[DigitalPoint] App for Cloudflare® 1.8.2

[digitalpoint]

View attachment 280121

Weird (and not sure if helpful) but on this particular existing advert slot, if I remove both <script> references, it will then save. Curious, I then went to the Page Container template since I know it has multiple file references and tried to edit it and get the same error. If I go something else within the CP to edit like a reaction, phrase, etc... they all save fine without issue.

That looks like a permission issue on the web server itself. The request never makes it to XenForo (otherwise you would see a message from XenForo, but that HTML isn't a XenForo error, that's a LightSpeed error). LightSpeed isn't even passing the request to the application (XenForo) it looks like.

Are you still getting the error? Maybe it's transient and the web server worked itself out somehow?

 

[Svoboda]

That looks like a permission issue on the web server itself. The request never makes it to XenForo (otherwise you would see a message from XenForo, but that HTML isn't a XenForo error, that's a LightSpeed error). LightSpeed isn't even passing the request to the application (XenForo) it looks like.

Are you still getting the error? Maybe it's transient and the web server worked itself out somehow?

Yep, still getting it. I will reach out to my host. It's shared hosting so it is definitely possible they have changed something.

 

[digitalpoint]

Changing the name/logo of the add-on to be sure I'm on the right side of Cloudflare as far as trademarks go.

Have been tossing around the idea of a WordPress version, at which point there would be a lot more users. So better to get ducks in a row before that (if it) happens.

If anyone wants to think of a better name, feel free. Not exactly the most amazing name. haha

 

[Chromaniac]

please post here whenever you end up releasing the wordpress addon!

 

[digitalpoint]

It's a long ways off. First of all, I hate WordPress and I hate coding for it. I also don't really use WordPress beyond a couple decades old sites I just keep for archive purposes, so it's hard to really get into something I don't need myself.

That being said, there technically is a plugin. It's just not ready to even be enabled yet though (much less do much of anything useful). hah



If I ever get it done, I'm sure I'll mention it here.

 

[JoyFreak]

Found a bug: having the option “Registration & contact forms are an overlay” enabled or disabled doesn’t have an effect on the contact form. Opens in new page either way.

 

[digitalpoint]

Ick... it's been fixed for next version.

 

[Mike Fara]

In the admin.php I am getting some annoying issues where I can't update the PAGE_CONTAINER template. When I go to submit and hit F12, I get a 5** error and:

       <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2>

            <p data-translate="blocked_why_detail">This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data.</p>
          </div>

          <div class="cf-column">
            <h2 data-translate="blocked_resolve_headline">What can I do to resolve this?</h2>

            <p data-translate="blocked_resolve_detail">You can email the site owner to let them know you were blocked. Please include what you were doing when this page came up and the Cloudflare Ray ID found at the bottom of this page.</p>
          </div>
        </div>

I have tried to set page rules to disable the security for the admin section, but alas I am locked out from making edits I need to make.

 

[digitalpoint]

Check your Cloudflare settings (specifically under Cloudflare dashboard -> Security -> Settings. It sounds like you might have your Security Level on your zone set too high. Unless you have a specific reason to do otherwise, set it to Essentially Off. Basically the higher you set it, the more problems you are going to cause for yourself and users.

Personally, I have 27 zones/sites in my Cloudflare account, and not a single one is set to anything other than Essentially Off.

In your case, Cloudflare sees you submitting a form that contains the PAGE_CONTAINER template (which is a whole lot of HTML and JavaScript). If that was a "normal" form like a post or something, it could be someone trying to inject code into your site via an exploit so based on your Security Level settings, you were blocked based on the content of the form you were submitting.

Like I said... unless you have a reason to do otherwise, stick with Essentially Off. Mostly (not entirely, but mostly), the Security Level is there to protect users from websites that are full of exploits. XenForo is not that, so you end up outsmarting yourself when you are doing things like editing templates with code in it.

 

[Mike Fara]

Check your Cloudflare settings (specifically under Cloudflare dashboard -> Security -> Settings. It sounds like you might have your Security Level on your zone set too high. Unless you have a specific reason to do otherwise, set it to Essentially Off. Basically the higher you set it, the more problems you are going to cause for yourself and users.

