Skip to content

fix: set browser User-Agent to bypass Cloudflare WAF 403#55

Open
marceltrindade wants to merge 1 commit into
warwickh:masterfrom
marceltrindade:fix/cloudflare-user-agent
Open

fix: set browser User-Agent to bypass Cloudflare WAF 403#55
marceltrindade wants to merge 1 commit into
warwickh:masterfrom
marceltrindade:fix/cloudflare-user-agent

Conversation

@marceltrindade

Copy link
Copy Markdown

Problem

The Kodi Subsonic addon fails with Connection error / HTTP Error 403: Forbidden when the server is behind Cloudflare or any WAF that blocks the default Python-urllib/3.x User-Agent. This makes the addon completely unusable with any server fronted by Cloudflare.

Root cause

Two issues in lib/libsonic/connection.py:

  1. Module-level install_opener() without insecure context (line 61): A global urllib opener is installed at import time using HTTPSHandlerChain() with no SSL context. When TLS verification fails (e.g. behind a reverse proxy with a non-standard cert chain), the connection silently fails.

  2. Missing browser-like User-Agent (line 2782): The opener built by _getOpener() uses Python urllib's default User-Agent (Python-urllib/3.x), which Cloudflare WAF and similar services block with HTTP 403.

Changes

  • Comment out the module-level install_opener() call — each Connection() already builds its own opener via _getOpener() with the correct insecure context when needed. The global installer was redundant and harmful.

  • Add a browser-like User-Agent to the openerMozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0 is sent as the User-Agent header, which passes Cloudflare WAF without issues.

Testing

Tested against Navidrome v0.62.0 behind Cloudflare on Kodi 21 Omega / LibreELEC 12. With the patch:

  • ping endpoint returns HTTP 200 (was 403)
  • Album listing, search, and playback all work
  • No regressions on direct connections (tested without Cloudflare)

Python-urllib/3.x User-Agent is blocked by Cloudflare WAF and similar
reverse proxies, returning HTTP 403 on every request. This makes the
addon completely unusable on any server behind Cloudflare.

Changes:
- Remove the module-level install_opener() that creates a global opener
  without an insecure TLS context, which could also cause SSL errors.
  Each Connection() already builds its own opener via _getOpener().
- Set a browser-like User-Agent (Firefox 120) in _getOpener() so
  Cloudflare and other WAFs allow the request through.

Fixes: connection fails with 'Connection error' popup and
'HTTP Error 403: Forbidden' in the Kodi log for servers
behind Cloudflare.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant