View Issue Details

ID: 0035948
Project: mantisbt
Category: attachments
View Status: public
Last Update: 2025-05-13 07:46
Reporter: piotrusx
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: no change required
Product Version: 2.27.0
Summary: 0035948: Cloudflare and bugnote_add.php
Description

Hello!
I tried to find a similar case but I didn't find anything related to my problem in the mantisbt.org history.
I protect my MantisBT system using the Cloudflare service.
I have a problem when I try to add any file to a bug note.
My server returns a 403 error when it executes bugnote_add.php.
When I use my system without CF protection, MantisBT works correctly.
How to bypass this problem? Any suggestions?

Tags: No tags attached.
Attached Files
image.png (204,392 bytes)

Activities

dregad

2025-05-12 06:59

developer   ~0070243

> My server returns a 403 error when it executes bugnote_add.php.
> When I use my system without CF protection, MantisBT works correctly.

Based on this, it would seem that Cloudflare is refusing to serve the request, returning the 403 (access denied) error. Could it be caused by the security rules you put in place to protect your site? A CORS issue? Or is the 403 triggered by your web server and Cloudflare is just passing it along?

Bugnote submissions with attachments are handled by the dropzone.js library as an AJAX (XHR) request. You need to analyze this request (e.g. using your browser's developer tools) to determine what is going on and why Cloudflare is not returning the expected 302 that sends you back to view.php after processing the request.

I would suggest contacting Cloudflare's support. I can't reproduce the problem, as I don't use this platform, so I'm afraid there is not much more I can do to help.

piotrusx

2025-05-12 07:05

reporter   ~0070244

Hi.
The 403 error is caused by my web server, but only through the CF connection.
I'm trying to contact CF support.

dregad

2025-05-12 07:40

developer   ~0070245

Can you compare the requests

  • browser -> web server (i.e. without cloudflare)
  • (browser ->) cloudflare -> web server

and see if anything is changed/added/removed from the headers by cloudflare, that could explain the difference in behavior?

Having a detailed request might help in reproducing the problem, and understanding what is happening on the MantisBT side.
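
One way to carry out the comparison suggested above, as an added example that is not part of the original comments or of MantisBT's code: it diffs the request headers logged at the origin for the direct and proxied paths, and goes slightly further by classifying a 403 response using Cloudflare's `cf-mitigated: challenge` response header. The host name and both header captures are constructed.

```javascript
// Added example; the sample captures below are constructed, not from the issue.
// Request headers Cloudflare adds when proxying to the origin.
const CF_REQUEST_HEADERS = new Set([
  'cf-connecting-ip', 'cf-ray', 'cf-ipcountry', 'cf-visitor',
  'cdn-loop', 'x-forwarded-for', 'x-forwarded-proto',
]);

// Lower-case names so the two captures compare case-insensitively.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Diff the request as logged at the origin: direct vs. through the proxy.
function diffRequestHeaders(direct, proxied) {
  const a = normalize(direct), b = normalize(proxied);
  const diff = { addedByProxy: [], unexpectedAdded: [], removed: [], changed: [] };
  for (const name of Object.keys(b)) {
    if (!(name in a)) {
      (CF_REQUEST_HEADERS.has(name) ? diff.addedByProxy : diff.unexpectedAdded).push(name);
    } else if (a[name] !== b[name]) {
      diff.changed.push(name);
    }
  }
  for (const name of Object.keys(a)) if (!(name in b)) diff.removed.push(name);
  return diff;
}

// Classify a 403 from the response headers shown in the browser's network tab.
function classify403(responseHeaders) {
  const h = normalize(responseHeaders);
  if (h['cf-mitigated'] === 'challenge') return 'cloudflare-challenge'; // an XHR cannot solve it
  if ('cf-ray' in h) return 'edge-or-origin'; // passed through Cloudflare: check the origin log
  return 'origin-direct';
}

// Constructed captures of the bugnote_add.php upload request (hypothetical host).
const directReq = { 'Host': 'mantis.example', 'X-Requested-With': 'XMLHttpRequest',
  'Accept-Encoding': 'gzip, deflate, br' };
const proxiedReq = { 'Host': 'mantis.example', 'X-Requested-With': 'XMLHttpRequest',
  'Accept-Encoding': 'gzip', 'CF-Connecting-IP': '203.0.113.7',
  'CF-Ray': '0000000000000000-WAW', 'X-Forwarded-For': '203.0.113.7' };

console.log(diffRequestHeaders(directReq, proxiedReq));
console.log(classify403({ 'Server': 'cloudflare', 'CF-Ray': '0000000000000000-WAW',
  'cf-mitigated': 'challenge' }));
```

If the proxied request never appears in the origin's access log, the 403 was generated at the Cloudflare edge and there is no origin-side request to diff.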

piotrusx

2025-05-13 07:16

reporter   ~0070250

I had to create a CF access rule for the bugnote_add.php script and skip some WAF rules. Thank you for the suggestions.

cloudflare-rule.jpg (92,386 bytes)

dregad

2025-05-13 07:31

developer   ~0070251

Thanks for the feedback, glad to hear you found a solution to your problem. I'll resolve the issue then.

Did you figure out what Cloudflare was doing to the request prior to implementing the exception?

piotrusx

2025-05-13 07:46

reporter   ~0070252

I don't know why Cloudflare used "Managed Challenge" for this script. I just configured an exception for it.

cf.jpg (29,700 bytes)