Dear developers,
I’m quite new to SL but not to programming, and I need some help. I’m working on a Linden Script and would like to make a request to my self-built API server. I should be able to answer most, if not all, questions related to my setup. If I’m missing something, please let me know, and I will provide that information (if related).
Once my LSL script executes, it needs to authenticate with my server. Unfortunately, Cloudflare is getting in my way (and no, turning it off is not an option 🙂).
I noticed that requests made through the game with my LSL script are actually logged within my Cloudflare firewall. So, I had to make a firewall exception to whitelist Second Life requests, which I did:
(http.user_agent contains "ThePowerOfXXX") or (http.host contains "xxxxxxx.xxx" and http.request.uri.path contains "/api/v1/XXX/qr/")
The actions taken with this rule are that basically all security measures are disabled when the filter matches the request criteria.
However, this doesn’t work when making a request through Second Life. When I make a request, I get the following result:
{
"action": "managed_challenge",
"clientASNDescription": "AMAZON-02",
"clientAsn": "16509",
"clientCountryName": "US",
"clientIP": "34.217.0.30",
"clientRequestHTTPHost": "xxxx.xxx",
"clientRequestHTTPMethodName": "POST",
"clientRequestHTTPProtocol": "HTTP/2",
"clientRequestPath": "/api/v1/xxx/qr/",
"clientRequestQuery": "",
"datetime": "2024-04-08T10:06:54Z",
"rayName": "xxxxxxxx",
"ruleId": "bot_fight_mode",
"rulesetId": "",
"source": "botFight",
"userAgent": "Second-Life-LSL/2024-03-18.8333615376 (https://secondlife.com) ThePowerOfXXXX/v1.0.0",
"matchIndex": 0,
"metadata": [],
"sampleInterval": 1
}
The action that was taken is noted as (managed_challenge).
Now, let’s start Postman and test a direct call without Second Life.
{
"action": "skip",
"clientASNDescription": "TNF-AS",
"clientAsn": "33915",
"clientCountryName": "XX",
"clientIP": "xxxxxxx",
"clientRequestHTTPHost": "xxxxxxx.xxx",
"clientRequestHTTPMethodName": "POST",
"clientRequestHTTPProtocol": "HTTP/1.1",
"clientRequestPath": "/api/v1/xxx/qr/",
"clientRequestQuery": "",
"datetime": "2024-04-08T10:39:32Z",
"rayName": "xxxxxxxx",
"ruleId": "xxxxxxxxxxxxxxxxxxxxxxxxxx",
"rulesetId": "xxxxxxxxxxxxxxxxxxxxxxxxxx",
"source": "firewallCustom",
"userAgent": "PostmanRuntime/7.37.3",
"matchIndex": 0,
"metadata": [
{
"key": "ruleset_version",
"value": "56"
},
{
"key": "version",
"value": "10"
},
{
"key": "type",
"value": "customer"
},
{
"key": "js_detection",
"value": "MISSING"
}
],
"sampleInterval": 1
}
The action that was taken is noted as “skip”. So, it seems clear to me that the issue occurs within the Linden script I’m creating.
In my Linden script, I’ve created a method that should be able to call my server.
request_url(string url)
{ // url should start with /
// Get the username of the user touching the object
string username = llDetectedName(0);
// Create a JSON string with the username data
string payload = llList2Json(JSON_OBJECT, ["username", username]);
// Set the Content-Type header to "text/plain;charset=utf-8"
string content_type = "application/x-www-form-urlencoded";
headers = [
HTTP_METHOD, "POST",
HTTP_MIMETYPE, content_type,
HTTP_USER_AGENT, "ThePowerOfXxxxx/" + appVersion,
HTTP_CUSTOM_HEADER, "follow_redirects", "1"
];
http_request_id = llHTTPRequest(url, headers, payload);
}
Note: You might notice the content_type variable; I tried all of them to check for different results, but I keep running into Cloudflare protection.
Now, I do know there are various scripts making requests to external servers. Since SL migrated to the cloud, they don’t really have static IPs anymore to whitelist either. Tips are more than welcome; this is my last obstacle, to be fair. Help would be very much appreciated! Thank you so much in advance.