Cloudflare exception

[icedterminal]

Problem

Your domains are proxied through Cloudflare (orange cloud toggle) and you see one or more of your sites as "Down" in the repo README summary.

Details

If "Bot Fight Mode" is ON, you will get a HTTP 403 response.

You can verify your setting state from the Cloudflare Dashboard:

1. Click your domain example.com.
2. Click [Security] in the left sidebar menu.
3. Click [Bots].

It wouldn't make sense to turn this setting OFF and reduce your site security. The actions in this repo use a bot to complete the checks of your sites. This bot is named "Koj Bot."
Cloudflare maintains a list of safe, verified bots that are always allowed. Koj Bot is not on this list and is subject to managed challenges/blocks.

Solution

You can whitelist the Microsoft ASN from which this bot originates from. This is the only method I have found to work. Using a custom WAF Rule to allow this bot by ASN and User Agent does not work.

From the Cloudflare Dashboard:

1. Click your domain example.com.
2. Click [Security] in the left sidebar menu.
3. Click [WAF].
4. Click the [Tools] tab.
5. In the [IP, IP range, country name, or ASN] box, type in: AS8075. Make sure you click the drop down option when it appears!
6. The [Action] should be Allow.
7. The [Zone] can be your entire account or just the website you are viewing.
8. Add a [Note] so you know what it's for.
9. Click [Add]
10. Run your uptime workflow action in a few minutes and check the log.

Comments

I spent about an hour trying various WAF Rules so I wouldn't have to whitelist the ASN. But it just wasn't possible. Cloudflare detects the bot behavior and just stops it.

Related issue #343

[MohamedElashri]

I don't understand why excluding Microsoft ASN would be the problem?
Are you using Azure?

[AnandChowdhary]

IIUC GitHub is owned by Microsoft and uses the same IP address range for hosted runners. :)

[MohamedElashri]

Yes, you are right. GitHub hosted actions are using azure. That makes sense.

[icedterminal]

You see that's precisely the problem. I've seen people use Azure hosting to deploy bad bots, or scanning utilities that look for exploits or holes. Whitelisting the entire ASN allows Koj Bot, the good, while simultaneously allowing the bad which is previously blocked with Cloudflare.

[VideoScape]

looks like this doesnt work anymore you need to disable it or just not use this, the rules don't affect bot fighting anymore.

[icedterminal]

It does. Because I still have it enabled and it works for me. Cloudflare even tells you the order of protection on the right. The ASN source comes before Bots. Thus it gets passed right along. Your rules always come before Cloudflare's rules. If the IP/ASN is allowed, it will be allowed regardless of bot or human traffic.