Posts from users on instances that use Cloudflare do not work correctly. The images in these posts do not load because Cloudflare deliberately blocks them from loading unless the post is viewed on the instance of the user who posted, not the instance of the community the post is in or the instance of the user browsing.
For example, this recent post in c/games. Clicking the thumbnail to expand the image results in a broken image, as shown:
Clicking the rainbow federation “show context” link to open the page on the user’s home instance of lemmy.zip gives this Cloudflare page claiming to verify that I’m human (actually just harassing me for using a VPN as everyone should at all times):
Only after passing which do I get the post on lemmy.zip, where the image opens without further trouble:
Now, in order to vote or comment on the post, I’d have to go back to the original, broken page on my own instance.
To be clear, this is nothing against the post I’m using as an example or the user who posted it, but against that user’s home instance’s use of Cloudflare.
OP is likely using a VPN on which the ASN is part of our challenge rules following waves of scraping attacks from those ASNs.
Not only are those scrapes stealing our user’s data and ignoring the do not scrape instructions, they are so overwhelming as to have taken the site offline previously.
It’s not a misconfiguration, rather a deliberate challenge to prevent scrape activity reoccurring.
Federation works fine between hexbear and .zip and likely does for most users. This behaviour is happening because hexbear uses the image proxy (which is good) and so isn’t serving you the images directly, which is why the user is hitting up against .zips’ challenges.
We monitor the solve rate on the challenges to make sure we’re not catching too many real people in the challenges and effectively preventing the scrapes - as of right now, in the last 24 hours alone we’ve prevented almost 400,000 scrape connections with only 21 solves (i.e. real people). I fully appreciate its annoying, but we’re not running on a meta/twitter/Google budget over here! We have to take steps to protect the site as a whole.
If we weren’t doing this with cloudflare, we’d be doing the exact same thing with anubis or outright blocking those ASNs entirely.
@buckykat@hexbear.net FYI.
I see. Well, thanks for the clarification!
That actually doesn’t seem to be the case
One of the images from the OP that they were challenged on is: https://hexbear.net/api/v3/image_proxy?url=https%3A%2F%2Flemmy.zip%2Fpictrs%2Fimage%2F9925d030-56d3-464b-95bf-8f59dd591496.webp
ETA: If Hexbear wasn’t using the proxy, then the user would be served the image from hexbear itself and therefore our cloudflare challenge would never kick in, because the user would never visit lemmy.zip and it would all be handled server side, which isn’t happening in this case.
So you don’t have a way to differentiate between image requests coming from a federated instance’s proxying and a scraper?
If I add lemmy.zip to my local domain blacklist I get the broken image.
Yes, thats because Hexbear is proxying the image from lemmy.zip, not serving it via hexbear.
We do the same at lemmy.zip, it’s good practice, but you are then interacting directly with lemmy.zip to get our images, hence why it breaks if you block lemmy.zip
That’s the opposite of proxying. Proxy would mean hexbear servers fetches the images on behalf of their user therefore “proxying” the request. This is direct or hot linking.
So in what way do you mean “proxying” when my browser directly connects to lemmy.zip to fetch an image from lemmy.zip when I expand the image on the hexbear post https://hexbear.net/post/6158265
I stated in my OP that I’m using a VPN, as everyone always should.
You’re getting too many NordVPN ads - try SponsorBlock.
I use sponsorblock. Everyone should always be using VPNs partly because everyone should always be pirating, but also because it’s one more layer of making browsing habits difficult to monetize. The only ads that are still getting through all my layers of adblocking are podcast ads, and they’re getting through in languages I don’t even speak because they think I’m on the other side of the world.
My bad then, I overlooked the detail about the VPN in the OP.