Cloudflare optimizations for XenForo

Wildcat Media

Well-known member
The proxies are all good now, thanks!

I was looking at the Access selection, and came across this when I was looking to try setting it up for our admin and install URLs:

You need to have Cloudflare Access Login Methods setup that support email addresses (most importantly, it needs to support your email address on your account here).

I'm not quite sure what I need to set up on Cloudflare first. The Cloudflare icon takes me to the Zero Trust dashboard / Access / Applications. In the forum if I click the Add Cloudflare Access policy button, nothing happens, as expected...
 

digitalpoint

Well-known member
Looks like they changed some wording and locations for the setup. It's under Cloudflare Dashboard -> Zero Trust -> Settings -> Authentication -> Login methods
 

Wildcat Media

Well-known member
OK, I followed that. Here's where I'm at. I had "One-time PIN" automatically selected but all the others are not related to email, other than being third party sites.

[Attached screenshot: 1674087708652.png]

I must be missing something?

I'm starting to think .htaccess logins would be easier at this point, and at least our admin and install options would be available without a third party between them.
 

digitalpoint

Well-known member
Never tried One-time PIN myself, but ya... if Zero Trust isn't what you need, don't use it. 🤷🏻‍♂️

Definitely not a good idea to do anything with Cloudflare just for the sake of doing it but not understanding what it is or if you need it. If you aren't sure if you need it, you don't need it. :)
 

Wildcat Media

Well-known member
I was thinking that it offered a better way to secure our admin and install, without having to set up a dual login with htaccess (which, even over a decade and a half later, still confuses our staff). Or at least, that's what I understood it was for, and was willing to set it up and give it a try to see how it worked. It's just that I'm not used to Cloudflare's terminology and way of doing things, although I understand the concepts behind it when it's explained better.
 

digitalpoint

Well-known member
They have a ton of info about the Zero Trust Access service if you want to look into it:


Basically it allows you to secure things at the network level, so even if the application had security issues, or the web server had an issue where .htaccess broke or users had their credentials stolen, it doesn't matter because you are controlling access to certain things at the network level. That's the short version. :)
 

Wildcat Media

Well-known member
I managed to get Access to work. 👍 The Internet didn't break, nobody died, and unicorns are still puking rainbow-colored kittens or something.

The key was to first create an Access Group, then create two applications--one for admin.php, the other for install/. Then, go to the Setup / Cloudflare / Access page in the XenForo admin to click the magic buttons and have the two applications connected to XenForo (however that works).

I'm guessing that I would need to manually add all the email addresses from our admin staff into the Access Group. Under "Group configuration" I have the selector set to Emails, and put my admin email address in there. When I configure both applications, under the Policy settings, I find that I have to select something under "Create additional rules", so that is where I've set the selector to Login Methods, and selected One-Time Pin. This is confusing since the wording in this section says, "If you’re assigning one or more groups to this application, any rules you create now will be applied in addition to group rules." Making me think that my selector for emails in the Access Group would apply without my having to fill in anything here. And it's redundant if I have to enter my email address here again--it won't let me leave the field blank, in other words.

So for now, it works with a one-time PIN and my email address. And other email addresses get no code sent to them. When I check under Users, I see my email address listed as active, with the option to revoke access or remove user.
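
A check of the setup described in this post, as an added example that is not part of the thread or of the add-on: it requests the two protected paths without a session and confirms each one is redirected to the Access login. The `.cloudflareaccess.com` redirect host, the path variants and `forum.example.com` are assumptions.

```python
import urllib.error
import urllib.parse
import urllib.request

# Paths from the post above, plus sub-path/query variants so a coverage gap shows up.
PATHS = ["/admin.php", "/admin.php?tools/", "/install/", "/install/index.php"]
# Assumption: unauthenticated requests are redirected to <team>.cloudflareaccess.com.
ACCESS_SUFFIX = ".cloudflareaccess.com"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow; urllib then raises HTTPError carrying the 3xx


def classify(status, location):
    """Classify one unauthenticated response to a path that should be behind Access."""
    if status in (301, 302, 303, 307, 308) and location:
        host = urllib.parse.urlsplit(location).hostname or ""
        return "gated" if host.endswith(ACCESS_SUFFIX) else "redirect-elsewhere"
    if status in (401, 403):
        return "blocked"
    return "exposed" if 200 <= status < 300 else "unknown"


def probe(base_url, path, timeout=10):
    """Fetch base_url + path without cookies or redirects and classify the answer."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(base_url.rstrip("/") + path, timeout=timeout)
        return classify(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get("Location"))


def not_gated(responses):
    """responses maps path -> (status, Location); return the paths Access did not gate."""
    return sorted(p for p, (s, loc) in responses.items() if classify(s, loc) != "gated")


# Constructed sample (not real traffic): install/ was left without an application.
LOGIN = "https://example-team.cloudflareaccess.com/cdn-cgi/access/login/forum.example.com"
SAMPLE = {"/admin.php": (302, LOGIN), "/admin.php?tools/": (302, LOGIN),
          "/install/": (200, None), "/install/index.php": (200, None)}

if __name__ == "__main__":
    print("not gated in sample:", not_gated(SAMPLE))
    # Live check against your own forum (hypothetical URL):
    # for p in PATHS: print(p, probe("https://forum.example.com", p))
```

Run the commented-out loop from a browser-less machine with no Access session; any path that does not come back as `gated` is reachable without passing the Access login.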
 

hellreturn

Active member
@digitalpoint - is there any tutorial you have on setting up a Worker in Cloudflare? Or by any chance does anyone have one? Thank you in advance.

Also, any thoughts on enabling JIT? Does it make a difference? Thanks
 

digitalpoint

Well-known member
What’s your use case for Workers? I use them in my addon so people can use it as a proxy for image caching and unfurling. But you would need to know what your end goal is before you can figure out if Workers might be appropriate.
 

digitalpoint

Well-known member
BTW, I forgot to mention that Cloudflare ever so slightly changed how applications are created via the API, which is why the addon couldn't do it for you automatically. It was since changed to adhere to their new schema so it should work from within addon again (doesn't help you now I know, but just FYI).
 

Joe Link

Well-known member
Early Hints: Turn this OFF. This can actually have a counter-productive effect where you are forcing users to load static resources like images and JavaScript (which XenForo has a lot of) on every page view even if they have it cached already in their browser.

@digitalpoint I noticed this is now turned On when using the Easy Config button in your CF addon. Is this now recommended?
 

digitalpoint

Well-known member
Doesn't seem to actually affect anything either way with XenForo, so don't think it really matters one way or the other. I have yet to see an Early Hints HTTP header come down from Cloudflare when using XenForo, but at least it doesn't seem to hurt anything. 🤷🏻‍♂️
 

Joe Link

Well-known member
Thanks for the quick reply :)
 

Wildcat Media

Well-known member
I tried the Easy Config button in the add-on, making note of what I had set beforehand. I must have made my settings correctly as only two of the settings changed.

I remember a long time ago trying the Rocket Loader when it first launched, and it broke a lot of things on the site. I haven't touched it since.
 