Board: Meta
Topic: Re: Cloudflare inhibits downloads from bitcointalk.org
Post by BenOnceAgain on 04/03/2018, 17:04:40 UTC
Quoting from another thread:

Here you go: https://bitcointalk.org/merit.txt.xz

Similar to trust.txt.xz, it'll be updated weekly. It will show only the last 120 days of data; someone else should archive the old ones if you want them.

Through Tor—and this is not the first time I’ve had this problem:

Code:
$ wget -S https://bitcointalk.org/merit.txt.xz
--2018-03-04 14:59:20--  https://bitcointalk.org/merit.txt.xz
Resolving bitcointalk.org (bitcointalk.org)... 104.20.208.69
Connecting to bitcointalk.org (bitcointalk.org)|104.20.208.69|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 403 Forbidden
  Date: Sun, 04 Mar 2018 14:59:41 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: __cfduid=d96a5721469bb369ae9866953b833f0d91520175581; expires=Mon, 04-Mar-19 14:59:41 GMT; path=/; domain=.bitcointalk.org; HttpOnly; Secure
  CF-Chl-Bypass: 1
  Cache-Control: max-age=2
  Expires: Sun, 04 Mar 2018 14:59:43 GMT
  X-Frame-Options: SAMEORIGIN
  Strict-Transport-Security: max-age=2592000
  Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
  Server: cloudflare
  CF-RAY: 3f65354a2c56729b-AMS
2018-03-04 14:59:23 ERROR 403: Forbidden.

I have had the same problem with PGP keys and the trust database.  Even right-clicking to save images from within a browsing session oft (inconsistently) results in a Cloudflare 403 HTML file, apparently due to some weird quirks in how Tor Browser interacts with Cloudflare’s control-freakiness.

I request a workaround or solution for this general problem.  (Note: “VPN” is a non-answer.)

For the downloads problem, if the downloads do not require you to be logged in, accessing the BCT server by its direct IP address and/or a DNS record that resolves to the IP should make it accessible, provided BCT hasn't blacklisted all non-CF IPs.

For the website issue, how about 2FA, that could help the situation?  As you know, anytime a CDN has your certificate, they can intercept your traffic if they choose.

You could also make a login URL that is not routed through CF.  I don't know how much hacking of SMF it would take to implement that.  Actually, Cloudflare might have a way to direct certain URLs to directly point to the backend (BCT) servers.  I haven't messed with them in a while, since before they started doing their shared SSL service, so I'm not positive about this.

On the other hand, this might not address the problem that putting in a CDN was designed to prevent.  If the DDOS attacks were directed to the login URL it would then be vulnerable again.

I have an inherent distrust of infrastructure services that I don't control, which is why I try to avoid CDNs.  However, I have no website with as much traffic as BCT, so have never had to deal with that situation.

Best regards,
Ben
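
An added example, not part of the post above and not bitcointalk.org tooling: a Python check that a script mirroring merit.txt.xz could run so that an HTML 403 page like the one in the quoted transcript is never stored as the archive. The function names and result labels are illustrative assumptions, and the sample log is trimmed from that transcript.

```python
import re

XZ_MAGIC = b"\xfd7zXZ\x00"  # first six bytes of every .xz stream

# Constructed sample: trimmed from the `wget -S` transcript quoted in the post.
SAMPLE_LOG = """\
HTTP request sent, awaiting response...
  HTTP/1.1 403 Forbidden
  Content-Type: text/html; charset=UTF-8
  CF-Chl-Bypass: 1
  Server: cloudflare
  CF-RAY: 3f65354a2c56729b-AMS
2018-03-04 14:59:23 ERROR 403: Forbidden.
"""

def parse_wget_headers(log):
    """Return (status_code, headers) for the last response in `wget -S` output."""
    status, headers = None, {}
    for line in log.splitlines():
        if not line.startswith("  "):   # wget -S indents server headers by two spaces
            continue
        line = line.strip()
        m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", line)
        if m:                            # a new status line starts a fresh response
            status, headers = int(m.group(1)), {}
        elif ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers

def classify(log, body_prefix=b""):
    """Label a download attempt; body_prefix is the first bytes of the saved file."""
    status, h = parse_wget_headers(log)
    # These headers show the response passed through Cloudflare; they do not
    # prove whether the edge or the origin generated the error page.
    via_cf = h.get("server", "").lower() == "cloudflare" or "cf-ray" in h
    if status in (None, 200) and body_prefix.startswith(XZ_MAGIC):
        return "ok"
    is_error = status is not None and status >= 400
    if is_error and via_cf and h.get("content-type", "").startswith("text/html"):
        return "html-error-via-cloudflare"
    if is_error:
        return "http-error"
    return "not-xz"  # no error status, but the body lacks the xz magic (e.g. saved HTML)

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```
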