Ask HN: Is your Firefox blocked by Cloudflare in recent weeks? (e.g., Gitlab)
32 points by neilv 7 months ago | 34 comments
In recent weeks, CloudFlare has been blocking my Firefox ESR browser from various sites, with dreaded infinite loops like "Checking your browser before accessing gitlab.com."

This was merely annoying until now, in a "guess I won't be reading that article or trying their site, after all" way, but I can't log in to an actually important site, GitLab.

Even when I disable both uBlock Origin and Firefox "Advanced Tracking Protection", I'm still blocked from GitLab by CloudFlare.

Testing with Chromium (same residential IP address as Firefox) in a "please violate me in every possible way" configuration, CloudFlare doesn't block me from GitLab.

But I really want to use Firefox for GitLab, and my Firefox doesn't have trouble with non-CloudFlare sites. For example, GitHub works fine with my Firefox. (But I'd really prefer to use GitLab, so long as this problem can be resolved and I'm not going to run into problems like this.)

I see various complaints about CloudFlare blocking GitLab online, with various explanations. Sometimes, the user is blamed for not figuring out how they're not complying with whatever CloudFlare is trying to do (like the user is some divergent citizen, to be denied rights, in some Kafkaesque authoritarian police state).

I suspect that sites don't know when CloudFlare is false-positive blocking legitimate visitors and costing them customers...




This is a growing problem. As far as I'm aware, Cloudflare does not collect or report these types of metrics because if they did, they could be abused.

There is no way to actually know who is or isn't a bot. The methodology for bot detection changes dramatically, isn't published, often isn't well tested, and fails to fully capture Turing tests in any meaningful way. It's all about forcing more requirements on the user, where the more unique the user is, the more likely it's a user and counting all blocks as a net win. The only problem is it drives surveillance capitalism, and it's a flawed assumption.

Maybe you should start an end-user Firefox extension/platform that aggregates where it checks for these, and allows the user to self-report when it fails (or detect and show repeat failures).


All the time. How the hell did the world decide to elect this company gatekeeper of what was supposed to be the world wide web? How did this corporation suddenly assume powers to block what was supposed to be the most open communications medium of all time?

...odd isn't it?


> I see various complaints about CloudFlare blocking GitLab online, with various explanations. Sometimes, the user is blamed for not figuring out how they're not complying with whatever CloudFlare is trying to do (like the user is some divergent citizen, to be denied rights, in some Kafkaesque authoritarian police state).

You should blame Gitlab too, they configured it.


Since Cloudflare was mentioned I figured it was TLS fingerprinting and bot detection related. Issue and workaround discussed at https://gitlab.com/gitlab-com/gl-infra/reliability/-/issues/...


I can repro this in Chrome too when I have NextDNS as the DNS through our fiber connection. If I for example switch my phone to 4G it will let me through. I haven't dug into it yet as to why, there's nothing in the NextDNS block logs that looks relevant. But interestingly enabling NextDNS over 4G doesn't break it with the same settings.

I did take the rather unprecedented approach to blocking all DNS traffic to anything but our router (because Android was ignoring my DNS settings and using its own... ), breaking my internal dns resolution. Making DNS queries wonder from JS would be new to me... (I didn't think that was possible).

I'll dig more tonight.


So this is interesting. The website that's blocking me is www.internaltemperaturechart.com. I thought there was something wrong with the site until I saw this post.

I can get on gitlab.com and get to their sign in page (which does the Cloudflare check), but it lets me see the login page. I don't have a GitLab account so that's as far as I can go. My own website uses Cloudflare too, so I put the security to "I'm under attack", and tried it. That works too.

I tried in Firefox (with uBlock Origin) and Edge (without). Same results across all three.

From what I can tell, the site that fails only sends and receives to that domain, ruling out a tracking domain I've blocked. It sends out multiple "rays", with what looks like an encrypted payload (and no I'm not reversing the JS, it's heavily obfuscated). There is no response to any of them, the connection is terminated.

On GitLab, which works, one of the rays fails with a 401, but the rest succeed.

Hopefully someone that works at Cloudflare can figure this out for us...


I don't use GitLab but I do use Firefox for almost all my home and work browsing[1] and haven't had this problem with other sites which use Cloudflare. I do use both uBlock Origin and advanced tracking protection always so I'm going to say the problem is with some configuration GitLab is doing rather than with Cloudflare.

[1] Exceptions being mobile, if I am specifically testing something and certain work situations where I am currently testing a locked-down web browser called "island"[2] which seems to be a chrome fork which gives Enterprise IT control over a bunch of stuff.

[2] https://www.island.io/


Sorry for going off topic, but what exactly is an "Enterprise Browser"? Does it limit what sites can be accessed, what extensions can be installed if any, and what features are available to be used by the websites?

