logoChat01.ai

pq o cloudflare bloqueia meu request: curl 'https:...

Tạo vào: 18 tháng 8, 2025

Trả lời bằng GPT-5 Thinking bởi Chat01

Câu hỏi

pq o cloudflare bloqueia meu request: curl 'https://lmarena.ai/api/stream/create-evaluation'
-H 'accept: /'
-H 'accept-language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7'
-H 'content-type: text/plain;charset=UTF-8'
-b '_ga=GA1.1.909869449.1755264001; __client_uat=0; __clerk_db_jwt=dvb_31KEMbfYX1Btcuyu2SmWj5diS6R; _ga_N6MCLSNCLZ=GS2.1.s1755264349o1o1g1t1755266147t1755266147j60l0l0h0; __cf_bm=zKViMODT80VSRc6yPWOil8YjrTYQGIb9_INO8tZD9lo-1755515926-1.0.1.1-g7.jQJBg5BNVfeDwksJLNytOCvzlCDJkaXTXplqOzu_oAhjcWPhmqs40d22Q8U6TT_hYZvk8tcY2ZimgXLk8WvADEufrSDgMqWaxq9O1QeM; arena-auth-prod-v1=base64-eyJhY2Nlc3NfdG9rZW4iOiJleUpoYkdjaU9pSklVekkxTmlJc0ltdHBaQ0k2SWtOVFQwNHhkM05uU0hkRlNFTkNNbGNpTENKMGVYQWlPaUpLVjFRaWZRLmV5SnBjM01pT2lKb2RIUndjem92TDJoMWIyZDZiMlZ4ZW1OeVpIWnJkM1IyYjJScExuTjFjR0ZpWVhObExtTnZMMkYxZEdndmRqRWlMQ0p6ZFdJaU9pSTJOVGM1TXpNeVlTMDFNbU15TFRRMk9XSXRPVGc0WmkxaU16TmhZMlJtTkdVMlpEVWlMQ0poZFdRaU9pSmhkWFJvWlc1MGFXTmhkR1ZrSWl3aVpYaHdJam94TnpVMU5URTVOVE14TENKcFlYUWlPakUzTlRVMU1UVTVNekVzSW1WdFlXbHNJam9pSWl3aWNHaHZibVVpT2lJaUxDSmhjSEJmYldWMFlXUmhkR0VpT250OUxDSjFjMlZ5WDIxbGRHRmtZWFJoSWpwN0ltbGtJam9pTlRCaFpEUm1ZV0l0WVdJME15MDBaRFJtTFRreVpXSXRZV0ptWlRFNU5URXhaV1U1SW4wc0luSnZiR1VpT2lKaGRYUm9aVzUwYVdOaGRHVmtJaXdpWVdGc0lqb2lZV0ZzTVNJc0ltRnRjaUk2VzNzaWJXVjBhRzlrSWpvaVlXNXZibmx0YjNWeklpd2lkR2x0WlhOMFlXMXdJam94TnpVMU1qWTBNREEyZlYwc0luTmxjM05wYjI1ZmFXUWlPaUptTURFeU1XUTBNaTFoWW1NNUxUUmpaV0l0WVRGbE55MHdOR0prT1dOa1pETTFNakFpTENKcGMxOWhibTl1ZVcxdmRYTWlPblJ5ZFdWOS5JbG1zaGhPcENfRkR4MkJfYzFPMDRwaEJvTjIyVm5XQ3ZTZzNpZkRWbWg4IiwidG9rZW5fdHlwZSI6ImJlYXJlciIsImV4cGlyZXNfaW4iOjM2MDAsImV4cGlyZXNfYXQiOjE3NTU1MTk1MzEsInJlZnJlc2hfdG9rZW4iOiI3eXZraDR2Mm95dGwiLCJ1c2VyIjp7ImlkIjoiNjU3OTMzMmEtNTJjMi00NjliLTk4OGYtYjMzYWNkZjRlNmQ1IiwiYXVkIjoiYXV0aGVudGljYXRlZCIsInJvbGUiOiJhdXRoZW50aWNhdGVkIiwiZW1haWwiOiIiLCJwaG9uZSI6IiIsImxhc3Rfc2lnbl9pbl9hdCI6IjIwMjUtMDgtMTVUMTM6MjA6MDYuMjY3MTg0WiIsImFwcF9tZXRhZGF0YSI6e30sInVzZXJfbWV0YWRhdGEiOnsiaWQiOiI1MGFkNGZhYi1hYjQzLTRkNGYtOTJlYi1hYmZlMTk1MTFlZTkifSwiaWRlbnRpdGllcyI6W10sImNyZWF0ZWRfYXQiOiIyMDI1LTA4LTE1VDEzOjIwOjA2LjI2NTcxMVoiLCJ1cGRhdGVkX2F0IjoiMjAyNS0wOC0xOFQxMToxODo0Ny4xMTA3NDlaIiwiaXNfYW5vbnltb3VzIjp0cnVlfX0; cf_clearance=L6.8YVuCxHAtU58_zxY4hTbeX7Oka6NebIP4E2FKgK8-1755515991-1.2.1.1-GxbIoov7gOMuskXt2W7fdNJdPMN2lEyNofMrNWgxzSL.OL4.FcVxpmETOoncU6zLgX3vZUh9DEkTxz1cLCJCgaifTNxH7VX_RR8yHaQuPzwzrLULWR08tufdfrkVAqj6ilUjG7fmkg3IUioWLx6.uq.Ivd.HMs9rbVSIiRcEG1z0xyWPd_SaZmnfSksuc_W97zDQiIq_RIlAxQagXSPSM664MnNkRlfPMuZ916hl9kewFQlzhWEIGRFAEZBdrxAP; ph_phc_LG7IJbVJqBsk584rbcKca0D5lV2vHguiijDrVji7yDM_posthog=%7B%22distinct_id%22%3A%2250ad4fab-ab43-4d4f-92eb-abfe19511ee9%22%2C%22%24sesid%22%3A%5B1755516120297%2C%220198bce7-4efc-72cd-bd68-ede97fcf6ba0%22%2C1755515932412%5D%2C%22%24epp%22%3Atrue%2C%22%24initial_person_info%22%3A%7B%22r%22%3A%22%24direct%22%2C%22u%22%3A%22https%3A%2F%2Flmarena.ai%2F%22%7D%7D; _ga_72FK1TMV06=GS2.1.s1755515932o2o2g1t1755516120t1755516120j20l0l0h0'
-H 'origin: https://lmarena.ai'
-H 'priority: u=1, i'
-H 'referer: https://lmarena.ai/'
-H 'sec-ch-ua: "Not;A=Brand";v="99", "Google Chrome";v="139", "Chromium";v="139"'
-H 'sec-ch-ua-arch: "x86"'
-H 'sec-ch-ua-bitness: "64"'
-H 'sec-ch-ua-full-version: "139.0.7258.128"'
-H 'sec-ch-ua-full-version-list: "Not;A=Brand";v="99.0.0.0", "Google Chrome";v="139.0.7258.128", "Chromium";v="139.0.7258.128"'
-H 'sec-ch-ua-mobile: ?0'
-H 'sec-ch-ua-model: ""'
-H 'sec-ch-ua-platform: "Windows"'
-H 'sec-ch-ua-platform-version: "19.0.0"'
-H 'sec-fetch-dest: empty'
-H 'sec-fetch-mode: cors'
-H 'sec-fetch-site: same-origin'
-H 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36'
--data-raw '{"id":"ec5ed15c-ea21-4764-9570-14ded4079e51","mode":"battle","userMessageId":"1869f827-b4c2-4bf6-93c1-a35771ed8b31","modelAMessageId":"61173745-f689-4790-b931-594ca8f1a662","modelBMessageId":"63e45bbd-da62-49da-a616-0471572e19db","messages":[{"id":"1869f827-b4c2-4bf6-93c1-a35771ed8b31","role":"user","content":"Low-angle cinematic shot of a Formula 1 pit crew helmet, towering in the frame. The glossy visor reflects a Formula 1 race car entering the pit lane, mechanics rushing around. The reflection is slightly warped by the visor curve, creating a dramatic perspective. Strong contrast, warm natural light, high-detail textures of helmet and visor. Editorial motorsport aesthetic.","experimental_attachments":[],"parentMessageIds":[],"participantPosition":"a","modelId":null,"evaluationSessionId":"ec5ed15c-ea21-4764-9570-14ded4079e51","status":"pending","failureReason":null},{"id":"61173745-f689-4790-b931-594ca8f1a662","role":"assistant","content":"","experimental_attachments":[],"parentMessageIds":["1869f827-b4c2-4bf6-93c1-a35771ed8b31"],"participantPosition":"a","modelId":null,"evaluationSessionId":"ec5ed15c-ea21-4764-9570-14ded4079e51","status":"pending","failureReason":null},{"id":"63e45bbd-da62-49da-a616-0471572e19db","role":"assistant","content":"","experimental_attachments":[],"parentMessageIds":["1869f827-b4c2-4bf6-93c1-a35771ed8b31"],"participantPosition":"b","modelId":null,"evaluationSessionId":"ec5ed15c-ea21-4764-9570-14ded4079e51","status":"pending","failureReason":null}],"modality":"chat"}' ?

