Amend FAQ: Possible 403 (Forbidden) when using Cloudflare (and possibly other CDN's)

[m-scha1337]

Hi!

I just tried getting AutotuneWeb to run with my Heroku hosted Nightscout but for some reason i constantly got "403 (Forbidden)" and AutotuneWeb wouldn't be able to grab the profile from the Nightscout API.
After a while of troubleshooting, i actually noticed that cloudflare, which i am routing my web based Nightscout traffic through, seemed to log unusually many 'Bot fight mode' firewall events. It looks like cloudflare's firewall (specifically the 'Bots' module under "Security" -> "Bots" to be exact) rejects all of AutotuneWeb's requests towards the Nightscout API, therefore causing the 403.

Now, I am aware this is not an issue with AutotuneWeb in and of itself. If anyone is to blame, it is me for using cloudflare CDN and failing to recognize it as the culprit. But i hereby suggest extending the FAQ by mentioning the possibility of "Foul play" by intermediate services like cloudflare's bot protection. Especially because I never explicitly told cloudflare to block requests from AutotuneWeb. It just automatically classified the request as coming from a bad bot, therefore being fraudulent.

This may or may not also apply to other CDN's, I'm not sure.

[KittDoesntCode]

For troubleshooting these events, visit Security -> Events. You'll see a source IP (I won't like it here) being caught by "Bot fight mode"

If your trust that IP (temporarily or permanently), you can add a bypass rule. Go to Security -> WAF -> Tools. Add an IP Access Rule by putting in the IP address, Action = Allow, Zone = This Website, and click the "Add" button. The AutotuneWeb site won't be blocked any longer.

[m-scha1337]

Changes to Bot fight mode now prevent admins from creating a bypass rule, as documented here:

You cannot bypass or skip Bot Fight Mode using the Skip action in WAF custom rules or using Page Rules.

https://developers.cloudflare.com/bots/get-started/bot-fight-mode/#limitations

 

The only workaround i have found so far (after haphazardly skimming through settings and the docs for 2 minutes, so this is by no means the definitive solution), is to temporarily disable Bot fight mode.
Personally, i do seem to receive lots of bot traffic, which is why i want to stress the temporary nature of this workaround and i do recommend that Bot fight mode be enabled again, as soon as AutotuneWeb has done its thing.