After spending hours trying to figure out why I wasn’t able to re-link my Home Assistant app to my Google Home, and after looking at the error logs on Google Cloud Console, I figured the root cause was Cloudflare’s Bot Fight Mode, which I had turned on at some point. This was sending a challenge after the authentication that was breaking the authentication flow.
Google is apparently recognized as a bot. After disabling the Bot Fight Mode, I was finally able to link Home Assistant and Google Assistant.
I’ve been trying to troubleshoot this for almost 24 hours since my Assistant started giving errors around 7am yesterday. This was my issue too, thank you for posting. Almost did a full re-setup too!
Not sure why this started for me yesterday as well. I did not change anything in Cloudflare and it has been working without any issues. That being said, Bot Fight Mode was turned on. Not sure if it was by me or not, but I know I didn’t change anything in Cloudflare yesterday. I tried re-creating the Google link without success. Disabling Bot Fight Mode restored the Google Home link immediately and as a result saved my sanity and possibly my marriage. So thank you for posting and sharing with the rest of us. Really appreciate it.
Thank you for this. Is it safe to turn on Bot Fight Mode after syncing? Does anyone know if it is possible to set some rules to exclude this traffic from Bot Fight Mode with a free plan in Cloudflare?
Had the same problem for the past few days. I have other WAF rules, one specifically to allow Google auth. In theory you can tell the WAF to skip the bot fighting, but this seems to have stopped working:
"You cannot bypass or skip Bot Fight Mode using the Skip action in WAF custom rules or using Page Rules. Skip, Bypass, and Allow actions apply to rules or rulesets running on the Ruleset Engine. While Super Bot Fight Mode rules are implemented in the Ruleset Engine, Bot Fight Mode checks are not. This is why you can skip Super Bot Fight Mode, but not Bot Fight Mode. If you need to skip Bot Fight Mode, consider using Super Bot Fight Mode.
Bot Fight Mode can still trigger if you have IP Access rules, but it cannot trigger if an IP Access rule matches the request. For example, the IP Access rule matches the connecting IP."
I will take a look at creating an IP Access rule with Google’s ASN; this should be enough to bypass the bot protection.
For anyone having this problem, I can confirm that you can have bot protection enabled and filter Google with an IP Access rule. The downside of this is that any Google bot will be able to query you, but as Cloudflare is flagging the auth request as a bot, it is a working workaround.
This seems like a bad idea. I’m not sure how you have the rest of your security configured, but per Cloudflare:
Allowing an IP, ASN, or country will bypass any configured custom rules, rate limiting rules, and firewall rules (deprecated).
You are basically letting anything in from any of the google IPs without any further restriction. I’d much rather disable bot mode and keep a more limiting rule.
To allow Google in, I have a separate subdomain just for voice control where I block everything that isn’t the following:
An IP in the list below:
66.249.80.0/20
108.177.0.0/17
192.178.0.0/15
66.102.0.0/20
74.125.0.0/16
Google’s ASN: 15169
URI Path contains one of the following:
/api/google_assistant
/auth/token
Cloudflare’s rule expression builder doesn’t let you build this logic normally, so you have to click “Edit expression” to put the rule in:
not ((http.request.uri.path contains "/api/google_assistant" or http.request.uri.path eq "/auth/token") and ip.geoip.asnum eq 15169 and ip.src in { 66.249.80.0/20 108.177.0.0/17 192.178.0.0/15 66.102.0.0/20 74.125.0.0/16}) and (http.host eq "voice-control.example.com")
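To check what that expression actually lets through before deploying it, here is an added Python re-implementation of its logic (not Cloudflare’s evaluator and not from the post above); the hostname, CIDR list and ASN are the ones quoted in the rule, and the sample requests are constructed.

```python
import ipaddress

# Values copied from the custom rule quoted in the thread.
GOOGLE_RANGES = [ipaddress.ip_network(c) for c in (
    "66.249.80.0/20", "108.177.0.0/17", "192.178.0.0/15",
    "66.102.0.0/20", "74.125.0.0/16")]
GOOGLE_ASN = 15169
VOICE_HOST = "voice-control.example.com"


def google_assistant_allowed(path, src_ip, asn):
    """The inner allow-list clause of the rule:
    (path contains "/api/google_assistant" or path eq "/auth/token")
    and ip.geoip.asnum eq 15169 and ip.src in {Google ranges}.
    Note 'contains' matches the substring anywhere in the path,
    while 'eq' is an exact match; both are mirrored here."""
    path_ok = "/api/google_assistant" in path or path == "/auth/token"
    ip_ok = any(ipaddress.ip_address(src_ip) in n for n in GOOGLE_RANGES)
    return path_ok and asn == GOOGLE_ASN and ip_ok


def rule_blocks(host, path, src_ip, asn):
    """Whole expression: not (allow clause) and host eq VOICE_HOST.
    True means the Block action fires. Requests for any other host
    never match this rule, so it returns False for them."""
    return host == VOICE_HOST and not google_assistant_allowed(path, src_ip, asn)


# Constructed sample requests: (host, path, source IP, ASN).
SAMPLES = [
    (VOICE_HOST, "/api/google_assistant", "66.249.80.5", 15169),   # allowed
    (VOICE_HOST, "/auth/token", "74.125.1.1", 15169),              # allowed
    (VOICE_HOST, "/auth/token/extra", "74.125.1.1", 15169),        # eq fails
    (VOICE_HOST, "/api/google_assistant", "203.0.113.5", 15169),   # wrong IP
    (VOICE_HOST, "/api/google_assistant", "66.249.80.5", 64496),   # wrong ASN
    ("ha.example.com", "/", "203.0.113.5", 64496),                 # other host
]

if __name__ == "__main__":
    for host, path, ip, asn in SAMPLES:
        verdict = "BLOCK" if rule_blocks(host, path, ip, asn) else "pass"
        print(f"{verdict:5} {host} {path} from {ip} AS{asn}")
```

One consequence worth seeing in the output: because the rule uses `contains` for the first path, `/anything/api/google_assistant` also passes, whereas `/auth/token/extra` is blocked by the exact `eq` match.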
I’m not sure what I’m doing wrong, but I cannot get Google Assistant to sync my devices after using CF. Let me try to explain what I did, just in case someone smarter than me can guide me:
I have a couple of subdomains for exposing HA. One of them, with mTLS enabled, works correctly just for the Android apps; the other one I want to protect via CF to allow just me and my wife to access it (via Google auth), as well as the Google Assistant integration.
The tunnel works correctly but I cannot figure out the policies.
The current policies I have to protect the “non mTLS” subdomain look like:
Name = Google IP bypass
Action = Bypass
Group = Google Assistant IPs (based on the comments here) marked as “Include”
The other one:
Name = me & my wife
Action = Allow
Include → Selector = email, Value = my email and my wife’s
The application settings look like:
Subdomain & domain properly set
Authentication = Manually selected Google and “Instant auth” checked
HTTP Only toggle activated on the settings/cookies settings page.
I can see in the Google Actions logs that the request to “sync my devices” is denied like:
{"@type":"type.googleapis.com/google.identity.accountlinking.type.AccountLinkingError", "errorReason":"Failed validating the response: Invalid JSON response: <!DOCTYPE html>
<html>
<head>
<title>Sign in ・ Cloudflare Access</title>
...