I have my website hosted at a free webhost. mybb.com website seems to be using cloudflare and when my forum check for updates or do file verification, cloudflare is returning a captcha to mybb instead of the file with the update data. Obviously mybb isn't going to umm look at the captcha, read the image and insert the text on it's own. So if possible, I need mybb administrators to add my website's ip address to trusted list on their cloudflare account.
http://community.mybb.com/attachment.php?aid=30455 in this image, look at the 'cf.challenge' part. That means clouldflare sent my website a captcha challenge instead of the contents of the remote checksum file or the updates file.
host mybb.com
mybb.com has address 141.101.126.93
mybb.com has address 141.101.125.93
Those are cloudflare IP addresses.
Or maybe mybb unban my webhost from their couldflare account? It seems silly that a forum software bans a IP address from a free webhost...
(2013-11-13, 06:11 AM)hussam Wrote: [ -> ]free webhost...
That is probably the primary reason it is blocked through cloudflare, being free they are very easy to use to run DDoS attacks and whatnot
Your IP is not blocked. I face the captcha sometimes, it's usually if cloudflare thinks your message is dodgy.
(2013-11-13, 07:53 AM)Cameron:D Wrote: [ -> ] (2013-11-13, 06:11 AM)hussam Wrote: [ -> ]free webhost...
That is probably the primary reason it is blocked through cloudflare, being free they are very easy to use to run DDoS attacks and whatnot
Not necessarily. I used a free webhost a while back, could run file verification and update checking through that. Though it was a respectable one -- EmpireHostings, before they closed.
Oh, not all free hosts are going to be blocked, but it is more likely that they will be blocked than a paid host because of the ease of abuse.
just a note: referred issue is a major problem for using file verification tool on MyBB forum
not sure if the checksums text file can be used locally to run the file verification
With all due respect to mybb developers, administrators, and staff, I don't feel it is fair that even unintentionally, a certain user's functionality is slightly crippled unless that user's host doesn't meet the 'requirements to install this software'.
But I understand cloudflare reduces the spam a lot.
How about tom k.'s suggestion of checksums.mybb.com and update.mybb.com that bypass cloudflare?
Btw, I started using cloudflare myself and it sends the server ip instead my cloudflare IP when checking for updates or doing a checksum. can this be somehow changed? it would solve my problem.
(2013-11-13, 08:26 AM).m. Wrote: [ -> ]just a note: referred issue is a major problem for using file verification tool on MyBB forum
not sure if the checksums text file can be used locally to run the file verification
That would be entirely pointless. The idea of file verification is to provide an unbiased view of the content of MyBB files. If it was run from a local file, a hacker could simply change the content of a file and then it's relevant hash and go undetected.
(2013-11-14, 09:56 AM)hussam Wrote: [ -> ]With all due respect to mybb developers, administrators, and staff, I don't feel it is fair that even unintentionally, a certain user's functionality is slightly crippled unless that user's host doesn't meet the 'requirements to install this software'.
But I understand cloudflare reduces the spam a lot.
How about tom k.'s suggestion of checksums.mybb.com and update.mybb.com that bypass cloudflare?
Btw, I started using cloudflare myself and it sends the server ip instead my cloudflare IP when checking for updates or doing a checksum. can this be somehow changed? it would solve my problem.
Regarding sending your IP instead of your cloud flare IP, that is how networking works.
When your server requests the checksums file the following happens:
> Your server (or the hosts) looks up MyBBs IP - and sees MyBBs Cloudflare IP
> The request of yours goes to cloud flare.
> Cloudflare transforms the IP to its own, to ensure the response routes back through cloudflare
> The request heads out to its target, but because MyBB and your site both use Cloudflare it'll likely just be routed through cloudflare and never actually hit and internet backbone.
Cloudflare, when the request is attempting to get to MyBB's server must make a decision on whether the request is safe and legitimate. I'm not sure why cloud flare might block your request but perhaps the headers aren't complete? For a normal user this is fine because they simply have to put in a captcha.
(2013-11-14, 11:00 AM)Tom K. Wrote: [ -> ]a hacker could simply change the content of a file and then it's relevant hash and go undetected.
If they have access to change the file that contains the checksums then they have enough access to be able to change the URL that it downloads the checksum file from anyway.
I'm not saying that that grabbing the checksums from the MyBB site is a bad (Although using HTTPS would be a very good idea), just that if you're compromised to the point of being able to edit files then there is more than one way to be able to achieve the outcome.