CloudFlare Page Rules

Ntown

Well-known member
For xf 2.x, what are the three must-have default Cloudflare Page Rules that everyone should be using?

Odd that there's no real definitive guide on this (that I can find anyway).
 

JulianD

Well-known member
I know the following rules are not for everyone but those two are a must for me. Since I host all my files in DigitalOcean Space, when a user request an attachment, the server has to go to the Space bucket, download it and then serve it back to the client. For a lot of my threads, users tend to upload between 10 and 20 images per posts and this would put a pressure to the server that I'm not comfortable with.

So I created this set of rules to fix that problem:


But be warned: any private attachment from private forums and private conversations will be cached as well.
 

digitalpoint

Well-known member
Edge caching attachments will cause you to lose some XenForo functionality. Specifically, attachment view counts as well as varying attachment permissions for different user groups (if you have any).

These are the 3 Cloudflare Page Rules I use:

1597427727518.png

I ended up disabling the styles and js rules because that can be achieved with a properly configured web server. CSS is the only one that is really needed because Cloudflare will not cache a request with a php extension unless you force it to with a page rule.
 

arn

Well-known member
I know the following rules are not for everyone but those two are a must for me. Since I host all my files in DigitalOcean Space, when a user request an attachment, the server has to go to the Space bucket, download it and then serve it back to the client. For a lot of my threads, users tend to upload between 10 and 20 images per posts and this would put a pressure to the server that I'm not comfortable with.

So I created this set of rules to fix that problem:



But be warned: any private attachment from private forums and private conversations will be cached as well.

The main one I'd add is www.domain.com/data/*

for avatars and thumbnails.,
 

digitalpoint

Well-known member
The main one I'd add is www.domain.com/data/*

for avatars and thumbnails.,
Avatars and thumbnails have file extensions that are cacheable by Cloudflare, so it's not necessary to create specific page rules for them as long as your web server is configured properly.

For Nginx, I use this in the config (which in turn passed through by Cloudflare and causes things to be cached at the edge for a year without needing to use up any of your Cloudflare page rules):

NGINX:
 location /data/ {
                add_header Cache-Control "public, max-age=31536000";
        }
        location /js/ {
                add_header Cache-Control "public, max-age=31536000";
        }
        location /styles/ {
                add_header Cache-Control "public, max-age=31536000";
        }
        location /favicon.ico {
                add_header Cache-Control "public, max-age=31536000";
        }
        location ~ \.(svgz)$ {
                add_header Content-Encoding "gzip";
                add_header Vary "Accept-Encoding";
                add_header Cache-Control "public, max-age=31536000";
        }
 

Ntown

Well-known member
Security High in admin might cause you some problems with saving templates.

It's also possible this can become a problem with regular posting if people are posting what looks like code.
I actually noticed that when I posted. I disabled Security altogether for Admin and set it to Essentially Off sitewide. Thanks.
 

digitalpoint

Well-known member
Maybe I’m confused... but either way, no... don’t see a reason for page rules for the admin area. If you use Cloudflare Access (what I was talking about originally), it more or less puts the admin area behind a firewall.
 

Ntown

Well-known member
Ahhh, it was my mistake. I misread your response and the last one clears it up.

If Access was free past Sept. 1, I'd absolutely use it. However...

this is a brand new forum and I live in a country not known for spammers (I see very, very few instances of this country code in my CSF logs for trigger LFD DENY). So I just have /admin* set to BLOCK every country but mine. Pretty damned effective for free, don't you think?

Question: do any of you guys know of someone who has an effective way to use 2FA to reach apps? Or everyone just uses Cloudflare Access if they want that?
 

digitalpoint

Well-known member
I believe Access is free for 5 or less users (even past September 1). Their verbiage is a little confusing about it, but it reads that way to me.

1597596619974.png
 
Top