Why is a WAF Allowlisted IP still seeing JS Challenge?

Hi all, posting this here as we can’t seem to figure out what is going on in this case and hoping someone might know something that can help.

In short, what should have been an easy allowlisting of an IP (RSS Reader/Server) to access a site is not working. We’ve done two updates to the WAF and the RSS Reader in question is still being served a 403 due to what we believe is a Cloudflare JS Challenge (even with the IP being allowlisted, though maybe we’re doing something wrong?).

Step one, we created a Custom Rule under Security > WAF

Selecting SKIP and checking all the boxes below (also checked the ones that can be expanded).

We then also added an IP Access Rule under Security > WAF > Other. Not sure this was needed, or whether, if we had done this first, the custom rule would not be needed (unclear to me if they just overlap or if both are required). In either case, we added it there like this.

See the next post; I was not able to include two.

Unfortunately, and a testament to us not understanding how to configure CF correctly (at least presumably), the RSS Reader is getting a 403 Error. Upon doing a CURL request from the server console, we see the following… which seems to be the CF JS Challenge unless I’m mistaken.

<!DOCTYPE html>
<html lang="en-US">
<head>
    <title>Just a moment...</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=Edge">
    <meta name="robots" content="noindex,nofollow">
    <meta name="viewport" content="width=device-width,initial-scale=1">
    <link href="/cdn-cgi/styles/challenges.css" rel="stylesheet">


</head>
<body class="no-js">
    <div class="main-wrapper" role="main">
    <div class="main-content">
        <noscript>
            <div id="challenge-error-title">
                <div class="h2">
                    <span class="icon-wrapper">
                        <div class="heading-icon warning-icon"></div>
                    </span>
                    <span id="challenge-error-text">
                        Enable JavaScript and cookies to continue
                    </span>
                </div>
            </div>
        </noscript>
        <div id="trk_jschal_js" style="display:none;background-image:url('/cdn-cgi/images/trace/managed/nojs/transparent.gif?ray=7b72b73d4c34dc41')"></div>
        <form id="challenge-form" action="/feed/?__cf_chl_f_tk=Jb7yTLw4ShwajNPXdsOLv7h1bmRBKeWJCUaSMJcBpKw-1681378493-0-gaNycGzNCiU" method="POST" enctype="application/x-www-form-urlencoded">
            <input type="hidden" name="md" value="pXrBfu8ZW_7EyfrzSpa3QcIKpfo.VTqg6k9xS6coD3Q-1681378493-0-AYcLQ-byKjgwxNbkwaBM2anu3wEnnpEGlreg171Ytjysn_f_ynbmn8LjQzPWswRPak2m_rAah5FaesUzBuvfJ9h0YAsxP5E8rtRFVAA0xkSv1pYYn-8oQLXX9iz_qWez795IfS52xM9JV317vlhMalWbIXcbrRa60f7JiF-kvIux4JyyyrpUReI6wcd1rJO1ZtYOIDLh_Ba34rr70rjx2T251lCILCY1CJ3I0QQz6UkVrBYOxXRO6iJidC2a3kggJDfaJY6myyj5CuLBv_5YJV4lGynhyUPu454iCRXf4GDIhm-_rx6BZlaM9hBOJMwdu4S_ATsqFoJ9H8rCj0eQf5WUgdDNNPNy38P0DunQuXKWA2dblMUrSrmVhQ0LTNCFhkvJcQtDNDOlwATMdmKy3CVHKMAWvpPHQRiCsedA4ovsoesfxQWJ7hCEdM_KFN86akO6PoTHvGcry-vay0WxmciehlF5zZWOvSpf2B-qv5xfxBKNmbd2eVSYe33siOXG3xGpP5J63Pvg8u18_EZXPvku2IbEuukMinE7euBpi3TPPnYBSNJoUWI2zWJ2aFmgYOoM0MA8rtsye7XTlA-jk-SFWUixXw2KbjquTYzL7kax1wb_AryUFru6MCamBnPBU4tDRHk0iJCMc4MEDJVQZjzyr06M_yK-EYALQD_kd7ysyBZHeW7EO3DfPaqRTg2YLe_G6l0eHUr5OgXCUcAHXpKBHd4FDnU7VO6TgB6TegzCfiXQyI8XdPxm2ECqIEYgUK9-OQI7wRKoTWWTCFeSgUT61966OnBPeXMu7diStd1CGVK75MuH1ObLzhzL98TZbPH5EBQtSA_3SBHGk0giZ0uqz2X7eYHlZMAjnFoUkn0pRroDvznyKAs7lPiQAx17VkCcOeOL7kpWpfMstSp2RfLJQ4taQgOsu5cyJK8kmF0W8VwEhj5x-rmSsPkTJvrp_1Du4ohlUEbHO4iE-BF-tKq7-s28dvNJC3KIk2QCrYyRyq_nGoyvU9i-_1TMR-xrYXnVur5xd5juqLBzNLlWxz-hPtr_1bCpiv3rSi26kz3mHddRS325y819hlFyvMQsg828J5WD-2UtR9otgbxQ544wdkbOM2RvHB2B9Kw5QWDjgr0MQoW0QCpzr6iucKHplWJ43RpJOHsZhCWSDBZBxoSyC6Mw1Vge5TxYY3CfX5KShP1GXLUh6iDWOV89dxEM6buE3wV79IlmQX_s6psrzBLgfJYSeaLmjjUHyw0HVFhE9LqLI_VVRfWXSlQFm0ofkOu-UqJUg5waGEujxDsmOlEOQIn0MUxYU9qz6uZYG9I2HCEgCO7f4iAJe_t0CBB10WCFD3Uz2Fx8j68GC9bMUTfwDnTdDTySWPDEOh7uPoZTzkE7JNl_96jz8mPWZCW1NJsdyH5662abVklO0js_Lqe5aLl8lL3nFAyJImBRO4kX-X94P8_e8QtUON4GRqY8jowpFdTPtN_x4v60lmFxXTWF1KS3MF9z_chG46-DRkgDEfrPWfl4AyR0v2jyMqvWp8rcoGfw0A1qoGHSnQuhYPmKpPtYzxP22vncX4RYf5KUr2E1KRRXiPQSAPFTxg-U3MExp-V9LatITNKKvHGcG0yYmKbjouhMV5zmk7Gji9UxUsnoUEgyAeTBfWbnMbxTSeeyA-pGhc5yKlH7sG3loeQRxEPsUn83t7HWm6EvlaaAZ1AfvI52ttA9G09e-TuYgL0vubRG3xU20mBGKoAcQuEj3F2P_o-HZhXBD60xpxWa63mZ7SDs4iG0MXa-jOwK8RKJCDqeXe7mVJKd0sU_tNkqFXF9onM6wOdr8p5AzJaw-qpOBGmuzwVuxuX6Rj_mnCsFTPpYk9-4HylOaBWqLBXGKP3800SHe4obz
n4lVy2fxpxMzhAYaLc-axrcH80lMpNz_iRyGguxzLbVEdWVrlzK2Jgs9BkLG6H0f42o3-vLrNXZKDL-sKkF4vhl20Q3nQbdU7nusgR9rtpdnzw0OtBBzR8XCdPtY63OHAZHYwcMXQ0jCGSpVj5UW0LEGz90Z_HPVD8os2nd-6-2sKHUhu1mxe2BL9LM35fcTJdB-t1Oiyfl-kodC_MC3qiMdynVGa2ISOb2n7r1kVS4Hemyg5sim0OiXBIiLGyBUttHZOM-A-Dsp2rJvWY6g0XOuzqgVuLvMjhCq9D4kuk2SoNlAa2DkL6AAljJHWiNrY4qqLkDnfB6nGw5m60RZRtQu58EAfrU66mDQgiSGhW1Dxgz93lOH5wF-QIrnQyQsXnd0fcS8HG52JMohvXaQV5XXC8xePoXckvqlt6NcIAkqH9jnp_CPPBHeB9ya3J8MvrURdx6NeDX2jSXLWzOLVs2hXCysnINxknT8iJbZkJdqjnk4vkaXS-vL4aFtjLsBbmeBSBZjfhErZmzOa1r8nyN8taketZoJC8IlKYXzJwOO53T6W6S_PS0U20pQjSaus-WLQH-joqtB962iRT7-6oyn79hRWEA4ysSvtkhFF3oGO6cKT5QNGbcNN6jW5PfQWdBnczX">
        </form>
    </div>
</div>
<script>
    (function(){
        window._cf_chl_opt={
            cvId: '2',
            cZone: 'vrgamecritic.com',
            cType: 'managed',
            cNounce: '65703',
            cRay: '7b72b73d4c34dc41',
            cHash: '1caadc8d578fc23',
            cUPMDTk: "\/feed\/?__cf_chl_tk=Jb7yTLw4ShwajNPXdsOLv7h1bmRBKeWJCUaSMJcBpKw-1681378493-0-gaNycGzNCiU",
            cFPWv: 'g',
            cTTimeMs: '1000',
            cMTimeMs: '0',
            cTplV: 5,
            cTplB: 'cf',
            cK: "",
            cRq: {
                ru: 'aHR0cHM6Ly9wbGF5c2Vuc2UubmwvZmVlZC8=',
                ra: 'Y3VybC83LjU4LjA=',
                rm: 'R0VU',
                d: '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',
                t: 'MTY4MTM3ODQ5My4wMDUwMDA=',
                m: 'RubI2GjIakyT2LPudt8HkwDxsAMUZFLwagPi2FglN5g=',
                i1: 'auHyRcoPhjnxr90xuR8EWQ==',
                i2: 'Kvh3G8BhWmVfK6c+gJSZ1w==',
                zh: 'W2EAMTBhg5okSQxUf1T0p5OnQ0UdzY2n9XDj3mVa4W0=',
                uh: '3eCW9wmHFxRdeO8XVCuzIxmX/hZFk4VAcqHhoWaSI4Q=',
                hh: 'r6Wkva9VZGbJNCAwV7wiMgqAvwdcy5GCNSSz9bqGT74=',
            }
        };
        var trkjs = document.createElement('img');
        trkjs.setAttribute('src', '/cdn-cgi/images/trace/managed/js/transparent.gif?ray=7b72b73d4c34dc41');
        trkjs.setAttribute('alt', '');
        trkjs.setAttribute('style', 'display: none');
        document.body.appendChild(trkjs);
        var cpo = document.createElement('script');
        cpo.src = '/cdn-cgi/challenge-platform/h/g/orchestrate/managed/v1?ray=7b72b73d4c34dc41';
        window._cf_chl_opt.cOgUHash = location.hash === '' && location.href.indexOf('#') !== -1 ? '#' : location.hash;
        window._cf_chl_opt.cOgUQuery = location.search === '' && location.href.slice(0, location.href.length - window._cf_chl_opt.cOgUHash.length).indexOf('?') !== -1 ? '?' : location.search;
        if (window.history && window.history.replaceState) {
            var ogU = location.pathname + window._cf_chl_opt.cOgUQuery + window._cf_chl_opt.cOgUHash;
            history.replaceState(null, null, "\/feed\/?__cf_chl_rt_tk=Jb7yTLw4ShwajNPXdsOLv7h1bmRBKeWJCUaSMJcBpKw-1681378493-0-gaNycGzNCiU" + window._cf_chl_opt.cOgUHash);
            cpo.onload = function() {
                history.replaceState(null, null, ogU);
            };
        }
        document.getElementsByTagName('head')[0].appendChild(cpo);
    }());
</script>


</body>
</html>

What are we doing wrong, why is the client still being served a Challenge when allowlisted?

Chris

And here’s what we did under Security > WAF > Tools for reference:

Do you have Super Bot Fight Mode enabled?

https://developers.cloudflare.com/bots/troubleshooting/#what-should-i-do-if-i-am-getting-false-positives-caused-by-bot-fight-mode-bfm-or-super-bot-fight-mode-sbfm

I don’t think so, but will double check. That said, doesn’t the quote below from the link/page provided say that it would be inactive/disabled in the case of IP Access Rules existing (as posted above, we have added the server IPv4/6 to the Other tab (IP Access Rule))?

SBFM can be bypassed with IP access “Allow” action rules. BFM will be disabled if there are any IP access rules present.

You’re right. I totally overlooked that second post.

Next step would be to look at Firewall Events for Ray ID 7b72b73d4c34dc41

Hopefully it has some entries that would point you to the culprit.

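To turn a curl response like the one posted above into the fields worth checking in Firewall Events (the Ray ID, the challenge type, and the decoded request URL, user agent and method that Cloudflare embeds in the page), here is a small triage helper. This is an added example, not code from the thread or from Cloudflare; the sample body is a trimmed copy of the posted challenge page with the long form token dropped, the headers are constructed, and the `cf-mitigated: challenge` header is the one Cloudflare adds to challenge responses.

```python
import base64
import re

# Constructed sample: a trimmed copy of the challenge body from the post above,
# keeping only the _cf_chl_opt fields this helper reads (form token dropped).
SAMPLE_BODY = """<!DOCTYPE html><html><head><title>Just a moment...</title></head>
<body class="no-js"><script>
window._cf_chl_opt={
    cvId: '2', cZone: 'vrgamecritic.com', cType: 'managed',
    cRay: '7b72b73d4c34dc41', cTplV: 5,
    cRq: { ru: 'aHR0cHM6Ly9wbGF5c2Vuc2UubmwvZmVlZC8=', ra: 'Y3VybC83LjU4LjA=', rm: 'R0VU' }
};</script></body></html>"""
# Constructed headers; cf-mitigated: challenge is what Cloudflare sets on challenge pages.
SAMPLE_HEADERS = {"Server": "cloudflare", "cf-mitigated": "challenge",
                  "CF-RAY": "7b72b73d4c34dc41-AMS"}

FIELD = re.compile(r"\b(\w+):\s*'([^']*)'")  # key: 'value' pairs inside _cf_chl_opt


def is_cf_challenge(headers, body):
    """True when the response is a Cloudflare challenge page, not the origin's own 403."""
    h = {k.lower(): v for k, v in headers.items()}
    return h.get("cf-mitigated") == "challenge" or (
        "_cf_chl_opt" in body and "Just a moment" in body)


def parse_challenge(headers, body):
    """Extract what you need to locate the event in Firewall Events; None if not a challenge."""
    if not is_cf_challenge(headers, body):
        return None
    h = {k.lower(): v for k, v in headers.items()}
    fields = dict(FIELD.findall(body))

    def b64(key):  # cRq values are base64-encoded request metadata
        val = fields.get(key)
        return base64.b64decode(val).decode("utf-8", "replace") if val else None

    # Prefer the Ray ID in the page; fall back to the CF-RAY header (colo suffix stripped).
    ray = fields.get("cRay") or h.get("cf-ray", "").split("-")[0] or None
    return {"ray_id": ray, "challenge_type": fields.get("cType"),
            "zone": fields.get("cZone"), "request_url": b64("ru"),
            "user_agent": b64("ra"), "method": b64("rm")}


if __name__ == "__main__":
    for k, v in parse_challenge(SAMPLE_HEADERS, SAMPLE_BODY).items():
        print(f"{k:15} {v}")
```

The decoded user agent shows which client identity the challenge was applied to, which is the first thing to compare against the allowlisted source in the event log.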

At first glance everything seems fine. What does the Ray ID show?

I suspect it might be one of those managed rulesets that can’t be disabled but, if that’s not it, it’s probably a bug.