
Warn if Cloudflare is in use #149

Open
CobaltCause opened this issue Sep 10, 2024 · 5 comments

Comments

@CobaltCause

My HS fails to federate with a lot of homeservers that are hosted behind Cloudflare. My HS is hosted on AWS EC2, and so I guess Cloudflare denies requests from our HS because Cloudflare thinks we must be using automation in a harmful way.

As a result, I think it would be good if the federation tester could detect the use of Cloudflare and display a warning about how incoming federation requests from some other homeservers may be blocked by Cloudflare, causing federation with those homeservers to not work.

I think this could probably be implemented by checking for e.g. server: cloudflare or cf-ray: ... in response headers.

@CobaltCause (Author)

In one particular case, an HS operator claimed to not be using Cloudflare, which turned out to be true for the host hosting /_matrix/federation/v1/version, but not the host hosting /.well-known/matrix/server. As such, the federation tester should check the headers of both locations/domain names.

@richvdh (Member)

richvdh commented Sep 10, 2024

It is worth noting that matrix.org is behind Cloudflare. I would be interested to know if your server has problems federating with matrix.org, and if so what errors you observe.

@CobaltCause (Author)

I can federate with matrix.org. I suspect it's a difference in Cloudflare configuration, but I've never personally used Cloudflare, so I have no idea.

When I do get blocked by Cloudflare, it usually looks like this:

# curl https://redacted.example.com/.well-known/matrix/server -i
HTTP/2 403
date: Tue, 10 Sep 2024 20:44:16 GMT
content-type: text/html; charset=UTF-8
accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
origin-agent-cluster: ?1
permissions-policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
referrer-policy: same-origin
x-content-options: nosniff
x-frame-options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: 1/uh5VuEiY5yFwVDJ984VH7lzpH1JvzmgAlPRoodEFLznBV7+uvo+EhNdqmlxyPEHoBsCcD1pNc4syz3uax97/8oHHYGl6F1F6h4YG4FkB4yL+0BL8usA3EDR9Lyi2Hw$liG64RKegKrMILERJtGHng==
cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
expires: Thu, 01 Jan 1970 00:00:01 GMT
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yUZ18T71JocOci9BtZXD53jMVuEvFwVX%2BmScxAE9AMK3Mcle8ws700sqNXq6gz%2FoOYRX7tpajQBCmajTB8qM3nRmL7KBMtEXwVuFRMmqBphgGn1RlYH%2FtkbJwrXEBMpwq6USfWqzRnrEeV0%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 8c12414a4ec2c37c-SEA
alt-svc: h3=":443"; ma=86400

[a bunch of html/css/js which I assume will lead to needing to do a captcha]

@richvdh (Member)

richvdh commented Sep 10, 2024

I see. Given it's perfectly possible to use Cloudflare without it breaking everything, there's an argument here that warning about it might be a bit of overkill.

That said, I take your point - if people are going to use Cloudflare, they had better be careful which options they set. Perhaps we could show some sort of informational note about that in the UI.

@olivia-fl

I'm not very familiar with cloudflare. Is it possible to detect whether it's configured in the "throw up a challenge page" mode versus the "just proxy and cache things" mode externally?
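One way to turn the header heuristic from this thread into a concrete check, written here as an added example rather than code from the federation tester or any commenter: a Go program that classifies a response as not-Cloudflare, Cloudflare proxy, or Cloudflare challenge, and probes both the host serving /.well-known/matrix/server and the delegated host serving /_matrix/federation/v1/version, since the thread notes the two can be configured differently. The marker headers are an assumption based on the captured 403 above (server: cloudflare and cf-ray for "Cloudflare is in the path", cf-mitigated: challenge for "a challenge page was served instead of the resource"); the Report.Warning wording, the local stand-in servers and the sample cf-ray values are constructed for the example and are not real hosts.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Verdict classifies one HTTP response from a homeserver endpoint.
type Verdict int

const (
	NotCloudflare Verdict = iota // no Cloudflare markers in the response
	ProxiedOnly                  // Cloudflare in the path, resource served normally
	Challenged                   // Cloudflare answered with a challenge page instead
)

func (v Verdict) String() string {
	return [...]string{"not-cloudflare", "cloudflare-proxy", "cloudflare-challenge"}[v]
}

// Classify applies the header heuristic from the thread (an assumption, not a
// Cloudflare guarantee): `server: cloudflare` or any `cf-ray` value means the
// response passed through Cloudflare; `cf-mitigated: challenge`, as in the
// captured 403, means a challenge page replaced the resource. http.Header
// canonicalises names, so lowercase HTTP/2 header names still match.
func Classify(h http.Header) Verdict {
	viaCloudflare := strings.EqualFold(h.Get("Server"), "cloudflare") || h.Get("Cf-Ray") != ""
	if !viaCloudflare {
		return NotCloudflare
	}
	if strings.EqualFold(h.Get("Cf-Mitigated"), "challenge") {
		return Challenged
	}
	return ProxiedOnly
}

// Report holds the verdict for each host a federation lookup touches.
type Report struct {
	WellKnown Verdict // host serving /.well-known/matrix/server
	Version   Verdict // delegated host serving /_matrix/federation/v1/version
}

// Warning is illustrative wording for the note the issue asks for; empty when
// neither host shows Cloudflare markers.
func (r Report) Warning() string {
	switch {
	case r.WellKnown == Challenged || r.Version == Challenged:
		return "Cloudflare returned a challenge page; federation requests from other homeservers are likely to be blocked"
	case r.WellKnown != NotCloudflare || r.Version != NotCloudflare:
		return "Cloudflare is in front of this server; make sure /.well-known/matrix/ and /_matrix/federation/ are exempt from bot challenges"
	}
	return ""
}

// CheckDelegation fetches both URLs and classifies each separately. Resolving
// the URLs from a server name is left to the caller (hypothetical helper).
func CheckDelegation(client *http.Client, wellKnownURL, versionURL string) (Report, error) {
	var verdicts [2]Verdict
	for i, u := range []string{wellKnownURL, versionURL} {
		resp, err := client.Get(u)
		if err != nil {
			return Report{}, fmt.Errorf("GET %s: %w", u, err)
		}
		resp.Body.Close() // only the headers matter; a 403 body is just challenge HTML
		verdicts[i] = Classify(resp.Header)
	}
	return Report{WellKnown: verdicts[0], Version: verdicts[1]}, nil
}

// Constructed stand-ins (not real hosts) reproducing the header shapes above,
// so the example runs offline.
func challengeHandler(w http.ResponseWriter, _ *http.Request) {
	w.Header().Set("server", "cloudflare")
	w.Header().Set("cf-ray", "8c12414a4ec2c37c-SEA")
	w.Header().Set("cf-mitigated", "challenge")
	w.WriteHeader(http.StatusForbidden)
	fmt.Fprint(w, "<html>challenge page</html>")
}

func proxyHandler(w http.ResponseWriter, _ *http.Request) {
	w.Header().Set("server", "cloudflare")
	w.Header().Set("cf-ray", "8c12414a4ec2c37d-SEA")
	fmt.Fprint(w, `{"server":{"name":"Synapse","version":"1.0.0"}}`)
}

// Demo wires a challenging .well-known host to a merely proxied delegated
// host, the split described in the thread, and returns the resulting Report.
func Demo() (Report, error) {
	wk := httptest.NewServer(http.HandlerFunc(challengeHandler))
	defer wk.Close()
	ver := httptest.NewServer(http.HandlerFunc(proxyHandler))
	defer ver.Close()
	client := &http.Client{Timeout: 5 * time.Second}
	return CheckDelegation(client, wk.URL+"/.well-known/matrix/server", ver.URL+"/_matrix/federation/v1/version")
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("well-known host: %s, delegated host: %s\n", r.WellKnown, r.Version)
	if w := r.Warning(); w != "" {
		fmt.Println("warning:", w)
	}
}
```

Classify only looks at headers, so a 403 without cf-mitigated is not reported as a challenge; whether that is the right call for an operator-configured block rule is a judgement the example does not make, and the heuristic can only detect the challenge mode when the tester's own request happens to trigger it.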
