Skip to main content

CAPTCHA Services

CAPTCHA services like Cloudflare, reCAPTCHA, and hCaptcha can interfere with the Uptime Monitor’s ability to check your websites. These services are designed to block automated traffic, which is exactly what the monitoring system uses to verify your site’s availability.

Whitelisting Monitor IP Addresses

To ensure accurate monitoring while maintaining protection against malicious bots, you need to whitelist the Uptime Monitor’s IP addresses in your CAPTCHA service configuration.

Cloudflare

Cloudflare uses various protection mechanisms that can block monitoring services:
  1. Access Cloudflare Dashboard:
    • Log in to your Cloudflare account
    • Select the domain you’re monitoring
  2. Configure IP Access Rules:
    • Navigate to Security > WAF > Tools
    • Scroll down to “IP Access Rules”
    • Click “Create IP Access Rule”
  3. Add Uptime Monitor IPs:
    • Enter the Uptime Monitor IP address(es) provided below
    • Set the action to “Allow”
    • Add a note like “Uptime Monitor” for future reference
    • Save the rule
  4. Configure Bot Fight Mode (if enabled):
    • Navigate to Security > Settings
    • Find “Bot Fight Mode”
    • Either disable it or ensure IP access rules take precedence
  5. Configure Challenge Passage:
    • Navigate to Security > Settings
    • Set a reasonable “Challenge Passage” duration (e.g., 7 days)

Google reCAPTCHA

For websites using reCAPTCHA:
  1. Access reCAPTCHA Admin Console:
  2. Adjust Settings:
    • Under “Advanced Settings” look for IP allowlisting options
    • Add the Uptime Monitor IP addresses
    • Save your changes

hCaptcha

For websites using hCaptcha:
  1. Access hCaptcha Dashboard:
    • Log in to your hCaptcha account
    • Select your site configuration
  2. Configure Allowlist:
    • Navigate to Settings > Advanced
    • Find the IP allowlist section
    • Add the Uptime Monitor IP addresses
    • Save your changes

Uptime Monitor IP Addresses to Whitelist

Below are the IP addresses used by the Uptime Monitor service. Add these to your CAPTCHA service allowlist: 
203.0.113.1
203.0.113.2
203.0.113.3
203.0.113.4
Note: These IP addresses may change periodically. Check the application’s settings page for the most up-to-date list of IP addresses to whitelist.

Alternative Monitoring Methods

If you cannot whitelist IP addresses for any reason, consider these alternatives:
  1. Custom HTTP Headers:
    • Configure your web server to bypass CAPTCHA for specific HTTP headers
    • Set up your Uptime Monitor to include these headers in requests
    • This requires custom server configuration
  2. Specific Monitoring Endpoints:
    • Create a dedicated health check endpoint (e.g., /health or /ping)
    • Configure CAPTCHA services to ignore these specific paths
    • Set up your Uptime Monitor to check these endpoints
  3. API-Based Monitoring:
    • If your application has an API, monitor API endpoints instead of web pages
    • API endpoints are often exempt from CAPTCHA protection

Testing CAPTCHA Configuration

After configuring your CAPTCHA service:
  1. Navigate to your Uptime Monitor dashboard
  2. Select the affected monitor
  3. Click “Perform Manual Check”
  4. Verify that the check succeeds without CAPTCHA interference
If the test fails, check your CAPTCHA service logs to identify why the request was blocked and adjust your configuration accordingly.

CDN Integration

Content Delivery Networks can also affect monitoring due to caching and geographic distribution.

Configuring CDN Monitoring

When monitoring websites behind a CDN:
  1. Monitor Multiple Regions:
    • Configure the Uptime Monitor to check from multiple geographic regions
    • This ensures you’re testing the CDN’s global performance
  2. Cache-Busting Parameters:
    • Add a unique query parameter to avoid cached results
    • Example: ?monitor_check=timestamp
  3. Origin Monitoring:
    • Consider monitoring both the CDN endpoint and the origin server directly
    • This helps identify whether issues are with the origin or the CDN

Web Application Firewalls (WAF)

Many websites use WAFs like Cloudflare, AWS WAF, or ModSecurity that can block monitoring.

Configuring WAF Integration

  1. Review WAF Rules:
    • Identify rules that might block automated monitoring
    • Modify or disable overly aggressive rules
  2. Whitelist Monitor Traffic:
    • Add rule exclusions for Uptime Monitor IP addresses
    • Create specific conditions to allow monitoring traffic
  3. Rate Limiting Considerations:
    • Ensure rate limiting rules don’t block frequent monitoring
    • Adjust request rate limits to accommodate your monitoring interval

Authentication Integration

For monitoring authenticated areas of your application:
  1. Token-Based Authentication:
    • Configure the Uptime Monitor with the appropriate authentication tokens
    • Set up a dedicated monitoring user with limited permissions
    • Ensure tokens are refreshed before expiry
  2. Form-Based Authentication:
    • Create a monitor that performs the login sequence
    • Store cookies/session data between checks
    • Configure appropriate security for credential storage

API Gateways

When monitoring APIs behind API gateways like AWS API Gateway, Kong, or Apigee:
  1. API Keys:
    • Create a dedicated API key for monitoring
    • Configure the monitor to include this key in requests
    • Set appropriate rate limits for the monitoring key
  2. OAuth Integration:
    • Configure the Uptime Monitor to obtain and refresh OAuth tokens
    • Create a dedicated OAuth client for monitoring purposes
    • Set up proper scopes for monitoring access

Troubleshooting Integration Issues

  1. 403 Forbidden:
    • CAPTCHA service is blocking the request
    • Verify IP allowlisting is correctly configured
    • Check for additional bot protection measures
  2. Challenge Pages:
    • Monitor receives a CAPTCHA challenge instead of the actual page
    • Look for challenge signatures in the response body
    • Adjust CAPTCHA sensitivity or allowlisting
  3. Delayed Response Times:
    • CAPTCHA services may slow down responses for suspicious traffic
    • Check response headers for CAPTCHA-related information
    • Adjust security level settings if possible

General Integration Troubleshooting

  1. Check Request Logs:
    • Review server logs during monitoring checks
    • Look for patterns in blocked requests
    • Identify specific security rules triggering blocks
  2. Simulate Monitor Requests:
    • Use tools like cURL to simulate monitoring requests
    • Test with and without specific headers or parameters
    • Compare behaviors to identify blocking factors
  3. Temporary Disabling:
    • Temporarily disable protection services to verify they’re causing the issue
    • Re-enable with more permissive settings
    • Gradually increase security until an optimal balance is found