Find what is blocking Cloudflare.
WAF/Firewall logs: which rules are triggered during API calls to SMS Fly and Checkbox (codes 403 / 1020 / JS-Challenge).
Check if Managed Challenge, Bot Fight, Super Bot Fight, etc. are blocking.
Configure targeted exceptions without weakening the overall shield.
Firewall Rule (allow) by IP ranges and ASN for SMS Fly / Checkbox OR
Firewall Rule (allow) by URI patterns, for example:
lua
(http.request.uri.path contains "/api/smsfly")
or (http.request.uri.path contains "/api/checkbox")
For excluded paths, set:
Security Level: Essentially Off (or Skip).
Captcha / JS Challenge → Skip.
Rate Limiting / Super Bot Fight → Skip.
DNS / proxying.
Ensure that outgoing client requests (cURL from PHP) bypass Cloudflare.
If API hosts are within our domain, set them to "gray cloud" (Direct DNS).
Cache and optimizations.
Rocket Loader, HTML Cache, Auto Minify — disable on API endpoints if they break headers/signatures.
Test plan (mandatory):
Enable Under Attack mode (or custom rules = same level of protection).
Create a test order:
SMS arrives.
Check passes in Checkbox.
Meanwhile — load monitoring: CPU, RAM, number of processes remain within normal limits.
No 4xx / 5xx errors from Cloudflare in logs during API operation.