How to Fix Proxy Issues with Specific Websites (Cloudflare, Akamai)

Your proxy works perfectly on most websites, but certain sites block you, return CAPTCHAs, or show error pages. This is almost always because those sites use CDN and WAF (Web Application Firewall) providers like Cloudflare, Akamai, Imperva, or Fastly, which are specifically designed to detect and block proxy traffic.

These protection layers analyze incoming traffic using dozens of signals beyond just the IP address. Understanding what they check and how to address each signal is the key to accessing protected sites through a proxy.

Why CDNs and WAFs Block Proxy Traffic

IP Reputation

CDN providers maintain databases of IP addresses categorized by type:

Data center IPs: Flagged as high risk because legitimate users rarely browse from data centers
Known proxy/VPN IPs: IPs previously identified as belonging to proxy services
Residential IPs: Considered lower risk because they belong to ISPs that serve real users
Mobile IPs: Considered lowest risk because they belong to mobile carriers

When your proxy IP has a poor reputation score, the WAF may block it outright or serve a CAPTCHA challenge.

Browser Fingerprinting

Modern WAFs go beyond IP checking. They examine:

JavaScript execution: Bots and automated tools often do not execute JavaScript properly
TLS fingerprint (JA3/JA4): The TLS client hello message reveals which software is making the request. cURL, Python requests, and headless browsers have distinct TLS fingerprints that differ from real browsers
HTTP/2 fingerprint: The order of HTTP/2 settings frames and priority trees varies by browser
Canvas and WebGL fingerprints: Used to identify the rendering engine
Mouse movements and click patterns: Behavioral analysis that detects automation

Request Patterns

WAFs detect proxy traffic through behavioral analysis:

High request volume from a single IP
Uniform request timing (no natural variation)
Missing or inconsistent headers
Accessing pages in an unnatural sequence (e.g., product pages without visiting the homepage first)

Cloudflare-Specific Issues

Challenge Pages

Cloudflare serves challenge pages (the “Checking your browser” interstitial) when it suspects bot traffic. If you see this page through your proxy, Cloudflare is not blocking the IP outright but is challenging it.

Solutions:

Use residential or mobile proxies. Cloudflare assigns higher trust scores to residential and mobile IPs. Mobile proxies from real carrier networks receive the highest trust because they share IPs with thousands of legitimate mobile users.

Rotate User-Agent strings. Use current browser User-Agent strings that match your TLS fingerprint:

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate, br",
}

Handle JavaScript challenges. Use a real browser (via Puppeteer or Playwright) that can execute Cloudflare’s JavaScript challenge. Headless browsers must be configured to avoid detection.

Cloudflare Turnstile

Cloudflare Turnstile is a CAPTCHA alternative that runs background challenges. It checks:

Browser environment integrity
User behavior signals
Device attestation

To handle Turnstile, you need a real browser environment. Basic HTTP clients cannot solve Turnstile challenges.

Error 1020: Access Denied

This error means Cloudflare’s firewall rules explicitly blocked your request. The site owner configured a rule that your request triggered. Common triggers include:

Blocked country or region
Blocked User-Agent
Blocked IP range
Missing required headers or cookies

Akamai-Specific Issues

Bot Manager

Akamai Bot Manager uses a sensor script that collects browser and device data. It generates a “sensor data” payload that must be included in requests.

Solutions:

Use a real browser that loads and executes Akamai’s sensor script
Maintain session cookies across requests, as Akamai tracks sessions
Use residential or mobile IPs that have higher trust scores in Akamai’s classification

Client Reputation

Akamai maintains client reputation scores based on:

Historical behavior of the IP address
The ASN (Autonomous System Number) the IP belongs to
Geographic consistency of requests

Data center IPs from well-known cloud providers (AWS, GCP, Azure) are immediately flagged by Akamai.

Imperva (Incapsula) Issues

Imperva uses a multi-layered detection approach:

Cookie challenge: Sets a cookie via JavaScript that must be returned in subsequent requests
CAPTCHA: Served when the cookie challenge fails or the IP is suspicious
Behavioral analysis: Monitors request patterns for bot-like behavior

Solution: Use a browser that handles cookies and JavaScript. Ensure your proxy supports persistent sessions so cookies are maintained across requests.

General Solutions for All Protected Sites

Solution 1: Use High-Quality Proxy IPs

The IP type is the single most important factor. In order of effectiveness:

Mobile proxies – Highest trust, shared with real mobile users
Residential proxies – High trust, from real ISP connections
ISP proxies – Moderate trust, static IPs from ISP ranges
Data center proxies – Lowest trust, frequently blocked

Solution 2: Match the TLS Fingerprint

Your TLS fingerprint must match a real browser. Tools like curl-impersonate mimic browser TLS fingerprints:

# curl-impersonate mimics Chrome's TLS fingerprint
curl_chrome116 -x http://proxy:8080 https://protected-site.com

In Python, use libraries like tls-client or curl_cffi:

import curl_cffi.requests as requests

response = requests.get(
    "https://protected-site.com",
    impersonate="chrome",
    proxies={"https": "http://user:pass@proxy:8080"}
)

Solution 3: Implement Proper Headers

Send a complete set of headers that match a real browser. Missing headers are a strong bot signal:

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ...",
    "Accept": "text/html,application/xhtml+xml,...",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate, br",
    "Connection": "keep-alive",
    "Upgrade-Insecure-Requests": "1",
    "Sec-Fetch-Dest": "document",
    "Sec-Fetch-Mode": "navigate",
    "Sec-Fetch-Site": "none",
    "Sec-Fetch-User": "?1",
    "DNT": "1",
}

Solution 4: Rate Limiting and Delays

Add natural variation to your request timing:

import random
import time

for url in urls:
    response = session.get(url, proxies=proxies, headers=headers)
    # Random delay between 2-5 seconds
    time.sleep(random.uniform(2, 5))

Solution 5: Session Management

Maintain consistent sessions by:

Reusing cookies across requests
Using sticky proxy sessions that maintain the same IP
Preserving the Referer header chain
Following natural navigation patterns (homepage > category > product)

Solution 6: Handle Errors Gracefully

Implement retry logic that adapts to blocking:

def fetch_with_retry(url, proxies, max_retries=3):
    for attempt in range(max_retries):
        response = session.get(url, proxies=proxies, headers=headers)
        if response.status_code == 200:
            return response
        elif response.status_code == 403:
            # Switch to a different proxy
            proxies = get_next_proxy()
            time.sleep(random.uniform(5, 15))
        elif response.status_code == 429:
            # Rate limited, back off
            time.sleep(30 * (attempt + 1))
    return None

Diagnosing Which Protection Is Active

Use the response headers and page content to identify the protection layer:

curl -x http://proxy:8080 -v https://protected-site.com 2>&1 | grep -i "server\|cf-ray\|x-akamai\|x-cdn"

cf-ray header: Cloudflare
server: AkamaiGHost: Akamai
x-iinfo header: Imperva
server: Fastly: Fastly

Understanding which protection you are facing determines which solution to apply. For definitions of CDN, WAF, and related terms, check the proxy glossary.

Conclusion

Accessing Cloudflare, Akamai, and other protected websites through proxies requires more than just changing your IP address. Modern protection layers examine TLS fingerprints, browser behavior, request patterns, and IP reputation. The most effective approach combines high-quality proxy IPs (mobile or residential), proper TLS and browser fingerprints, realistic request patterns, and session management. Start with the IP quality, as it is the easiest factor to change and has the largest impact on success rates.