[DigitalPoint] App for Cloudflare® 1.5.7

[sbj]

Thanks for the answer. Now it gives me a clear idea about the addon. The limiting of ACP access or internal_data access sounds very interesting.

About the referrer spam bots, I assume you blocked them by adding a rule on CF. My question would be how did you come up with that in first place? Probably experienced server admins have already such precautions but I am not a seaoned one when it comes to such things. And I am hearing about "referrer spam bots" the first time from you, so just curious about it in general. Like should we all have that? How did you notice that it is a huge problem (yeah, I don't read my server's logs , always better to ask people who know this stuff).

 

[digitalpoint]

Thanks for the answer. Now it gives me a clear idea about the addon. The limiting of ACP access or internal_data access sounds very interesting.

About the referrer spam bots, I assume you blocked them by adding a rule on CF. My question would be how did you come up with that in first place? Probably experienced server admins have already such precautions but I am not a seaoned one when it comes to such things. And I am hearing about "referrer spam bots" the first time from you, so just curious about it in general. Like should we all have that? How did you notice that it is a huge problem (yeah, I don't read my server's logs , always better to ask people who know this stuff).

It's unique for each site. Your server logs is your friend.

 

[eva2000]

Does the free plan of CloudFlare have anything particularly useful for someone like me? Just in general.

Cloudflare free plan benefits are tremendous for any site regardless if it's Xenforo or not. The only time CF Free plan isn't recommended really depending on your priorities are

1. If your server is in India or Australia and 100% of your visitors are in the same country as the server. CF free plans routing to India and Australia aren't as good as higher paid CF plans - as you move up in CF plans so does the network routing. I wrote on my blog benefits of Cloudflare Business plan which explains Cloudflare's CDN network prioritization as you move up from free to paid plans at https://blog.centminmod.com/2022/05/19/2794/what-are-the-benefits-of-using-cloudflare-business-plan/. But security you can configure from Cloudflare from your site is still beneficial just not the CDN performance part. But if you have traffic in other geographic parts of the world then yes Cloudflare CDN on free plan is worth it.

2. If your site is predominantly serving self-hosted videos/images in a larger proportion than your HTML assets due to CF's ToS 2.8 section https://www.cloudflare.com/terms/ titled Limitation on Serving Non-HTML Content. Supplemental Terms allow CF Workers, R2 S3 object storage to serve such non-HTML assets though as they're separately paid add on services separate from your CF plan. CF Enterprise plans do have the ability to negotiate what is further allowed though

The Services are offered primarily as a platform to cache and serve web pages and websites. Unless explicitly included as part of a Paid Service purchased by you, you agree to use the Services solely for the purpose of (i) serving web pages as viewed through a web browser or other functionally equivalent applications, including rendering Hypertext Markup Language (HTML) or other functional equivalents, and (ii) serving web APIs subject to the restrictions set forth in this Section 2.8. Use of the Services for serving video or a disproportionate percentage of pictures, audio files, or other non-HTML content is prohibited, unless purchased separately as part of a Paid Service or expressly allowed under our Supplemental Terms for a specific Service. If we determine you have breached this Section 2.8, we may immediately suspend or restrict your use of the Services, or limit End User access to certain of your resources through the Services.

But like @digitalpoint, I use Cloudflare for the past 11yrs in front of all my sites - couple hundred on Cloudflare free, pro, business and enterprise plans

If you're new to Cloudflare, register on their forums too https://community.cloudflare.com/. Disclaimer, since 2018 I'm also an official Cloudflare MVP https://community.cloudflare.com/t/cloudflare-mvp/36581 so you'd see some CF MVPs on the community that also help out

 

[eva2000]

About the referrer spam bots, I assume you blocked them by adding a rule on CF. My question would be how did you come up with that in first place?

That is also where Cloudflare paid pro and higher plans have benefits, they have more extensive traffic, cache and security firewall analytics you can inspect/filter to come up with patterns that you want to block and/or allow. But as @digitalpoint stated origin server logs also help. If you're using Nginx you can setup JSON formatted logging too. I wrote a guide for my Centmin Mod LEMP stack users at https://community.centminmod.com/threads/how-to-configure-nginx-for-json-based-access-logging.19641/

 

[RaptureForums]

Hi,
I noticed in the screen shots of this new add-on that the feature "Early Hints" was selected to be off. I was thinking of turning this feature on and wanted see if anyone else had any experience with it or not? I was wondering if it was recommended by other XF forum owners to turn it on?

