Cloudflare optimizations for XenForo

avalanch said:
Also before I go to sleep, does xf still have issues resolving visitors IP's from cloudflare? Or did XF push a fix for this? If not what is needed?

developers.cloudflare.com

Using Cloudflare with various forums · Cloudflare Support docs

Many widely used forum platforms are compatible with Cloudflare.
developers.cloudflare.com
Click to expand...
To me this was never an XF issue but a server issue, since I had to do this fix back when I was on vB.
I used to use mod_cloudflare, but have been using mod_remoteip for the past several years as described here:
developers.cloudflare.com

Restoring original visitor IPs · Cloudflare Support docs

When your website traffic is routed through the Cloudflare network , we act as a reverse proxy. This allows Cloudflare to speed up page load time by …
developers.cloudflare.com
 
Still going well, but the larger forum I admin is hosted at a larger managed server, where we don't have root access. Our LetsEncrypt certificates expired and made a mess out of everything. Unfortunately they don't accept outside certs (although since I've been there nearly 24 years, they probably could be convinced--they instead want you to buy their certificates), but I don't know what is different about their setup vs. my other sites which are unmanaged (both run on Apache), as mine update every 60 days like clockwork. And both are behind Cloudflare. I had to disable the proxies for the sites on the managed server, get support to manually update the certificates (as they were using it on some sort of cron job once an hour), then reenable the proxy.

We might just move the managed instance over here to XF Cloud, once we can afford it. I could run the forum myself hosted at an unmanaged server (and I do for numerous other sites) but, since I'm not always available 24/7, and it is a very busy and active site, the owner wants that safety net. It's busy enough that if issues happen, they happen fast, and happen large. (Thing is, I'm probably taking on another job where I'll be nowhere near a computer, plus, I travel where I'm away from a computer for days at a time. I can see his point.)

I guess we'll see how it plays out. Main thing is, the expired certificates caused us a lot of grief with Cloudflare in the mix. I'm going to be digging in to see if I can find a way to fix this, while we decide what to do host-wise.
 
Wildcat Media said:
Still going well, but the larger forum I admin is hosted at a larger managed server, where we don't have root access. Our LetsEncrypt certificates expired and made a mess out of everything. Unfortunately they don't accept outside certs (although since I've been there nearly 24 years, they probably could be convinced--they instead want you to buy their certificates), but I don't know what is different about their setup vs. my other sites which are unmanaged (both run on Apache), as mine update every 60 days like clockwork. And both are behind Cloudflare. I had to disable the proxies for the sites on the managed server, get support to manually update the certificates (as they were using it on some sort of cron job once an hour), then reenable the proxy.

We might just move the managed instance over here to XF Cloud, once we can afford it. I could run the forum myself hosted at an unmanaged server (and I do for numerous other sites) but, since I'm not always available 24/7, and it is a very busy and active site, the owner wants that safety net. It's busy enough that if issues happen, they happen fast, and happen large. (Thing is, I'm probably taking on another job where I'll be nowhere near a computer, plus, I travel where I'm away from a computer for days at a time. I can see his point.)

I guess we'll see how it plays out. Main thing is, the expired certificates caused us a lot of grief with Cloudflare in the mix. I'm going to be digging in to see if I can find a way to fix this, while we decide what to do host-wise.
Click to expand...
Cloudflare should continue working even with an expired cert because you have the option to tell it not to care about the expiration, just cares that the connection is encrypted.

The only time it cares is when you're using Full (strict) mode. In your case, since you can't automatically renew your certs, you should be using Full mode.
 
⭐ Alex ⭐ said:
Cloudflare should continue working even with an expired cert because you have the option to tell it not to care about the expiration, just cares that the connection is encrypted.
Click to expand...
Cloudflare works with an expired cert, but our server doesn't. That's a problem with the host, not us.
 
I have a test subdomain for a XenForo instance. I was using Zero Trust to block the entire subdomain.

However, I think I could block just the XenForo installation (installed in the subdomain's root) setting the "application domains" (aka application paths) as follows:

test.domain.com/index*
test.domain.com/admin*
test.domain.com/install*

...as these fields can accept wildcards.

Cloudflare says:

1703781243259.webp

So...this should work?


Somewhat related, I can't get a rule to work. I had deleted it a few weeks ago, but created a new one to replace it. But I can't get Zero Trust to block the subdomain I am using it on--I can access it from everywhere with no blocking.

