Cloudflare optimizations for XenForo

Important link to keep handy:


Seems there's a large outage at Cloudflare today, ongoing for several hours or more now. I've noticed I can't configure or do anything via the Dashboard. I've been trying to configure R2 buckets for another project and nothing will display, or I get a lot of errors.

I think what I find interesting is that a "power loss" caused the outage. If they mean electrical power, why were there no power generator backups in place for something as widely used as Cloudflare? Even my web host has dual power backups to deal with long-term outages (a second generator as a failover if one of the generators fails).

So in short, the Dashboard and many of the APIs are affected, so until they are fixed, things will not operate as they should.
 
It's a little more complicated than that. It was the Flexential PDX02 data center, which is Cloudflare's "core" data center for North America. Specifically, config changes go to the core data center and are distributed to the others. Obviously they have failover systems in place, but those failed. I'm sure there will be a big write up about it in the next day or two.

The Flexential PDX02 data center lost power, backup generators failed, data center failover failed, etc... I'm just glad it's config changes and not end-user facing stuff (like DNS or reverse proxy failing). Some tidbits if you are bored:


The power company literally just got power fully restored to the data center about 25 minutes ago, so it was out for 12 hours. But it will take time to bring everything back online and I think Cloudflare was already starting to reroute stuff to other data centers (which is why some of the more important stuff like DNS record editing is working again but other stuff isn't yet).
 
Thanks for the update--that makes more sense now. (I haven't had time to dig--I just wanted to find out why I've been shut out of working on it today.)

And yes...I'm equally relieved it's not the public side. On the XF project I just put onto Cloudflare last Friday, we're getting numerous complaints that things are "slow" and "buggy" without providing any evidence. The last thing we'd need right now is to have CF's public-facing side have issues!
 
From the sounds of it, what happened should have never even come close to happening. It definitely could be worse like you said, but there will definitely be some job reappointments and hopefully some major changes to the failsafe plan!
 
This is sort of related to Cloudflare and XF.

I have a development forum under its own subdomain, and have it protected by Cloudflare's Zero Trust 2FA (requires a six digit code to pass). Problem is, my LetsEncrypt certificate can't renew since Cloudflare is blocking it from accessing the server.

So should I just ditch the Zero Trust and return to using restrictions in htaccess as I have done previously? (There is a way to allow certbot through to check the domain in htaccess as well, while still locking it down from the rest of the world.)
 
I looked that up, and LetsEncrypt doesn't give out their IP addresses "for security reasons." 😐

But, I'm still interested in bypassing the authentication for my own IP address, just as an exercise to see how this all works. It's similar to a firewall but yeah, the "Cloudflare way" is way different.

I'm testing it at the moment but haven't had much luck. For the Zero Trust app, I added a "bypass" policy with my IP address and moved it up to the #1 spot, but that isn't working.

I am also thinking of trying adding a rule to the policy where the emails are listed. In other words, Include / Emails has our staff emails, and I'm considering adding Include / IP ranges and adding them there. But that seems as though it's additive as the additional Include would mean the email and the IP address would have to match before getting past the authentication.

It's not a top priority but I will need to read a lot of the docs to figure this out.
 
...and yeah, I see now why it's not working. Duh. I was changing the application for another site. 🤦‍♂️ I went to that site and zoom...got right in without the authentication.
 
Well... if you are using Cloudflare, you really don't need LetsEncrypt... so the easy solution is to just not use it. Cloudflare will give you a certificate for your origin server, or you can just use an expired certificate without any issues (Cloudflare communicating with your origin server will do it just fine with expired certs since it's really just about encrypting, not verifying who you are), and then just use the Cloudflare issued certificate that they will auto-renew/update for you. I know this firsthand because I use a self-signed certificate that expired in 2015 on my web servers and Cloudflare is communicating with them just fine with "full" encryption to the origin (just couldn't use Full (strict) origin SSL). I've been meaning to switch my web servers over to a Cloudflare issued origin certificate, but just haven't gotten around to it.

Did I mention the Cloudflare origin certificates are free? :)

Even if you switched your dev site to HTTP AUTH via htaccess, does that really help the LetsEncrypt bot? I assume they would still need to authenticate... or maybe they just check if the domain exists. 🤷🏻‍♂️ Either way, I can't really think of a reason to use LetsEncrypt if you are using Cloudflare.

As far as the IP bypass, it definitely works... <nevermind just saw your second post, you sorted it out>
 
Oh, now I remember why I'm using a self-signed origin cert rather than a Cloudflare issued one... because I just wanted to worry about managing a single SSL cert ("manage" is used loosely here, because it doesn't need to be valid for the hostname and can even be expired). Since all my web server traffic is served via Cloudflare, only Cloudflare sees the self-signed/invalid/expired cert.

Cloudflare issued origin certs are valid for 15 years (great), but only for a single domain. Easier to spin up new websites without screwing around with origin certs for each domain.
 
Even if you switched your dev site to HTTP AUTH via htaccess, does that really help the LetsEncrypt bot?
This sample is from LetsEncrypt (which writes to the /.well-known/ directory on the server):

Apache config (2.2-style access control; on Apache 2.4 this syntax needs mod_access_compat):
RewriteEngine On
RewriteBase /
# Tag any request under /.well-known/ (where the ACME HTTP-01 challenge files live)
SetEnvIf Request_URI "^/\.well-known/"  acme

# Deny everyone, then allow your own address and any request tagged "acme"
Order deny,allow
Deny from all
Allow from x.x.x.x
Allow from env=acme


Either way, I can't really think of a reason to use LetsEncrypt if you are using Cloudflare.
If I ever need to move away from Cloudflare in the future or need to disable the proxy on any of the sites, I'd rather not scramble to set up certificates. It all renews automatically except when it hits a little hiccup like this one, so it's basically hands off and I never have to give it any thought. I rarely set up new sites anymore (getting out of the business slowly), so if I have to create a new certificate once every year or two, that's not a big deal. And setting CF to "Full (strict)" has always worked. 👍 They were already set up before I began using CF.

If I were still in development or hosting, I could see using CF exclusively.
 
If LetsEncrypt just needs to access the .well-known directory, you could whitelist that with ZTNA as well?
Ooh, that's possible? I'll look into that when I'm home later. (I'm no Black Belt in knowing Cloudflare!)

Have to take someone in for dental surgery today so most of the day is kaput.
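One way to check whether challenge requests actually get past Access to the origin before the next renewal comes due. This is an added example, not code from the thread; the dev.example.com hostname is a placeholder, and the assumption that an unauthenticated request to an Access-protected path is answered with a redirect to a *.cloudflareaccess.com login URL is mine, not something the thread states.

```python
import urllib.error
import urllib.request
from typing import Optional

ACME_PREFIX = "/.well-known/acme-challenge/"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the Location header can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status: int, location: Optional[str], hostname: str) -> str:
    """Turn a probe response into a verdict.

    Assumption (not from the thread): Cloudflare Access answers an unauthenticated
    request to a protected path with a 30x redirect to a *.cloudflareaccess.com
    login URL. A plain http->https redirect to the same host is harmless, since
    ACME validators follow it.
    """
    loc = (location or "").lower()
    if 300 <= status < 400:
        if ".cloudflareaccess.com/" in loc:
            return "blocked-by-access"
        if loc.startswith(f"https://{hostname.lower()}/"):
            return "https-redirect"
        return "unexpected-redirect"
    if status == 403:
        return "blocked-other"      # WAF rule, firewall rule, or origin-side deny
    if status == 404 or 200 <= status < 300:
        return "reachable"          # origin answered; 404 is normal with no token staged
    return f"unexpected-{status}"


def probe(hostname: str, scheme: str = "https", token: str = "probe-token") -> str:
    """Request a throwaway challenge path on the given host and classify the reply."""
    url = f"{scheme}://{hostname}{ACME_PREFIX}{token}"
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return classify(resp.status, resp.headers.get("Location"), hostname)
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get("Location"), hostname)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "dev.example.com"  # placeholder hostname
    print(host, "->", probe(host))
```

A "reachable" verdict (typically a 404 from the origin) means the bypass for /.well-known/ is working; "blocked-by-access" means the renewal will fail the same way it did above.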
 
Gents, thought it might be best to ask this here as opposed to a new thread:

Is there a compelling reason to pay for the Pro plan for xf forums?
 
If you are asking the question, probably not. My advice is to go with a Free plan, and then down the road if you run into something you need that is only supported on a paid plan, you can upgrade at that point. Personally, I have zero sites that are running on XenForo 2 that are on a paid Cloudflare plan.
 
Thanks so much for that.

Another question: have you or anyone else posted their WAF Rules for xf 2?
 