Website issuing managed challenges to requests from subdomains

What is the name of the domain?

redacted-for-privacy.com

What is the issue you’re encountering?

I’m having a very odd issue. As of about noon yesterday my website has started issuing managed challenges to any requests coming from my subdomains. Everything has been working fine for the past couple of years and I haven’t changed any configuration settings.

What steps have you taken to resolve the issue?

I have a domain - let’s say domain.com, which has its DNS records in Cloudflare. If I access domain.com/api/posts/1 using curl from my local machine, I receive a response as expected. If I SSH in to sub.domain.com and do the same, I receive a managed challenge / please enable javascript response. If I turn off Cloudflare on sub.domain.com, I now receive the response as expected. I get the same issue if accessing the URL from a Cloudflare Worker.

I’ve tried temporarily setting the Security setting to Essentially Off (it’s currently set to Low), but it makes no difference. I’ve tried to allowlist access either by domain or by IP address, but it has made no difference.

What is the current SSL/TLS setting?

Full

May I ask if you see them under the Security events at Cloudflare dashboard? :thinking:

Could you share a bit more details, like what is the RuleID and Ruleset, also the Source of them? :thinking:

With default or custom HTTP header for user-agent? :thinking:

Could be either Bot Fight Mode:

Otherwise, we could try to give it a go with the Skip rules:
