Cloudflare Bot Fight Mode blocking my domain from Flipboard
I have a Medium publication that uses a custom domain name. It’s just a simple redirect. But the domain is hosted by Cloudflare. In the past I could easily share a story from Medium to Flipboard, and I still can from any of the native Medium publications. Just not from the custom one.
I was told by Flipboard that: “Couldflare recently made some changes that resulted in Flipboard being blocked in Cloudflare’s Bot Fight Mode. However, this has been fixed now. Please allowlist these two user agents: “Flipboard” and “FlipboardProxy” and these two proxy IP addresses: 23.23.178.171 and 23.23.178.169.”
I am a creative, not a tech person. I know nothing. But I did some research and figured out where WAF was under Security. I created a custom rule listing “Flipboard” and “FlipboardProxy” as user agents, and the two IP addresses: 23.23.178.171 and 23.23.178.169. I chose SKIP as the action.
Still blocked.
I see that “Flipboard” doesn’t appear to be the desired format for a user agent value. It appears to be something closer to “Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (FlipboardProxy/0.0.5; +http://flipboard.com/browserproxy)”
Tried that as well. Nothing.
I also tried going back to just “Flipboard” and “FlipboardProxy” and making the value CONTAINS.
I’m certain this is all stupid and I have one thing missing or wrong.
Please help.
32 Replies
Are you on a Paid Plan?
No. A free plan. Forgot to say that. Also, the domain is ABitDodgy.uk is that’s needed.
On the paid plans, you have access to Super Bot Fight Mode. Regular Bot Fight Mode does not abide by any rules you set, it is either on or off
I would recommend disabling BFM, and instead building some more tailored firewall rules if necessary
Oddly, it appears mine isn’t even on. Unless I’m misunderstanding that as well.
Yeah, that's weird. Can you trigger a request from Flipboard, then check your logs?
I'm curious what else could be blocking it
IDK. I’m so ignorant. If I look at the logs, it would appear there’s been zero traffic for the last 30 days. But these stories are being read. Everything else seems to work fine. It’s worked for over a year and suddenly stopped.
When I contacted Flipboard, I was told this. Then when I asked follow up questions they told me they’d done all they could do and to contact Medium. Nice.
To confirm, do you see anything here? https://dash.cloudflare.com/?to=/:account/:zone/security/analytics
When I go to that link, I go to the main dashboard. If I look at logs, lots of traffic. I have three domains on there. But for the one in question, if I check its logs, nothing.
Weird...
Sigh.
The domain seems to work fine. It just can’t be shared to Flipboard. I don’t want to pay $20/month just for that. I could just use Medium and forgo the custom domain, but that sucks.
I’m sure I screwed something up somewhere. It’s like reading stereo instructions in gibberish.
Do you have log requests on for your Skip Custom Rule? You're going out further to like 24 hours with Security Events, right? and still not seeing anything?
errr, under DNS -> Records, do you even have the record with the name
ABitdodgy.uk proxied?I have log requests enabled. Looked at 30 days.
I barely know what the means, but I can look.
Under DNS -> Records of the website, you should have a record which looks something like this:
Should say either "Proxied" or "DNS-Only" is the bit of information I'm looking for
cool so none of your CF config even applies
Medium uses Cloudflare though, for their custom domains as well
How do you know they're being blocked btw? Does it show the exact error/code/headers on their end, or just something more vague?
Much more vague. Hold on.
“David Todd McCarty” is the name of my Flipboard Magazine. Normally. It would say, successfully flipped.
If you look above, you’ll see the message I got from a Flipboard admin saying it was a Cloudflare issue.
which url is that? I know nothing about Medium, but it looks like all your stories are flagged as "Members Only"?
ABitDodgy.uk
right but I meant which specific blog post/exact url
was trying to repro from curl to see what response I'd get
They are, but that’s never been an issue in the past
Medium
The Value Of Doing One Thing Really Well
In a world where we are constantly overwhelmed by choice, it’s nice to come across someone who specializes in a single thing
When I sent a non-browser request, like with the user agent you gave, I get just a redirect to their login page looks like
I'd assume that's scraping protection, maybe due to it being a non-member story
I can share any other Medium story because none of my other pubs have custom domains.
I'm not sure of the full integration here, but I'd guess that's closer to the root of your issue. If Medium lets you bypass for specific IPs or something then probably related.
Your cloudflare configuration has nothing to do with this though, you don't have proxy enabled, so none of your settings apply. Medium itself does use Cloudflare though, but it'd be an issue on their end/their config
They’re all Member only reads. But you can still see the intro and I include a friend link at the top.
Ok. So check with Medium?
Yes. As a basic rule: Unless you use the Cloudflare proxy (orange DNS entries), you use Cloudflare only as a fancy manger for your DNS records/nameserver, nothing more. Cloudflare cannot control what happens with HTTP requests then.
Ok. Thanks everyone. Appreciate the effort.