Kleazy
Active member
Yes, I am one of the lucky ones that signed up with CF years ago when the new player in the CDN world and they grandfather the super low cost pro plan until this day.
It appears that some of what I posted is a pro only feature.
Cloudflare optimizations for XenForo
- Thread starter digitalpoint
- Start date
-
- Tags
- cloudflare
It appears that some of what I posted is a pro only feature.
Wildcat Media
Well-known member
Important link to keep handy:
www.cloudflarestatus.com
Seems there's a large outage at Cloudflare today, ongoing for several hours or more now. I've noticed I can't configure or do anything via the Dashboard. I've been trying to configure R2 buckets for another project and nothing will display, or I get a lot of errors.
I think what I find interesting is that a "power loss" caused the outage. If they mean electrical power, why were there no power generator backups in place for something as widely used as Cloudflare? Even my web host has dual power backups to deal with long-term outages (a second generator as a failover if one of the generators fails).
So in short, the Dashboard and many of the APIs are affected, so until they are fixed, things will not operate as they should.
Cloudflare Status
Welcome to Cloudflare's home for real-time and historical data on system performance.
www.cloudflarestatus.com
Seems there's a large outage at Cloudflare today, ongoing for several hours or more now. I've noticed I can't configure or do anything via the Dashboard. I've been trying to configure R2 buckets for another project and nothing will display, or I get a lot of errors.
I think what I find interesting is that a "power loss" caused the outage. If they mean electrical power, why were there no power generator backups in place for something as widely used as Cloudflare? Even my web host has dual power backups to deal with long-term outages (a second generator as a failover if one of the generators fails).
So in short, the Dashboard and many of the APIs are affected, so until they are fixed, things will not operate as they should.
digitalpoint
Well-known member
It's a little more complicated than that. It was the Flexential PDX02 data center, which is Cloudflare's "core" data center for North America. Specifically config changes go to the core data center and are distributed to the others. Obviously they have failover systems in place, but those failed. I'm sure there will be a big write up about it in the next day or two.
The Flexential PDX02 data center lost power, backup generators failed, data center failover failed, etc... I'm just glad it's config changes and not end-user facing stuff (like DNS or reverse proxy failing). Some tidbits if you are bored:
The power company literally just got power fully restored to the data center about 25 minutes ago, so it was out for 12 hours. But will takes time to bring everything back online and I think Cloudflare was already starting to reroute stuff to other data centers (which is why some of the more important stuff like DNS record editing is working again but other stuff isn't yet).
The Flexential PDX02 data center lost power, backup generators failed, data center failover failed, etc... I'm just glad it's config changes and not end-user facing stuff (like DNS or reverse proxy failing). Some tidbits if you are bored:
The power company literally just got power fully restored to the data center about 25 minutes ago, so it was out for 12 hours. But will takes time to bring everything back online and I think Cloudflare was already starting to reroute stuff to other data centers (which is why some of the more important stuff like DNS record editing is working again but other stuff isn't yet).
Wildcat Media
Well-known member
Thanks for the update--that makes more sense now. (I haven't had time to dig--I just wanted to find out why I've been shut out of working on it today.)It's a little more complicated than that. It was the Flexential PDX02 data center, which is Cloudflare's "core" data center for North America. Specifically config changes go to the core data center and are distributed to the others. Obviously they have failover systems in place, but those failed. I'm sure there will be a big write up about it in the next day or two.
The Flexential PDX02 data center lost power, backup generators failed, data center failover failed, etc... I'm just glad it's config changes and not end-user facing stuff (like DNS or reverse proxy failing). Some tidbits if you are bored:
And yes...I'm equally relieved it's not the public side. On the XF project I just put onto Cloudflare last Friday, we're getting numerous complaints that things are "slow" and "buggy" without providing any evidence. The last thing we'd need right now is to have CF's public-facing side have issues!
bzcomputers
Well-known member
It's a little more complicated than that. It was the Flexential PDX02 data center, which is Cloudflare's "core" data center for North America. Specifically config changes go to the core data center and are distributed to the others. Obviously they have failover systems in place, but those failed. I'm sure there will be a big write up about it in the next day or two.
The Flexential PDX02 data center lost power, backup generators failed, data center failover failed, etc... I'm just glad it's config changes and not end-user facing stuff (like DNS or reverse proxy failing). Some tidbits if you are bored:
The power company literally just got power fully restored to the data center about 25 minutes ago, so it was out for 12 hours. But will takes time to bring everything back online and I think Cloudflare was already starting to reroute stuff to other data centers (which is why some of the more important stuff like DNS record editing is working again but other stuff isn't yet).
From the sounds of it, what happened should have never even come close to happening. It definitely could be worse like you said, but there will definitely be some job reappointments and hopefully some major changes to the failsafe plan!
Been there done that, in a previous life.
It screwed up one of our Cloud site DNS provisionings.
digitalpoint
Well-known member
Yep any Cloudflare config stuff… including DNS record changes was problematic today. Still is, but things are (slowly) coming back.
Wildcat Media
Well-known member
This is sort of related to Cloudflare and XF.
I have a development forum under its own subdomain, and have it protected by Cloudflare's Zero Trust 2FA (requires a six digit code to pass). Problem is, my LetsEncrypt certificate can't renew since Cloudflare is blocking it from accessing the server.
So should I just ditch the Zero Trust and return to using restrictions in htaccess as I have done previously? (There is a way to allow certbot through to check the domain in htaccess as well, while still locking it down from the rest of the world.)
I have a development forum under its own subdomain, and have it protected by Cloudflare's Zero Trust 2FA (requires a six digit code to pass). Problem is, my LetsEncrypt certificate can't renew since Cloudflare is blocking it from accessing the server.
