this post was submitted on 16 Sep 2025
64 points (100.0% liked)


Posts from users on instances that use Cloudflare do not work correctly. The images in these posts do not load because Cloudflare deliberately blocks them from loading unless the post is viewed on the instance of the user who posted, not the instance of the community the post is in or the instance of the user browsing.

For example, this recent post in c/games. Clicking the thumbnail to expand the image results in a broken image, as shown:

Clicking the rainbow federation "show context" link to open the page on the user's home instance of lemmy.zip gives this Cloudflare page claiming to verify that I'm human (actually just harassing me for using a VPN as everyone should at all times):

Only after passing which do I get the post on lemmy.zip, where the image opens without further trouble:

Now, in order to vote or comment on the post, I'd have to go back to the original, broken page on my own instance.

To be clear, this is nothing against the post I'm using as an example or the user who posted it, but against that user's home instance's use of Cloudflare.

top 25 comments
[–] PorkrollPosadist@hexbear.net 43 points 4 days ago (3 children)

Whose fucking genius idea was it anyway to just let this company MITM half of the Internet's TLS traffic?

[–] ScoffingLizard@lemmy.dbzer0.com 26 points 4 days ago (1 children)

Goddamned bots fucking up everything they touch is the problem.

[–] TankieTanuki@hexbear.net 11 points 4 days ago

Fuckin' clankers! maddened

[–] TankieTanuki@hexbear.net 14 points 4 days ago

I momentarily considered using their CDN for TankieTube and I'm glad I didn't

[–] ScoffingLizard@lemmy.dbzer0.com 22 points 4 days ago

I am so sick of Cloudflare's bullshit. It will probably never go away. First a password, now multifactor authentication with my phone and email, now I have to wait and click a box or hold some button down and the shit still doesn't work.

[–] BigWeed@hexbear.net 17 points 4 days ago

Cloudflare makes the internet unusable, I hate them. They demand you use the top browsers so they can sell your traffic and then they double dip to sell the internet to AI companies so they don't have to scrape. The only advantage as far as I can tell is that they also host most streaming piracy.

[–] DefinitelyNotAPhone@hexbear.net 13 points 4 days ago (1 children)

This is a setting within Cloudflare to do origin verification. Pretty much any CDN will have the same option, it's entirely an issue with how that instance has their settings configured.

[–] TankieTanuki@hexbear.net 9 points 4 days ago (1 children)

@Demigodrick@lemmy.zip, @v4ld1z@lemmy.zip, @Sami@lemmy.zip, @gazby@lemmy.zip,

Could you please reconfigure your CDN to allow federation to work properly?

[–] Demigodrick@lemmy.zip 13 points 4 days ago (4 children)

OP is likely using a VPN on which the ASN is part of our challenge rules following waves of scraping attacks from those ASNs.

Not only are those scrapes stealing our users' data and ignoring the do not scrape instructions, they are so overwhelming as to have taken the site offline previously.

It's not a misconfiguration, rather a deliberate challenge to prevent scrape activity reoccurring.

Federation works fine between hexbear and .zip and likely does for most users. This behaviour is happening because hexbear uses the image proxy (which is good) and so isn't serving you the images directly, which is why the user is hitting up against .zip's challenges.

We monitor the solve rate on the challenges to make sure we're not catching too many real people in the challenges and effectively preventing the scrapes - as of right now, in the last 24 hours alone we've prevented almost 400,000 scrape connections with only 21 solves (i.e. real people). I fully appreciate it's annoying, but we're not running on a meta/twitter/Google budget over here! We have to take steps to protect the site as a whole.

If we weren't doing this with cloudflare, we'd be doing the exact same thing with anubis or outright blocking those ASNs entirely.

@buckykat@hexbear.net FYI.

My bad then, I overlooked the detail about the VPN in the OP.

[–] TankieTanuki@hexbear.net 5 points 4 days ago

I see. Well, thanks for the clarification!

[–] Edie@hexbear.net 3 points 3 days ago (1 children)

This behaviour is happening because hexbear uses the image proxy

That actually doesn't seem to be the case

[–] Demigodrick@lemmy.zip 2 points 3 days ago* (last edited 3 days ago) (2 children)

One of the images from the OP that they were challenged on is: https://hexbear.net/api/v3/image_proxy?url=https%3A%2F%2Flemmy.zip%2Fpictrs%2Fimage%2F9925d030-56d3-464b-95bf-8f59dd591496.webp

ETA: If Hexbear wasn't using the proxy, then the user would be served the image from hexbear itself and therefore our cloudflare challenge would never kick in, because the user would never visit lemmy.zip and it would all be handled server side, which isn't happening in this case.

[–] buckykat@hexbear.net 3 points 3 days ago

So you don't have a way to differentiate between image requests coming from a federated instance's proxying and a scraper?

[–] Edie@hexbear.net 2 points 3 days ago (1 children)

If I add lemmy.zip to my local domain blacklist I get the broken image.

[–] Demigodrick@lemmy.zip 2 points 3 days ago (2 children)

Yes, that's because Hexbear is proxying the image from lemmy.zip, not serving it via hexbear.

We do the same at lemmy.zip, it's good practice, but you are then interacting directly with lemmy.zip to get our images, hence why it breaks if you block lemmy.zip

[–] db0@lemmy.dbzer0.com 5 points 3 days ago* (last edited 3 days ago)

That's the opposite of proxying. Proxy would mean hexbear servers fetch the images on behalf of their user, therefore "proxying" the request. This is direct or hot linking.

[–] Edie@hexbear.net 2 points 3 days ago

So in what way do you mean "proxying" when my browser directly connects to lemmy.zip to fetch an image from lemmy.zip when I expand the image on the hexbear post https://hexbear.net/post/6158265
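The disagreement in this sub-thread comes down to which hosts the reader's browser contacts when it loads the `image_proxy` link. The following is an added example, not code from Lemmy or from either instance: it follows a chain of HTTP responses and labels the outcome. The response tables are constructed for illustration and are not captured traffic from hexbear.net or lemmy.zip.

```python
from urllib.parse import urlsplit, parse_qs, urljoin

REDIRECTS = {301, 302, 303, 307, 308}

def upstream_of(proxy_url):
    """Origin URL carried in the proxy link's `url` query parameter, or None."""
    return parse_qs(urlsplit(proxy_url).query).get("url", [None])[0]

def trace(url, responses, max_hops=5):
    """Follow redirects through `responses` (URL -> (status, headers)).
    Returns the hosts the browser contacted and the final (status, headers)."""
    hosts = []
    for _ in range(max_hops):
        hosts.append(urlsplit(url).hostname)
        status, headers = responses[url]
        if status not in REDIRECTS or "Location" not in headers:
            break
        url = urljoin(url, headers["Location"])
    return hosts, (status, headers)

def classify(proxy_url, responses):
    """'proxied': the browser only talks to the linking instance, so the
    origin's CDN rules see that instance's server, not the reader.
    'direct': the browser is sent to the origin and the image loads.
    'direct-blocked': the browser reaches the origin and gets a non-image reply
    (for example a challenge page), which renders as a broken image."""
    origin_host = urlsplit(upstream_of(proxy_url) or "").hostname
    hosts, (status, headers) = trace(proxy_url, responses)
    is_image = status == 200 and headers.get("Content-Type", "").startswith("image/")
    if origin_host not in hosts:
        return "proxied" if is_image else "proxy-error"
    return "direct" if is_image else "direct-blocked"

# URL quoted in the thread; everything below it is constructed sample data.
PROXY_URL = ("https://hexbear.net/api/v3/image_proxy?url=https%3A%2F%2Flemmy.zip"
             "%2Fpictrs%2Fimage%2F9925d030-56d3-464b-95bf-8f59dd591496.webp")
ORIGIN_URL = upstream_of(PROXY_URL)
SERVER_SIDE = {PROXY_URL: (200, {"Content-Type": "image/webp"})}
REDIRECT_OK = {PROXY_URL: (302, {"Location": ORIGIN_URL}),
               ORIGIN_URL: (200, {"Content-Type": "image/webp"})}
REDIRECT_CHALLENGED = {PROXY_URL: (302, {"Location": ORIGIN_URL}),
                       ORIGIN_URL: (403, {"Content-Type": "text/html"})}

if __name__ == "__main__":
    for name, table in [("server-side", SERVER_SIDE), ("redirect", REDIRECT_OK),
                        ("redirect+challenge", REDIRECT_CHALLENGED)]:
        print(name, classify(PROXY_URL, table), trace(PROXY_URL, table)[0])
```

To check a real instance, build the response table from the status and headers your browser's network panel shows for the same request chain.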

[–] buckykat@hexbear.net 3 points 4 days ago (1 children)

I stated in my OP that I'm using a VPN, as everyone always should.

[–] gazby@lemmy.zip 3 points 3 days ago (1 children)

You're getting too many NordVPN ads - try SponsorBlock.

[–] buckykat@hexbear.net 3 points 3 days ago* (last edited 3 days ago)

I use sponsorblock. Everyone should always be using VPNs partly because everyone should always be pirating, but also because it's one more layer of making browsing habits difficult to monetize. The only ads that are still getting through all my layers of adblocking are podcast ads, and they're getting through in languages I don't even speak because they think I'm on the other side of the world.

[–] peeonyou@hexbear.net 14 points 4 days ago

cloudflare needs to be ended.. big time

[–] poster596@hexbear.net 5 points 3 days ago (1 children)

My conspiracy theory for a long time has been that they are likely responsible for funding a huge amount of ddos attacks. Nobody else profits from those.

This is a dark evil theory.