Known issue: BotWire behind Cloudflare (or any reverse proxy) — widget errors & rate limiter misfires #21
Closed
adamy
announced in
Announcements
Replies: 1 comment
-
|
Fixed issued in 0.2 |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
What is happening
If you deploy BotWire on shared hosting (SmarterASP, site4now, or similar) behind Cloudflare, you may see:
We have identified the root causes and a fix is coming in the next release.
Root cause 1 — Stale session token after restart
BotWire stores session tokens in process memory (
InMemoryConversationStore). When the app pool recycles (shared hosting does this frequently, and any deployment triggers it), all session tokens are lost.The widget stores its token in
sessionStorageand keeps sending it. The server can no longer find the session and returns400 Invalid session token. The widget currently treats any 400 as a generic error and shows "Something went wrong".Workaround now: Ask users to refresh the page (clears
sessionStorage).Fix in next version (Phase 1.5): The widget will detect a
400 InvalidSessionresponse, automatically clear the stale token, create a new session, and resend the message — invisible to the user.Root cause 2 — IP rate limiter sees Cloudflare edge IPs
BotWire's built-in IP rate limiter reads
HttpContext.Connection.RemoteIpAddress. Behind Cloudflare (or any reverse proxy), this is the proxy's IP, not the real visitor IP. All your visitors share a handful of Cloudflare edge IPs, so the rate limiter trips almost immediately.Workaround now: Add the following to your
Program.cs:If you are on Cloudflare specifically, you can also read the
CF-Connecting-IPheader directly (Cloudflare sets this to the real visitor IP).Fix in next version: Documentation will include a dedicated reverse-proxy deployment section.
Other Cloudflare gotchas
/support/*endpoints, breaking SSE streaming/support/*data-cfasync="false"to the widget<script>tagTimeline
The session self-healing fix is scoped for Phase 1.5 (next minor release after 0.1.0). The reverse-proxy documentation will ship with it.
If you are hitting either issue now and need more detail, reply below.
Beta Was this translation helpful? Give feedback.
All reactions