleshoot the issue. Go to https://dash.cloudflare.com/?account=support and pick Get More Help (last option)
EDIT: I just noticed a few cases of Unknown in a JS Challenge rule since last night and as recently as 14:20pm GMT -3
Perhaps @mdemoura may help clarify what’s happening.

Hey,
Thank you for taking your time and looking into this, thanks for the advice.

As far as the cronjob goes, I know there are other ways, like using PHP; however, that uses 2-3 times more CPU (I tried it), which is why I'm sticking with wget.

I haven't had any problems with asnum 15169, as Google seems to use it ONLY for their crawler bots and not for cloud services.
I don't want to use the Known Bots option as that would allow Bing (Microsoft mixes their bots with their cloud services and there is a flood of attacks coming from them, so I just blocked the entire Microsoft ASN; I don't really care about Bing).
Yandex makes OVER 100 requests a day to resources that don't exist on my page. I've seen as many as 5 attempts to the same resource that doesn't exist on the same day... I'm sorry, but that bot seems to be more like a spam bot rather than a search engine bot… My website has no content for a Russian audience, so I blocked Yandex too.
Mail.ru: why on earth does a mailing service need to index my website? (Blocked it too.)

JS Challenges seem to have stopped working at roughly the same time as they did for you. I thought I would not get help here, so I contacted Cloudflare support a while ago. Still waiting for the answer.

On the same day SSL started acting up and I was receiving 526 errors with the Cloudflare page showing up. I haven't touched anything on my server. I logged in to Cloudflare, turned off SSL, turned it back on, and now my website is accessible again.
Another weird thing is that I tried to copy the JS Challenge firewall rule from one account to my personal Cloudflare account. And on my personal account JS Challenge works.
Something weird is happening at Cloudflare's end.

Not arguing here, just curious: did you consider the CPU usage both for the wget execution and HTTP request both ways (including, if applicable, SSL handling)?

Not exactly. For example, check DNS tab here: https://bgp.he.net/net/104.198.128.0/19

You can always set a Firewall Rule to not block Known-Bots (safest method for Google) while setting the same rule to block specific ASNs, like Bing’s, Yandex’s etc.

Definitely arguing here 😄

If anything, CPU utilisation will decrease because the network is skipped. If it goes up the OP did something else.

Running an HTTP request to execute local code is just bad architecture and that is not going to change 🙂.

The thread can be closed, I found a workaround for the issue.

I contacted Cloudflare support (over a week ago) and they said they were ABLE to replicate the issue and they raised the question internally; they will keep me posted.
Today I received an email saying that support is backed up and that if the issue is not resolved I should reply to that automatic email…
In summary, Cloudflare hasn't fixed the issue nor are they planning to…
Another thing I noticed is that SSL (full strict) isn't working anymore (it was working fine for over a year without any changes on the server).
Thank you to the guys who posted here for the help; it looks like I will have to look for alternatives to Cloudflare before it breaks down completely…