
[Scripting|SOLVED] Cloudflare Firewall -> External requests



Dear developers,

I’m quite new to SL but not to programming, and I need some help. I’m working on a Linden Script and would like to make a request to my self-built API server. I should be able to answer most, if not all, questions related to my setup. If I’m missing something, please let me know, and I will provide that information (if related).

Once my LSL script executes, it needs to authenticate with my server. Unfortunately, Cloudflare is getting in my way (and no, turning it off is not an option 🙂).

I noticed that requests made through the game with my LSL script are actually logged within my Cloudflare firewall. So, I had to make a firewall exception to whitelist Second Life requests, which I did:

(http.user_agent contains "ThePowerOfXXX") or (http.host contains "xxxxxxx.xxx" and http.request.uri.path contains "/api/v1/XXX/qr/")

The actions taken with this rule are that basically all security measures are disabled when the filter matches the request criteria.

However, this doesn’t work when making a request through Second Life. When I make a request, I get the following result:

{
  "action": "managed_challenge",
  "clientASNDescription": "AMAZON-02",
  "clientAsn": "16509",
  "clientCountryName": "US",
  "clientIP": "34.217.0.30",
  "clientRequestHTTPHost": "xxxx.xxx",
  "clientRequestHTTPMethodName": "POST",
  "clientRequestHTTPProtocol": "HTTP/2",
  "clientRequestPath": "/api/v1/xxx/qr/",
  "clientRequestQuery": "",
  "datetime": "2024-04-08T10:06:54Z",
  "rayName": "xxxxxxxx",
  "ruleId": "bot_fight_mode",
  "rulesetId": "",
  "source": "botFight",
  "userAgent": "Second-Life-LSL/2024-03-18.8333615376 (https://secondlife.com) ThePowerOfXXXX/v1.0.0",
  "matchIndex": 0,
  "metadata": [],
  "sampleInterval": 1
}

The action that was taken is noted as (managed_challenge).

Now, let’s start Postman and test a direct call without Second Life.

{
  "action": "skip",
  "clientASNDescription": "TNF-AS",
  "clientAsn": "33915",
  "clientCountryName": "XX",
  "clientIP": "xxxxxxx",
  "clientRequestHTTPHost": "xxxxxxx.xxx",
  "clientRequestHTTPMethodName": "POST",
  "clientRequestHTTPProtocol": "HTTP/1.1",
  "clientRequestPath": "/api/v1/xxx/qr/",
  "clientRequestQuery": "",
  "datetime": "2024-04-08T10:39:32Z",
  "rayName": "xxxxxxxx",
  "ruleId": "xxxxxxxxxxxxxxxxxxxxxxxxxx",
  "rulesetId": "xxxxxxxxxxxxxxxxxxxxxxxxxx",
  "source": "firewallCustom",
  "userAgent": "PostmanRuntime/7.37.3",
  "matchIndex": 0,
  "metadata": [
    {
      "key": "ruleset_version",
      "value": "56"
    },
    {
      "key": "version",
      "value": "10"
    },
    {
      "key": "type",
      "value": "customer"
    },
    {
      "key": "js_detection",
      "value": "MISSING"
    }
  ],
  "sampleInterval": 1
}

The action that was taken is noted as “skip”. So, it seems clear to me that the issue occurs within the Linden script I’m creating.

In my Linden script, I’ve created a method that should be able to call my server.

request_url(string url)
{   // url should start with /
    // Get the username of the user touching the object
    string username = llDetectedName(0);

    // Create a JSON string with the username data
    string payload = llList2Json(JSON_OBJECT, ["username", username]);

    // Set the Content-Type header (form-encoded here; other values were also tried)
    string content_type = "application/x-www-form-urlencoded";
    headers = [
        HTTP_METHOD, "POST",
        HTTP_MIMETYPE, content_type,
        HTTP_USER_AGENT, "ThePowerOfXxxxx/" + appVersion,
        HTTP_CUSTOM_HEADER, "follow_redirects", "1"
    ];

    http_request_id = llHTTPRequest(url, headers, payload);
}

Note: You might notice the content_type variable; I tried all of them to check for different results, but I keep running into Cloudflare protection.

Now, I do know there are various scripts making requests to external servers. Since SL migrated to the cloud, they don’t really have static IPs anymore to whitelist either. Tips are more than welcome; this is my last obstacle, to be fair. Help would be very much appreciated! Thank you so much in advance.

 

Edited by LovenseUser

5 minutes ago, Qie Niangao said:

Although I too am forced to use CloudFlare it's not for anything SL-related, so this is just a shot in the dark: Have you looked at disabling Bot Fight Mode, perhaps just as a test?

I think my test with Postman led me astray. It seems you are right. When I disable Bot Fight Mode, I actually receive the request on my server! So that’s definitely good news.

However, what I find odd is that I have applied a rule that should bypass Bot Fight Mode.

In my WAF (at the first position), I have the rule:

(http.user_agent contains "ThePowerOfXXX") or (http.host contains "xxxxxxx.xxx" and http.request.uri.path contains "/api/v1/XXX/qr/")


And the strange thing about this is, when I call this endpoint through Postman, this particular rule catches the request and allows it to skip. However, when I make the same request through Second Life, it seems to still be blocked.


29 minutes ago, Qie Niangao said:

Although I too am forced to use CloudFlare it's not for anything SL-related, so this is just a shot in the dark: Have you looked at disabling Bot Fight Mode, perhaps just as a test?

Actually, reading further, the documentation explains it perfectly. Thank you for putting me on the right track.

Limitations

You cannot bypass or skip Bot Fight Mode using the Skip action in WAF custom rules or using Page Rules. Skip, Bypass, and Allow actions apply to rules or rulesets running on the Ruleset Engine. While Super Bot Fight Mode rules are implemented in the Ruleset Engine, Bot Fight Mode checks are not. This is why you can skip Super Bot Fight Mode, but not Bot Fight Mode. If you need to skip Bot Fight Mode, consider using Super Bot Fight Mode.

Bot Fight Mode can still trigger if you have IP Access rules, but it cannot trigger if an IP Access rule matches the request. For example, the IP Access rule matches the connecting IP.

  • Like 2

  • LovenseUser changed the title to [Scripting|SOLVED] Cloudflare Firewall -> External requests
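
Added example, not part of the original thread: a small triage over Cloudflare firewall event records that separates decisions made by Bot Fight Mode (`source` of `botFight`) from those made by a custom Skip rule (`source` of `firewallCustom`), and flags the case from this thread where the Skip rule's expression matches but Bot Fight Mode decided first. The field names come from the two events above; the host, path, user-agent token and rule ID are constructed placeholders.

```python
import json

# Constructed sample events, modelled on the two firewall event records in the
# thread (field names from the page; values are placeholders).
SAMPLE_EVENTS = json.loads("""
[
  {"action": "managed_challenge", "source": "botFight", "ruleId": "bot_fight_mode",
   "clientRequestHTTPHost": "api.example.test",
   "clientRequestPath": "/api/v1/demo/qr/",
   "userAgent": "Second-Life-LSL/0000 (https://secondlife.com) ExampleApp/v1.0.0"},
  {"action": "skip", "source": "firewallCustom", "ruleId": "placeholder-rule-id",
   "clientRequestHTTPHost": "api.example.test",
   "clientRequestPath": "/api/v1/demo/qr/",
   "userAgent": "PostmanRuntime/7.37.3"}
]
""")


def skip_rule_matches(ev, ua_token, host_token, path_token):
    """Mirror of the thread's rule: UA contains X or (host contains Y and path contains Z)."""
    return ua_token in ev.get("userAgent", "") or (
        host_token in ev.get("clientRequestHTTPHost", "")
        and path_token in ev.get("clientRequestPath", ""))


def triage(events, ua_token, host_token, path_token):
    """Label each event by whether the custom Skip rule could have applied to it."""
    out = []
    for ev in events:
        matched = skip_rule_matches(ev, ua_token, host_token, path_token)
        if ev.get("source") == "botFight":
            # Bot Fight Mode checks run outside the Ruleset Engine, so a
            # matching Skip rule has no effect on this decision.
            verdict = "bfm_preempted_skip_rule" if matched else "bfm_no_rule_match"
        elif ev.get("source") == "firewallCustom" and ev.get("action") == "skip":
            verdict = "skip_rule_applied"
        else:
            verdict = "other"
        out.append((ev.get("userAgent", ""), ev.get("action"), verdict))
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS, "ExampleApp", "example.test", "/api/v1/demo/qr/"):
        print(row)
```

Events labelled `bfm_preempted_skip_rule` are the ones no change to the custom rule will fix; they need one of the options the quoted documentation names (Super Bot Fight Mode or an IP Access rule).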