packages.sury.org shouldn't use Cloudflare's Browser Integrity Check #1299
Comments
Just changed the couple of hosts using my internal
Or that, it isn't really a problem after the Cloudflare cache has taken over most of the load. But thanks for trying to ease the load with a local mirror. This is appreciated, I just cannot construct the firewall rule to distinguish between people downloading the full repository twice a day and people correctly syncing just the changes.
One more thing: You might wanna firewall the origin to only allow HTTP requests from Cloudflare's reverse proxy network (v4, v6) for the virtualhost Happy holidays.
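The origin allowlist suggested in the comment above, sketched as an added example (not code from the thread or from the project): it validates a list of proxy ranges, checks peer addresses against it, and renders nginx allow/deny lines for the affected virtual host. The ranges are constructed documentation prefixes standing in for the proxy network's published v4 and v6 lists, and all function names are hypothetical.

```python
import ipaddress

# Constructed sample list (RFC 5737 / RFC 3849 documentation prefixes). It
# stands in for the proxy network's published v4 and v6 ranges.
SAMPLE_RANGES = """\
# v4
198.51.100.0/24
203.0.113.0/25
# v6
2001:db8:1000::/36
"""

def parse_ranges(text):
    """Return validated networks, one CIDR per line; '#' starts a comment."""
    v4, v6 = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=True rejects entries with host bits set (likely typos).
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if net.prefixlen == 0:
            # A /0 would silently turn the allowlist into "allow everyone".
            raise ValueError(f"line {lineno}: refusing catch-all {net}")
        (v4 if net.version == 4 else v6).append(net)
    if not v4 and not v6:
        raise ValueError("empty allowlist would lock out the proxy itself")
    # Merge adjacent/overlapping ranges so the generated ACL stays short.
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))

def is_allowed(peer, nets):
    """True if the TCP peer address falls inside one of the allowed networks."""
    addr = ipaddress.ip_address(peer)
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in nets if net.version == addr.version)

def nginx_acl(nets):
    """Render allow/deny lines for the server block of the protected vhost."""
    return "\n".join([f"allow {net};" for net in nets] + ["deny all;"])

if __name__ == "__main__":
    print(nginx_acl(parse_ranges(SAMPLE_RANGES)))
```

If the virtual host also rewrites the client address from a forwarded header (nginx realip module), the ACL is evaluated against the rewritten address, so in that setup enforce the allowlist at the packet filter instead.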
Well, that would earn anybody a permanent block with no appeal. And I really hope that people are not intentionally evil.
Hi all, I was using apt-mirror (https://apt-mirror.github.io) to clone several repositories including packages.sury.org (once a day). It works similarly to rsync, downloading only new files.
@czyzo What user agent does apt-mirror use?
It is a Perl script that runs 'wget'. So the user agent is "wget/version"
The origin server is now protected by Origin Client Certificate. Use rsync for mirroring.
hey, we are using aptly to do our repository/package management. it also has the ability to mirror repositories. thank you
@Woellchen - I can take a look. I blocked all user agents ignoring the Cloudflare cache and going directly to the Origin server generating spikes of bandwidth. Aptly looks (from the glance on the website) as mostly well behaved, so I can try to remove the
@Woellchen The
@oerdnj nice! it is working now. thank you very much!
Hi @oerdnj - We are using approx to proxy apt requests for a lot of servers. Approx caches the packages to reduce traffic, but mostly it's there because the servers don't have direct internet access. Unfortunately approx seems to use curl with useragent User Agent "curl/7.52.1" to download the packages, so it doesn't work anymore. I also don't seem to be able to find a way to change the useragent. Maybe there's a way to register our IP with you? Thank you!
It is possible to use Change:
To (note, truncated for brevity, don't just copy and paste this line, alter yours instead):
Describe the bug
When trying to download files from packages.sury.org via apt, approx, wget, curl, ... it fails with 403 Forbidden or 404 Not found because sury.org is hosted at Cloudflare and Cloudflare's Browser Integrity Check is enabled for packages.sury.org -- which results in intercepted HTTP requests and an HTML page with embedded JavaScript for the browser to solve being delivered to the client before being redirected to the correct resource.
To Reproduce
wget -S 'https://packages.sury.org/php/pool/main/p/php-defaults/php-common_71+0~20191219.19+debian9~1.gbpefc769_all.deb'
Expected behavior
Download of .deb files etc. should work without forcing users to use a Browser like Google Chrome or Mozilla Firefox.
Additional context
Tried above mentioned wget from multiple different IP addresses from completely unrelated networks. Using Cloudflare as a Caching CDN and for DDoS prevention is perfectly fine but a (sub)-Domain used primarily by automated software to download packages from (apt-get) should disable Cloudflare's Browser Integrity Check.
Problem
Possible solution