Cloudflare DDOS protection breaks client

[snowe2010]

the programming.dev instance is getting hammered by /inbox requests. I'm not sure if it's coming from a mobile client or not, but turning on DDOS protection seems to immediately break the clients, with the error:

Turning down the DDOS protection immediately fixes the issue. Is this resolvable, or is it a consequence of wefwef not being able to complete the javascript check?

[geneccx]

@snowe2010 the /inbox to my understanding are server-to-server requests that are required for federation, so they shouldn't be coming from wefwef.

You might be able to identify the source by inspecting the nginx logs for Lemmy. The User-Agent header by default is configured to have the instance name and version.

Here's an example of my nginx access logs, coming from lemmy.world and beehaw.org:

135.181.143.230 [03/Jul/2023:04:58:28 +0000] "POST /inbox HTTP/1.1" 200 31 "-" "Lemmy/0.18.1-rc.4; +https://lemmy.world"
135.181.143.230 [03/Jul/2023:04:58:37 +0000] "POST /inbox HTTP/1.1" 200 31 "-" "Lemmy/0.18.1-rc.4; +https://lemmy.world"
135.181.143.230 [03/Jul/2023:04:58:39 +0000] "POST /inbox HTTP/1.1" 200 31 "-" "Lemmy/0.18.1-rc.4; +https://lemmy.world"
137.184.145.108 [03/Jul/2023:04:58:45 +0000] "POST /inbox HTTP/1.1" 200 31 "-" "Lemmy/0.18.1-rc.4; +https://beehaw.org"
135.181.143.230 [03/Jul/2023:04:58:46 +0000] "POST /inbox HTTP/1.1" 200 31 "-" "Lemmy/0.18.1-rc.4; +https://lemmy.world"
135.181.143.230 [03/Jul/2023:04:58:49 +0000] "POST /inbox HTTP/1.1" 200 31 "-" "Lemmy/0.18.1-rc.4; +https://lemmy.world"

As for fixing the mobile app...

Since wefwef has a server component that acts as a proxy between the user and the Lemmy instance, you may be able to whitelist wefwef's server IP.

An nslookup of wefwef.app gives the following:

Name:   wefwef.app
Address: 64.227.15.201

So if you were to allow wefwef through in Cloudflare, this should theoretically work.
https://developers.cloudflare.com/ddos-protection/tcp-protection/how-to/add-prefix-allowlist/

[snowe2010]

Dang.. Magic Transit (needed for that) is an enterprise only product.. Let me see what I can do. Thank you for the prompt response!

[huanga]

Why would you need transit for this? Assuming if the above is correct, you should be able to just whitelist the IP in WAF if you need to allow an IP to bypass you WAF: https://developers.cloudflare.com/waf/tools/ip-access-rules/

security > WAF > tools > ip address rules

[snowe2010]

@huanga I guess I don't. I don't know cloudflare very well and searched their documentation to find how to do it but didn't find that. Thank you for the guidance!

[aeharding]

Moving to a discussion.