The only difference is that this time, I used an access group with a list of emails vs. entering the emails individually. And, the same with staff IP addresses (which are used under a separate Bypass policy).

I am accessing the forum now, using a browser I haven't touched in a year, and a VPN to change my IP address, so I have a reliable means of testing it without any tokens being stored on the computer. Comparing to another rule, everything is set exactly the same.

Maybe the Access Group feature is broken? I am applying it correctly. The following "Assign a group" section appears when you add one or more access groups.

1703781688642.webp

And the group is defined as such:

1703781854431.webp

Yet, the problem I'm having is that the sudomain is not being blocked this time. So I can still access it from everywhere. It's not like everything is blocked, and no email or IP address will work.

I think it's a "me" problem (getting old sucks, folks) but for the life of me, I can't figure it out. I'll report back if I can get it fixed...
 
I'd say it's fairly safe to say that your Zero Trust Access rule is either not matching the request, or you have a different rule taking priority that is letting it through.

If Cloudflare's Zero Trust Access system simply stopped working as designed it would be pretty catastrophic to the security of the entire Internet (it would be better for Cloudflare to stop routing ALL network traffic until they fixed it if they had to).
 
digitalpoint said:
I'd say it's fairly safe to say that your Zero Trust Access rule is either not matching the request, or you have a different rule taking priority that is letting it through.
Click to expand...
I agree, there is something letting access through. I have only a single rule for this subdomain, and I'm not seeing why it won't work using a "clean" browser and a VPN (to rule out anything stored in a browser).

I only have the two policies--one works with email addresses, and the second bypasses based on IP. In two rules, they are in the same order, and the policies set up exactly the same, with the only difference being the Access Groups being used rather than individual emails or IPs.

One helpful thing I found is that we can go back and look at a log of our exact changes. It even includes showing what I deleted a couple of weeks ago. Once I'm in a clearer mindset, I may take a look at it.
 
Well, what I would do is simplify everything and slowly add individual things until you fnid the culprit. Like start with blocking test.yourdomain.com/zero-trust-test for everyone. Check if that works as intended, if it does add one more thing... like allowing one user to access it. Check that... etc, etc...

You will find which exact part is causing an issue as you add one thing at a time.
 
digitalpoint said:
Well, what I would do is simplify everything and slowly add individual things until you fnid the culprit. Like start with blocking test.yourdomain.com/zero-trust-test for everyone. Check if that works as intended, if it does add one more thing... like allowing one user to access it. Check that... etc, etc...

You will find which exact part is causing an issue as you add one thing at a time.
Click to expand...
Yeah, that's what I'm thinking also. 👍 And I might even start over again with a blank slate and add one piece in at a time to find out what is "leaking."
 
digitalpoint said:
You will find which exact part is causing an issue as you add one thing at a time.
Click to expand...
I realized that I had to set the test subdomain to "Proxy" rather than "DNS only" in DNS settings. I changed the setting yesterday and now it seems to be working.

I also found that I don't need wildcards for Zero Trust protection--on the test subdomain, I can simply use index.php, admin.php and install as paths, and those are all protected now.

For the LetsEncrypt renewal issue, though, I need to get on the hosting company about it. I can't be the only one using CloudFlare and LetsEncrypt. I have to see if they will accept outside certificates (vs. selling us one of their own for each domain and subdomain).
 
digitalpoint said:
Use Workers for your image proxy and URL proxy (doing this will give you a high-performance/free way to hide your server's IP address when it makes a request for images or URLs).
Click to expand...
Any pointer to configure to configure this?
Thanks for the tutorial.
 
You must log in or register to reply here.

Similar threads

C
  • Question Question
reCAPTCHA replacement via CloudFlare
Replies
1
Views
353
digitalpoint
digitalpoint
Sim
User being blocked from my site by Cloudflare
Replies
11
Views
441
⭐ Alex ⭐
⭐ Alex ⭐
newbNox
  • Solved
XF 2.2 Xenforo / Cloudflare timeout when importing style
Replies
6
Views
609
newbNox
newbNox
AndrewSimm
XF 2.2 externalDataUrl and non-friendly, friendly, and Cloudflare R2
Replies
4
Views
461
AndrewSimm
AndrewSimm
Artonn
DigitalOcean, Cloudflare and SES.
Replies
15
Views
1K
Wildcat Media
Wildcat Media
Top Bottom