Personally, I have 27 zones/sites in my Cloudflare account, and not a single one is set to anything other than Essentially Off.

In your case, Cloudflare sees you submitting a form that contains the PAGE_CONTAINER template (which is a whole lot of HTML and JavaScript). If that was a "normal" form like a post or something, it could be someone trying to inject code into your site via an exploit so based on your Security Level settings, you were blocked based on the content of the form you were submitting.

Like I said... unless you have a reason to do otherwise, stick with Essentially Off. Mostly (not entirely, but mostly), the Security Level is there to protect users from websites that are full of exploits. XenForo is not that, so you end up outsmarting yourself when you are doing things like editing templates with code in it.

Thanks @digitalpoint . Turns out I just had to whitelist my IP and its all good right now. TY for the awesome add-on as well. It truly is fantastic.

 

[digitalpoint]

Ya, that was going to be my next suggestion... if you can't lower your security level for some reason (although if you are running just XenForo, I'd say you don't need a high security level), you can whitelist by various things (including IP).

 

[Mr. Jinx]

Just an idea... I read your Cloudflare optimization topic which is very helpful.
Why don't you merge these recommendations into this add-on?

For example, in ACP -> Cloudfare -> Settings -> 0-RTT Connection Resumption
If you could add a description, which setting is recommended, that would be awesome.

 

[digitalpoint]

Ya, was thinking about adding an “Easy Mode” button that does some auto config for people.

 

[Mike Fara]

While not exactly plugin related, has anyone seen the issue where someone attempts to post something and they get "Oops. We ran into some problems." It looks like they may be getting an invisible challenge or otherwise being blocked by Cloudflare from posting, but I can't for certain find it in the security logs.

 

[digitalpoint]

Probably the same issue you had in the admin where you set your security level for the zone too high. Users can’t answer challenges on HTTP requests that are things like AJAX requests in this case. Like I said before, I’d set it to Essentially Off and then move it from there if you have a specific reason to. The higher you set it, the more problems you will have for yourself and users.

 

[Mike Fara]

Probably the same issue you had in the admin where you set your security level for the zone too high. Users can’t answer challenges on HTTP requests that are things like AJAX requests in this case. Like I said before, I’d set it to Essentially Off and then move it from there if you have a specific reason to. The higher you set it, the more problems you will have for yourself and users.

I fixed it by setting to lowest security setting (Essentially Off) and disabling the WAF managed rulesets. This seems to have fixed it instantly.

May I ask one more thing. For the R2 data bucket, what folders from data/ are supported out of the box? Id like to clean up some of this from the server and reduce storage usage. What I did was use rclone to move the whole dir, but I'm not confident which folders/subdirs are supported by default.

 

[digitalpoint]

Everything in data is supported.

 

[Alpha1]

One thing that I would find extremely useful is an overview of XF members that hit a WAF rule, challenge or block. CF is great to mitigate threats, but it can also greatly bother your users without you knowing. And thus cause you loss of activity. I had one user complain that he got a challenge on every page load. I was happy that he sent me a convo, because otherwise I would have lost this member. I'm sure there are more like him, but thats impossible to find as there currently is no way to see which users are xf members in CF events.
It would be great to be able to see which members encounter cloudflare hurdles and why.

Is this or something alike something you would be interested to add?

 

[digitalpoint]

Well it’s kind of back to the security level thing. Besides annoying users and making your site not work as expected, what exactly is your reason for wanting to set it to a level beyond Essentially Off? Even though it’s called “security” it’s not really what it is. It’s more like “how many challenges do you want to present to users when you aren’t asking for one?” A little, a medium amount, a lot or an absurd amount…

XenForo already has captchas where needed, so what you are doing it adding them in random places you aren’t intending them to be.

 

[Alpha1]

Basically years long persistent DDoS large enough to take part of my country down. My previous host kicked me out because too many companies were getting angry with them for allowing part of the country to go down. They asked me which country regime I angered as this level of attack was way beyond the scope of any regular actor.

I did get a lot of help from @MattW , @Xon @eva2000 , @AzzidReign to get it all sorted for which I am really thankful.

Fail2ban CF integration combined with advanced WAF tuning has resolved the situation, but I'm really carefully balancing between blocking malicious users and trying not to bother valid users.