Suy nghĩ

Troubleshooting Cloudflare blocks

The user seems to be wondering why Cloudflare is blocking their request. Possible reasons could be bot management, browser integrity checks, or issues like CORS, CSRF, or missing headers. Curl doesn't handle JS challenges or tokens, so it's important to use the service API with proper credentials.

Ethical considerations for bypassing security

It's important to be cautious with any attempt to bypass security, especially Cloudflare's bot protection. While using tools like Playwright might work, it could go against terms of service. Instead, follow a legitimate route: use the API, verify authentication, check headers, and contact site operators if needed.

Thought for 19s

Trả lời

Pelo jeito, o bloqueio não é “do seu JSON”, e sim do bot management/WAF da Cloudflare do site. Você está tentando chamar um endpoint pensado para ser usado pelo front-end do lmarena.ai (mesma origem, com desafios anti-bot no navegador), e o curl não reproduz isso. Pontos que costumam disparar bloqueio:

  1. Cookies e “clearances” do Cloudflare não são portáveis
    cf_clearance e __cf_bm são emitidos para aquele navegador, IP e “fingerprint” TLS. Quando você reaproveita no curl, a Cloudflare detecta inconsistência e bloqueia.

  2. Desafios de navegador ausentes
    A página geralmente exige resolver Turnstile/challenge e executar JS. O curl não roda JS nem envia os sinais esperados (integração JS, h2/h3, fingerprints), então falha.

  3. Headers “de navegador” falsos
    Esses sec-ch-ua*, sec-fetch-*, accept-language, etc., copiados do Chrome, parecem spoof quando vêm de curl. Isso costuma aumentar a pontuação de risco.

  4. Política de mesma origem / CORS + CSRF
    Mesmo com cookies de sessão (arena-auth-prod-v1, __clerk_db_jwt), o backend pode exigir Origin/Referer confiável e um token CSRF emitido no carregamento da página. De fora da origem, bloqueia.

  5. Content-Type inadequado
    Você está mandando content-type: text/plain;charset=UTF-8 com um JSON. Se o backend espera application/json, já pode cair em regra do WAF.

  6. Autenticação errada
    Muitos endpoints internos não são API pública. Precisam de um header Authorization: Bearer <api_key> emitido para chamadas server-to-server. Cookies de navegador não substituem isso.

  7. Rate limit / regras do WAF
    Repetir tentativas, IPs de datacenter ou padrões suspeitos (payload grande, campos fora do esquema) podem acionar bloqueio.

Como prosseguir (jeito “oficial” e sem brigar com a Cloudflare)

  • Use a API pública (se existir): procure documentação do lmarena.ai que descreva endpoint, autenticação com API key e Content-Type: application/json. Exemplo genérico:

    bash
    curl -X POST 'https://lmarena.ai/api/stream/create-evaluation' \
  -H 'Authorization: Bearer <SUA_API_KEY>' \
  -H 'Content-Type: application/json' \
  -d '{ ...seu payload JSON... }'

    (Sem cookies de navegador, sem headers “sec-*”.)

  • Se não houver API pública, chame o endpoint apenas pelo site, como foi projetado. Chamadas diretas de fora (curl, scripts) normalmente serão bloqueadas.

  • Não reutilize cookies do navegador: além de instáveis, podem violar os termos do serviço.

  • Ajuste o Content-Type: envie application/json para payload JSON.

  • Simplifique os headers: mantenha só Content-Type, Accept e, se aplicável, Authorization. Remova os sec-ch-ua*, sec-fetch-*, origin, etc.

  • Fale com o suporte do serviço: peça credenciais de API ou whitelist para server-to-server, se o caso de uso for legítimo.

Se você quiser, posso te ajudar a montar um curl mínimo (com application/json) a partir do seu payload — mas só vai funcionar se o serviço realmente oferecer autorização por token e permitir acesso externo a esse endpoint.

Chia sẻ Q&A này