I know of the isues with the Rocket Loader feature, so I am always hesitant to flip switches on the CF side of things.

Also, I think I am going to leave the Automatic Signed Exchanges feature off after seeing some comments that it might not be widely supported yet.

Does any one run into any trouble with Image resizing rules on XF? I have that off and thought about turning it on to see if that help speed scores any. What is your feeling about turning that feature on?

Also, I see DigitalPoint's two rules listed on the screenshot at the beginning of the thread. I don't have any rules on my CF account yet. As for the two rules are the asterisk marks at the beginning and end of the URL in the screenshot required?

Thank you for your help in advance.

 

[digitalpoint]

Hi,
I noticed in the screen shots of this new add-on that the feature "Early Hints" was selected to be off. I was thinking of turning this feature on and wanted see if anyone else had any experience with it or not? I was wondering if it was recommended by other XF forum owners to turn it on?

I know of the isues with the Rocket Loader feature, so I am always hesitant to flip switches on the CF side of things.

Also, I think I am going to leave the Automatic Signed Exchanges feature off after seeing some comments that it might not be widely supported yet.

Does any one run into any trouble with Image resizing rules on XF? I have that off and thought about turning it on to see if that help speed scores any. What is your feeling about turning that feature on?

Also, I see DigitalPoint's two rules listed on the screenshot at the beginning of the thread. I don't have any rules on my CF account yet. As for the two rules are the asterisk marks at the beginning and end of the URL in the screenshot required?

Thank you for your help in advance.

I don’t personally use Early Hints with XenForo installs, because Early Hints (and pushing page resources down the network before they are asked for) has some issues when the content is static and properly cached in the user’s browser. You aren’t waiting for the browser to tell you if it already has that file cached, instead you are sending regardless if the browser wants it.

So in a case where you can properly cache static files in XenForo, using Early Hints can be an overall slowdown. You save maybe 50ms on the initial page view for the user, at a cost of 200ms on every subsequent page view by pushing static content down that the browser doesn’t need.

 

[RaptureForums]

I don’t personally use Early Hints with XenForo installs, because Early Hints (and pushing page resources down the network before they are asked for) has some issues when the content is static and properly cached in the user’s browser. You aren’t waiting for the browser to tell you if it already has that file cached, instead you are sending regardless if the browser wants it.

So in a case where you can properly cache static files in XenForo, using Early Hints can be an overall slowdown. You save maybe 50ms on the initial page view for the user, at a cost of 200ms on every subsequent page view by pushing static content down that the browser doesn’t need.

Ok, thank you. I'll just leave it turned off then.

 

[digitalpoint]

Is there anyone using this add-on that is not using Cloudflare Workers on their Cloudflare account?

Specifically, looking for someone to test something new on a Cloudflare account that has not already picked a Cloudflare Worker sub-domain (you can tell by going to your Cloudflare account, going to "Workers" tab and see if it asks you to choose a subdomain). Looking for someone that has NOT chosen a subdomain yet (don't choose one if you check to see if it asks you).

 

[sbj]

I haven't installed this addon so far and as far as I know I don't have that Cloudflare setting enabled.

If you need a dummy for testing and nobody else has it offered yet, I am volunteering for it.

 

[Hoffi]

I am serving data and internal_data from my S3 with an own domain. Will this handled? I don't need the Firewall Rule for internal_data, but the others are good.

Really Aesome AddOn!

 

[digitalpoint]

digitalpoint updated [DigitalPoint] Cloudflare with a new update entry:

Adds ability to use Cloudflare Worker for XenForo image proxy

• Ability to use a Cloudflare Worker as a backend image proxy to hide the origin server's IP address when XenForo's image proxy fetches the image
• Some minor cosmetic tweaks to Cloudflare lists of things in admin area

IMPORTANT for existing users: The setup of the Cloudflare Workers image proxy system requires a new permission for the API Token you use, you can go to your Cloudflare...

Read the rest of this update entry...

 

[Chromaniac]

so i am not using cloudflare worker. have no idea what it is to be used for (except that it seems to be a requirement for r2 somehow).
do i need to add that additional permission considering i would not be using that feature?

 

[digitalpoint]

so i am not using cloudflare worker. have no idea what it is to be used for (except that it seems to be a requirement for r2 somehow).
do i need to add that additional permission considering i would not be using that feature?

