If you’re using Cloudflare in front of the content, running hotlink protection at the origin is not going to work correctly.
Hotlink protection is based on the HTTP “referer” request header typically, and this is not included in the cache key when Cloudflare caches your content. This means that the first request to your resource will be cached and all subsequent requests to the same URL will get the same cached response. In practice this means some people will be blocked incorrectly, and others will be allowed incorrectly.
The right approach here would be to disable the hotlinking logic at your origin and enable Cloudflare’s hotlinking feature, or use the more flexible Firewall rules feature to define your own logic on Cloudflare.
I haven’t enabled the hotlinking feature; I have rules in the firewall that block certain referers, and they work fine blocking the images.
My question is about the first load of an image, when it isn’t yet cached by Cloudflare and needs to be loaded from the original server: is that request also blocked by the firewall?
From your response I deduce that I have to disable the rules set in the .htaccess on the origin server and keep only the rules in Cloudflare’s firewall, don’t I?
If when you say “firewall” you mean Cloudflare’s firewall, those rules will run on each & every request made to your website on Cloudflare, regardless of whether the response is in our cache or not.
Correct - running the logic on Cloudflare’s edge and removing the logic at the origin is the right way to have things working.
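Added example, not part of the thread and not Cloudflare's code: a toy model of the behaviour discussed above, comparing a Referer check at the origin behind a cache keyed on the URL only with the same check run at the edge on every request before the cache lookup. The hostnames, the path and all function and class names are assumptions made up for the illustration.

```python
from urllib.parse import urlparse

SITE_HOST = "example.com"                      # assumed site hostname
OWN_PAGE = "https://example.com/gallery"       # constructed Referer values
HOTLINKER = "https://hotlinker.test/page"
IMG = "/img/photo.jpg"                         # constructed image path

def referer_allowed(referer):
    """Empty Referer (direct visit) or a same-site Referer is allowed."""
    return not referer or urlparse(referer).hostname == SITE_HOST

def origin_with_check(url, referer):
    """Origin enforcing hotlink protection itself, as an .htaccess rule would."""
    return 200 if referer_allowed(referer) else 403

def origin_plain(url, referer):
    """Origin with the hotlink logic removed."""
    return 200

class UrlKeyedCache:
    """Toy cache: the key is the URL only, so the first response is replayed."""
    def __init__(self, origin):
        self.origin, self.store, self.origin_hits = origin, {}, 0

    def fetch(self, url, referer):
        if url not in self.store:
            self.origin_hits += 1
            self.store[url] = self.origin(url, referer)
        return self.store[url]

def edge_rule_then_cache(cache, url, referer):
    """Referer rule evaluated on every request, before the cache lookup."""
    return cache.fetch(url, referer) if referer_allowed(referer) else 403

def demo():
    warm_by_site = UrlKeyedCache(origin_with_check)
    warm_by_site.fetch(IMG, OWN_PAGE)                 # first request is legitimate
    leaked = warm_by_site.fetch(IMG, HOTLINKER)       # hotlinker gets the cached 200

    warm_by_hotlinker = UrlKeyedCache(origin_with_check)
    warm_by_hotlinker.fetch(IMG, HOTLINKER)           # first request is a hotlink
    broken = warm_by_hotlinker.fetch(IMG, OWN_PAGE)   # real visitor gets the cached 403

    edge = UrlKeyedCache(origin_plain)
    cold = edge_rule_then_cache(edge, IMG, HOTLINKER) # blocked with an empty cache
    hits_after_block = edge.origin_hits               # origin was never contacted
    ok = edge_rule_then_cache(edge, IMG, OWN_PAGE)
    again = edge_rule_then_cache(edge, IMG, HOTLINKER)
    return leaked, broken, cold, hits_after_block, ok, again

if __name__ == "__main__":
    print(demo())
```

The first two results show the wrong outcomes that depend on who made the first request; the last four show the edge rule giving the same answer whether or not the image is cached yet.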