I guess it will provide capabilities to add AD's group policy object like mechanisms to the browser.


Yes. I think in this particular case it gives a central infosec team the ability to allow/deny certain sites, set proxy and other network settings, control which extensions are allowed and do a few other similar things. The point in this scenario is to ensure that where SaaS and similar things are used in particularly sensitive applications (think: logging in to a bank portal for a corporate treasury account for instance) the browser environment is tightly controlled and a well-intentioned employee can't accidentally compromise things by using a browser that includes a malicious extension or similar.

I don't think the threat model is it's expected to prevent intentional attacks by a hostile, skilled, privileged insider put it that way.

I'm not recommending it or anything but so far the browser doesn't seem terrible. It seems to work just like Chrome, and I haven't had any problems or noticeable examples of it stopping me from doing anything fwiw. I'm not trying to circumvent anything or do anything that I'm not actually expected to do as part of my work though so I wouldn't expect problems.


that makes sense, thanks for elaborating


Bit confused by this since Firefox and Chrome already have available GPOs you can apply limiting stuff like this.


I'm sure they do. Island wasn't my idea, just since I've been asked to test it it's literally the only browser I use other than firefox and I was making the point that firefox works fine on cloudflare sites in general so there must be some kind of gitlab-specific problem.


I've stopped visiting a couple of sites because of CloudFlare. I keep using old Firefox with no scripts or occasionally with uMatrix.


> I've stopped visiting a couple of sites because of CloudFlare. I keep using old Firefox with no scripts or occasionally with uMatrix.

Why do you use an out-of-date browser?


Every time I use a newer version I'm losing something, context or results of what I do, and earlier or later the browser will try to be smarter and behave not as expected, ignore my configurations etc. - moreover to extensions which I need not working and removed functionality (no need for most of new fancy stuff - but a bit of it I'm missing). I think I will be stuck at 68esr for a while because of XBL which I like and see useful - then I'm not sure if I can afford that effort of possibly rewriting a lot to avoid surprises and make the browser working *for me* without need to fight him.


BECAUSE Firefox is the most configurable and the most privacy-secured web browser that also gave fork to SilverFox, Tor Browser, LibreWolf, WaterFox, PaleMoon, GNU IceCat, Mull, KMeleon, Dot Browser, Basilisk, MyPal and IceRaven.

Something that Chrome is unwilling to support.


They're asking why you use an outdated version of Firefox, not why you use Firefox.

Edit: I assume you're using it in the "Good 'ole Firefox" sense?


That would be even older Firefox til version 53 to browse ALL file, media, document formats (as well not free - so it's gone) using plugins of your choice..


same as uTorrent version 2.2.1 - the latest complete without bloat


Cloudflare put me in a never-ending loop when trying to access SourceForge from Edge with default settings, on my home network, with no VPN or anything. Maybe because it was my infrequently used laptop that probably doesn’t have all the latest updates yet?

I have no idea what the problem was, but the “verify you’re human” thing never worked. Pretty annoying…


I don't use GitLab that often, but I've never had any issue with it. I'm rarely if ever logged into my account when I stumble there. Latest was yesterday morning.

I'm using latest Firefox on Linux, with advanced tracking protection as well as uBlock Origin and uMatrix for good measure. The latter isn't configured to turn itself off on Gitlab.


>I suspect that sites don't know when CloudFlare is false-positive blocking legitimate visitors and costing them customers

So let them know. Put a value on it too. Then maybe they’ll be more careful in dismissing “false positives” as a business cost (especially for someone like GitLab competing for business).


That's a false trail, no one would trust numbers from a potentially disgruntled customer. There's little credibility that couldn't be shredded by a behemoth.


I get the CF deathloop if any of the options related to Referer are not default.


I've had no issues accessing sites using CloudFlare in Firefox myself.


I use Firefox Developer Edition exclusively and work using GitLab (SaaS) daily. I also have uBlock Origin installed. I have never had an issue.


These days, when I encounter a cloudflare "solve this captcha" page I hit C-w so fast it's probably illegal


It's maybe just the site you're visiting that has traffic.

For instance I have noticed the same on the ChatGPT page. I have to "verify" a lot which is just another sign for "we are overloaded at the moment".

At least that's how I interpreted it so far. I'm using Ferdium which has integrated Firefox.


I wouldn’t know, for Gitlab disabled my account name of 7 years due to inactivity.


Only old.reddit for some short time, but this was resolved soon


reddit does not use cloudflare


Yes! The worst part about it is the infinite loop of captchas.


Nop, although I'm using librewolf.


Don't support Cloudflare by moving to another platform or just use chrome. There is no point in using firefox for privacy if you have to turn fingerprinting in regardless (that's the workaround).