No, you only need that permission if you want to use the new option for using Cloudflare Workers for XenForo's image proxy to prevent your origin server's IP from being exposed via XenForo's image proxy. If you have no need for that feature, you don't need the new permission.

The new permission is only used if you go to the new Image proxy page in the XenForo admin (with the other Cloudflare config pages). You will get an error about missing the required permissions if you go there without granting the permission, but if you never go there, it doesn't matter.

 

[ivp]

as you move up in CF plans so does the network routing. I wrote on my blog benefits of Cloudflare Business plan which explains Cloudflare's CDN network prioritization as you move up from free to paid plans at https://blog.centminmod.com/2022/05/19/2794/what-are-the-benefits-of-using-cloudflare-business-plan/

Cannot find any document stating there is a difference in Network prioritization between Free, Pro and Business plans.

https://www.cloudflare.com/plans/#overview shows this feature is included in Enterprise plan only.

 

[eva2000]

Cannot find any document stating there is a difference in Network prioritization between Free, Pro and Business plans.

https://www.cloudflare.com/plans/#overview shows this feature is included in Enterprise plan only.

It's on their blog too https://blog.cloudflare.com/bandwidth-costs-around-the-world/.

CloudFlare has always optimized where we serve customers to take into account our effective costs. If you are a free customer using an excessive amount of expensive transit, we would serve you from fewer regions.

But plan compare page listed without network prioritization on non-enterprise plans, also implies the same - that non-enterprise plans routing isn't prioritized as well.

 

[digitalpoint]

They have mentioned network prioritization on their SEC S-1 filing from 2019:

For clarification, when things are working normally at Cloudlfare, network prioritization is the same for Free/Pro/Business. When they talk about network prioritization on their SEC filing, they are talking about if a Cloudflare data center is overloaded, they will route traffic through a different data center based on the plan they are on. Let's say your servers are physically in Los Angeles, the origin traffic might normally be routed through Cloudflare's Los Angeles data center. If that data center is degraded for some reason, they might route the traffic for lower tier plans through San Diego (as an example) temporarily.

When things are running normally, Enterprise plans are the only plans that truly have different backend network routes by default. Lower tier plans can buy into those routes with Cloudflare Argo.

At least that's my understanding...

 

[ivp]

SEC filling from 2019 does not correspond to current plan compare page, since it does not show "Good" and "Better" network prioritization for Pro and Business plans, but lack of it.

At the same time their support claims "Higher plans will have higher Network prioritization, this would be depending of the availability of our data centers on specific locations, as there could be locations unavailable usually due to network congestion, maintenance or other issues."

 

[digitalpoint]

SEC filling from 2019 does not correspond to current plan compare page, since it does not show "Good" and "Better" network prioritization for Pro and Business plans, but lack of it.

At the same time their support claims "Higher plans will have higher Network prioritization, this would be depending of the availability of our data centers on specific locations, as there could be locations unavailable usually due to network congestion, maintenance or other issues."

The only one that will really be able to answer what they mean by "network prioritization" in any context is Cloudflare themselves. Maybe in 2019, they treated each plan differently as far as network prioritization if a data center was degraded, and now they treat Free/Business/Pro the same? 3 years is an eternity in the tech world, so things will change.

Personally, I wouldn't worry too much about "network prioritization" on a network that has 142 Tbps of capacity.


The largest DDoS attacks recorded barely get over 1 Tbps, so there's plenty of network capacity to go around (you wouldn't even notice if Cloudflare was getting hit with DDoS/network congestion because they have a crazy amount of capacity).

My guess is that their network capacity is so large now that they don't even need to do network prioritization anymore. But someday if they ever need to (like there's some DDoS attack that's 100x larger than anything else that's ever been seen and it takes out half the Internet, they would prioritize Enterprise plans).

But again... only they could really tell you that (and they probably won't).

Edit: Found this https://community.cloudflare.com/t/network-prioritization-on-enterprise-plan/86836

 

[ivp]

The quote above is from their support.

Their analytics displays a list of (European) data centers serving our pages.

Data center first in the list is further away from our visitors than the one our server is hosted in, making our website slower!?

 

[digitalpoint]

The quote above is from their support.

Their analytics displays a list of (European) data centers serving our pages.

Data center first in the list is further away from our visitors than the one our server is hosted in, making our website slower!?

