this post was submitted on 16 Sep 2025
64 points (100.0% liked)

fediverse

573 readers
1 users here now

A community to talk about the Fediverse and all it’s related services using ActivityPub (Mastodon, Lemmy, KBin, etc).

This is not the place to gossip about other instances.

What is the fediverse?

Guide to the fediverse

Explore the fediverse

founded 2 years ago
MODERATORS
PorkrollPosadist@hexbear.net
jack@hexbear.net
64
Cloudflare is a threat to federation (hexbear.net)
submitted 3 days ago by buckykat@hexbear.net to c/fediverse@hexbear.net
25 comments fedilink hide all child comments
 

Posts from users on instances that use Cloudflare do not work correctly. The images in these posts do not load because Cloudflare deliberately blocks them from loading unless the post is viewed on the instance of the user who posted, not the instance of the community the post is in or the instance of the user browsing.

For example, this recent post in c/games. Clicking the thumbnail to expand the image results in a broken image, as shown:

Clicking the rainbow federation "show context" link to open the page on the user's home instance of lemmy.zip gives this Cloudflare page claiming to verify that I'm human (actually just harassing me for using a VPN as everyone should at all times):

Only after passing which do I get the post on lemmy.zip, where the image opens without further trouble:

Now, in order to vote or comment on the post, I'd have to go back to the original, broken page on my own instance.

To be clear, this is nothing against the post I'm using as an example or the user who posted it, but against that user's home instance's use of Cloudflare.

you are viewing a single comment's thread
view the rest of the comments
[–] Edie@hexbear.net 3 points 3 days ago (1 children)

This behaviour is happening because hexbear uses the image proxy

That actually doesn't seem to be the case

[–] Demigodrick@lemmy.zip 2 points 3 days ago* (last edited 3 days ago) (2 children)

One of the images from the OP that they were challenged on is: https://hexbear.net/api/v3/image_proxy?url=https%3A%2F%2Flemmy.zip%2Fpictrs%2Fimage%2F9925d030-56d3-464b-95bf-8f59dd591496.webp

ETA: If Hexbear wasn't using the proxy, then the user would be served the image from hexbear itself and therefore our cloudflare challenge would never kick in, because the user would never visit lemmy.zip and it would all be handled server side, which isn't happening in this case.

[–] buckykat@hexbear.net 3 points 3 days ago

So you don't have a way to differentiate between image requests coming from a federated instance's proxying and a scraper?

[–] Edie@hexbear.net 2 points 3 days ago (1 children)

If I add lemmy.zip to my local domain blacklist I get the broken image.

[–] Demigodrick@lemmy.zip 2 points 3 days ago (2 children)

Yes, thats because Hexbear is proxying the image from lemmy.zip, not serving it via hexbear.

We do the same at lemmy.zip, it's good practice, but you are then interacting directly with lemmy.zip to get our images, hence why it breaks if you block lemmy.zip

[–] db0@lemmy.dbzer0.com 5 points 3 days ago* (last edited 3 days ago)

That's the opposite of proxying. Proxy would mean hexbear servers fetches the images on behalf of their user therefore "proxying" the request. This is direct or hot linking.

[–] Edie@hexbear.net 2 points 3 days ago

So in what way do you mean "proxying" when my browser directly connects to lemmy.zip to fetch an image from lemmy.zip when I expand the image on the hexbear post https://hexbear.net/post/6158265