So should I just ditch the Zero Trust and return to using restrictions in htaccess as I have done previously? (There is a way to allow certbot through to check the domain in htaccess as well, while still locking it down from the rest of the world.)
digitalpoint
Well-known member
You could whitelist certbot’s IP block if you know it and allow it to bypass the ZTNA authentication.
Wildcat Media
Well-known member
I looked that up, and LetsEncrypt doesn't give out their IP addresses "for security reasons." 
But, I'm still interested in bypassing the authentication for my own IP address, just as an exercise to see how this all works. It's similar to a firewall but yeah, the "Cloudflare way" is way different.
I'm testing it at the moment but haven't had much luck. For the Zero Trust app, I added a "bypass" policy with my IP address and moved it up to the #1 spot, but that isn't working.
I am also thinking of trying adding a rule to to the policy where the emails are listed. In other words, Include / Emails has our staff emails, and I'm considering adding Include / IP ranges and adding them there. But that seems as though it's additive as the additional Include would mean the email and the IP address would have to match before getting past the authentication.
It's not a top priority but I will need to read a lot of the docs to figure this out.
But, I'm still interested in bypassing the authentication for my own IP address, just as an exercise to see how this all works. It's similar to a firewall but yeah, the "Cloudflare way" is way different.
I'm testing it at the moment but haven't had much luck. For the Zero Trust app, I added a "bypass" policy with my IP address and moved it up to the #1 spot, but that isn't working.
I am also thinking of trying adding a rule to to the policy where the emails are listed. In other words, Include / Emails has our staff emails, and I'm considering adding Include / IP ranges and adding them there. But that seems as though it's additive as the additional Include would mean the email and the IP address would have to match before getting past the authentication.
It's not a top priority but I will need to read a lot of the docs to figure this out.
Wildcat Media
Well-known member
...and yeah, I see now why it's not working. Duh. I was changing the application for another site. 
I went to that site and zoom...got right in without the authentication.
I went to that site and zoom...got right in without the authentication.
Last edited:
digitalpoint
Well-known member
Well... if you are using Cloudflare, you really don't need LetEncrypt... so the easy solution is to just not use it. Cloudflare will give you a certificate for your origin server, or you can just use an expired certificate without any issues (Cloudflare communicating with your origin server will do it just fine with expired certs since it's really just about encrypting, not verifying who you are), and then just use the Cloudflare issued certificate that they will auto-renew/update for you. I know this firsthand because I use a self-signed certificate that expired in 2015 on my web servers and Cloudflare is communicating with them just fine with "full" encryption to the origin (just couldn't use
Did I mention the Cloudflare origin certificates are free?
Even if you switched your dev site to HTTP AUTH via htaccess, does that really help the LetsEncrypt bot? I assume they would still need to authenticate... or maybe they just check if the domain exists.
Either way, I can't really think of a reason to use LetsEncrypt if you are using Cloudflare.
As far as the IP bypass, it definitely works... <nevermind just saw your second post, you sorted it out>
Full (strict) origin SSL). I've been meaning to switch my web servers over to a Cloudflare issues origin certificate, but just haven't gotten around to it.Did I mention the Cloudflare origin certificates are free?
Even if you switched your dev site to HTTP AUTH via htaccess, does that really help the LetsEncrypt bot? I assume they would still need to authenticate... or maybe they just check if the domain exists.
Either way, I can't really think of a reason to use LetsEncrypt if you are using Cloudflare.As far as the IP bypass, it definitely works... <nevermind just saw your second post, you sorted it out>
Last edited:
digitalpoint
Well-known member
Oh, now I remember why I'm using a self-signed origin cert rather than a Cloudflare issued one... because I just wanted to worry about managing a single SSL cert ("manage" is used loosely here, because it doesn't need to be valid for the hostname and can even be expired). Since all my web server traffic is served via Cloudflare, only Cloudflare sees the self-signed/invalid/expired cert.
Cloudflare issued origin certs are valid for 15 years (great), but only for a single domain. Easier to spin up new websites without screwing around with origin certs for each domain.
Cloudflare issued origin certs are valid for 15 years (great), but only for a single domain. Easier to spin up new websites without screwing around with origin certs for each domain.
Wildcat Media
Well-known member
This sample is from LetsEncrypt (which writes to the /.well-known/ directory on the server):
Apache config:
RewriteEngine On
RewriteBase /
SetEnvIf Request_URI "^/\.well-known/" acme
Order deny,allow
Deny from all
Allow from x.x.x.x
Allow from env=acmeIf I ever need to move away from Cloudflare in the future or need to disable the proxy on any of the sites, I'd rather not scramble to set up certificates. It all renews automatically except when it hits a little hiccup like this one, so it's basically hands off and I never have to give it any thought. I rarely set up new sites anymore (getting out of the business slowly), so if I have to create a new certificate once every year or two, that's not a big deal. And setting CF to "Full (strict)" has always worked.
They were already set up before I began using CF.If I were still in development or hosting, I could see using CF exclusively.
digitalpoint
Well-known member
If LetEncrypt just needs to access the
.well-known directory, you could whitelist that with ZTNA as well?
Wildcat Media
Well-known member
Ooh, that's possible? I'll look into that when I'm home later. (I'm no Black Belt in knowing Cloudflare!)
Have to take someone in for dental surgery today so most of the day is kaput.
Automotive101
Member
hiya, any recommended / suggested Cache Rules worth setting up ? thanks
digitalpoint
Well-known member
If you are asking the question, probably not. My advice is to go with a Free plan, and then down the road if you run into something you need that is only supported on a paid plan, you can upgrade at that point. Personally, I have zero sites that are running on XenForo 2 that are on a paid Cloudflare plan.
Thanks so much for that.
Another question: have you or anyone else posted their WAF Rules for xf 2?
Similar threads
- Solved