Are you certain you know which "visitors" were routed through that data center? How do you know it wasn't a spider or something that actually was physically closer to that data center? There's also (a lot) more factors for best network routes for traffic vs. the closest physical data center.

You can see which Cloudflare data center every network request is routed through, so if you wanted to test routing differences between a Free vs. Enterprise plan, check iolabs.io (my site that is on a Free plan) vs. cloudflare.com (I assume they use their own Enterprise plan for their own site).

From my servers that are physically in Las Vegas, both requests are routed through their Seattle data center (no different for a Free plan):

twin1:~ # curl -I iolabs.io
HTTP/1.1 301 Moved Permanently
Date: Sat, 09 Jul 2022 17:40:42 GMT
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Sat, 09 Jul 2022 18:40:42 GMT
Location: https://iolabs.io/
Server: cloudflare
CF-RAY: 7282d8a77e8e6820-SEA
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400



twin1:~ # curl -I cloudflare.com
HTTP/1.1 301 Moved Permanently
Date: Sat, 09 Jul 2022 17:40:45 GMT
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Sat, 09 Jul 2022 18:40:45 GMT
Location: https://www.cloudflare.com/
Set-Cookie: __cf_bm=V59hj1hbHahNMdENP0i5_1Cuudcplp8wuu8dxYRlylg-1657388445-0-AZAfFNc3e9f/sNqRL+AK4W2AXaUT/OP2u8XcfOH45GfgUFcLG3Xlz5cRzrNtkFoNuSzki0AflJonhU4hzpfOuZs=; path=/; expires=Sat, 09-Jul-22 18:10:45 GMT; domain=.cloudflare.com; HttpOnly; SameSite=None
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ECVWOXGWE38vR3Ppf23HsYoS4oj%2BwI4RrPQ7mF38h6x0Vx%2BficRvQ%2BS%2BYeK431gVD7qg6DG2CiTs93M9g3iC26ulqya7wRbSBqF3hhLU5G91cBU00T8f0bzTw9gcQOw3"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 7282d8b638ca08a5-SEA
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

From my computer at home (also in Las Vegas), both requests are routed through Los Angeles (also no different for a Free plan):

shawn@Panther ~ % curl -I iolabs.io
HTTP/1.1 301 Moved Permanently
Date: Sat, 09 Jul 2022 17:45:10 GMT
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Sat, 09 Jul 2022 18:45:10 GMT
Location: https://iolabs.io/
Server: cloudflare
CF-RAY: 7282df30bbfb0cdb-LAX
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400





shawn@Panther ~ % curl -I cloudflare.com
HTTP/1.1 301 Moved Permanently
Date: Sat, 09 Jul 2022 17:45:22 GMT
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Sat, 09 Jul 2022 18:45:22 GMT
Location: https://www.cloudflare.com/
Set-Cookie: __cf_bm=d0jf_YqAKfU.54C7y3yFXdq1jAO.ZFJsFMAF.A914wc-1657388722-0-AfZn3IWDb3jZM66h5dT2PAQgZqeq/QFIwcQwDWK8JAzjbsV1byIRmjwo+HvYtvT5y7KaTtH9IRp7Kpr9j5zHKqU=; path=/; expires=Sat, 09-Jul-22 18:15:22 GMT; domain=.cloudflare.com; HttpOnly; SameSite=None
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=fm8ccMIaHamB7%2BXb5GVTedTYq1yuYK3sa%2FlEEhy36rRD%2BbAOT5txIyUYz%2B7%2BJbbsUEQPIu%2BmAOUKQ7C1K9nFbTZFdc0%2BC5cttZHTjuCah6jBYEKMBxcs6Kp3uFIjkKa9hKn1UOL0TE20s7pt"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 7282df78e88e7d68-LAX
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

All that and Cloudflare has a data center in Las Vegas. However, the networks that the data center is peered with doesn't necessarily make it the fastest data center to reach. My home Internet is via Cox and it's faster for them to connect to Cloudflare's Los Angeles data center. My servers are on a different network where the fastest connection is through Seattle.

So just because someone is physically closer to a data center, it doesn't necessarily mean it's faster to go there via the network.

Cloudflare uses Anycast for routing, which automatically routes the network request to the best data center automatically (and that may not be the one physically closest). Can read up on it if you are really bored: https://en.wikipedia.org/wiki/Anycast