[DigitalPoint] App for Cloudflare®

[DigitalPoint] App for Cloudflare® 1.8.2

Well, security level is more for mitigating things like bots looking for exploits. All but the tiniest/undetectable DDoS attack is going to be blocked regardless of your security level.

That being said, you can also fine tune your security level (if you haven't already done so) with Configuration Rules. For example, maybe you want to override Security Level to be Essentially Off if the visitor is logged into an account or they are in the US or Canada (just showing examples of what you could do... only you are going to know what mitigates your DDoS attacks).


I'd guess someone trying to DDoS attack you isn't doing so from a registered/logged in user account on each request.

You can also do the logic in reverse... like maybe default security level to Essentially Off, but then crank it up in certain cases... for example if the request is coming across Tor.

Anyway, lots of different things you can do with Configuration Rules if you aren't already.
 
Yes, that is my point. You can use rules in lots of ways to block malicious users, hackers, spammers, trolls, etc. However, it would be useful to see which xf members are getting hassled or blocked by these. That visibility would allow us to fine tune the rules instead of being blind to it.
 
Well the problem is if they are blocked, the request never gets to the application (XenForo), so we don't know who they are (as a user). If they are blocked, it's usually based on IP, so if that user's HTTP requests that use that IP never get logged by XenForo (since the request never made it to XenForo), there's not a way to know which user made the request. You would be limited to using the IP address of the Cloudflare event log, which isn't going to correlate to an IP that existing users used normally because XenForo never saw the request (you aren't able to pull things like cookies from request in the event log).
 
^^but can you pull any such insights in from CF? i.e., filter on cookie (logged in), and any CF blocks users may be receiving.
 
Well the problem is if they are blocked, the request never gets to the application (XenForo), so we don't know who they are (as a user). If they are blocked, it's usually based on IP, so if that user's HTTP requests that use that IP never get logged by XenForo (since the request never made it to XenForo), there's not a way to know which user made the request. You would be limited to using the IP address of the Cloudflare event log, which isn't going to correlate to an IP that existing users used normally because XenForo never saw the request (you aren't able to pull things like cookies from request in the event log).
That depends on the configuration. If they are not blocked but get a challenge instead, then they will likely pass.
 
Well you aren’t going to get great data based purely on IP. You could probably look to see if the cf_clearance cookie exists on the request and do whatever you want to do at that point (like log it). But trying to correlate purely on IP is going to give you a lot of false positives as well as false negatives.
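
The cookie check suggested in the post above, as an added example that is not part of the original thread or the add-on's code: it scans origin access-log lines for requests that carry a cf_clearance cookie and groups them by the XenForo user id found in the same Cookie header. The log format, the default `xf_` cookie prefix and the `<id>,<key>` layout of `xf_user` are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample: client IP, request line, status, Cookie header.
# This log format is an assumption; adapt LINE_RE to your server's format.
SAMPLE_LOG = """\
203.0.113.7 "GET /forums/ HTTP/1.1" 200 "xf_user=1042%2Cabc123; cf_clearance=tok1"
203.0.113.7 "GET /threads/1/ HTTP/1.1" 200 "xf_session=zzz"
198.51.100.9 "GET /forums/ HTTP/1.1" 200 "xf_user=77%2Cdef456"
198.51.100.20 "GET /forums/ HTTP/1.1" 200 "xf_user=1042%2Cabc123; cf_clearance=tok2"
192.0.2.55 "GET /forums/ HTTP/1.1" 200 "cf_clearance=tok3"
192.0.2.56 "GET / HTTP/1.1" 200 "-"
"""

LINE_RE = re.compile(r'^(\S+) "[^"]*" \d{3} "([^"]*)"$')


def parse_cookies(header):
    """Split a raw Cookie header into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def xf_user_id(cookies):
    """User id from xf_user, assumed to be '<id>,<key>' (URL-encoded).
    The value is not validated here, so treat it as a hint, not as proof."""
    uid = unquote(cookies.get("xf_user", "")).split(",", 1)[0]
    return int(uid) if uid.isdigit() else None


def challenged_members(log_text):
    """Map user id -> set of IPs for requests carrying cf_clearance,
    plus a count of such requests that had no xf_user cookie."""
    members, guests = {}, 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cookies = parse_cookies(m.group(2))
        if "cf_clearance" not in cookies:
            continue
        uid = xf_user_id(cookies)
        if uid is None:
            guests += 1
        else:
            members.setdefault(uid, set()).add(m.group(1))
    return members, guests
```

In the sample, user 1042 shows up with a clearance cookie from two different IP addresses, which is the case that correlating on IP alone would miss.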
 
Has anyone got the courage to delete their local files after moving to R2?
I did and it worked. I had one add-on that keeps stuff in data so I couldn't delete the whole thing, but it's an old add-on. Deleting all the default folders worked. I did move them to .old first, just to see what would happen. So far so good.
 
I haven’t run into any problems with R2 whatsoever myself. Cloudflare isn’t exactly a low end web hosting provider. They have close to 300 data centers and data is replicated to multiple.


The core of what makes Object Storage great is reliability — we designed R2 for data durability and resilience at its core. R2 will provide 99.999999999% (eleven 9’s) of annual durability, which describes the likelihood of data loss. If you store 1,000,000 objects on R2, you can expect to lose one once every 100,000 years — the same level of durability as other major providers. R2 will be resistant to regional failures, replicating objects multiple times for high availability.

Now that doesn’t mean a user couldn’t accidentally delete an attachment or an avatar or something else unintentionally. If they have the permissions to do so, and they do… it’s gone just as if it was local storage.

I’ve actually been thinking about that and how many times a user deleted something that was so important I needed to go fish through a backup to retrieve it. It’s been exactly zero times ever spanning multiple decades and multiple sites. And there really isn’t anything so mission critical that I’m thinking about even foregoing backing up data that resides in R2. I can live with one avatar or attachment per 1,000,000 being lost every 100,000 years on average.

Your data might be more important than mine though… 🤷🏻‍♂️
 
Question: Since enabling the guest cache (I believe this to be the cause but cannot fully confirm), users are getting in Edge and Firefox (but not Chrome):

The active user has changed. Reload the page for the latest version.

On the forum index.

I am able to reproduce the issue fairly easily by exiting the browser and reloading the browser.

F5 or Ctrl-F5 seems to resolve the issue until I close the browser and re-open the main page again.

Is there a workaround or fix for this?

Update: Disabling the guest page cache seems to oddly enough resolve the issue. It looks like the forum does not recognize they're logged in until they refresh when it is turned on.
 
It's a long-standing issue with service workers in some browsers. The service worker process (which is what XenForo uses to do trickery like show you a message if the website is offline) intercepts some fetch() requests, makes sure the site is online, and if it's not, serves up a message about it (it does other things too, but that's an example).

Anyway, the service worker is typically a background process that runs in the browser even when the site isn't open in a browser window (this is important for the context of the browser bug/issue).

Now... if a browser is closed and then reopened, the service worker process restarts from scratch, and this is where you see the issue. The service worker process doesn't include any cookies on its first HTTP request for some bizarre reason, but does on subsequent requests. It's been an issue for a long, long time in browsers, but that's what you are seeing... the service worker that XenForo uses sends its first request (again, only when the entire browser starts fresh) with no cookies (and no logged in user).

Like I said, there's been a ton of discussion about it in different products and browsers, but it ultimately comes down to the same issue (that the service worker is not including cookies in its first request when the browser restarts):



I've been trying to figure out a workaround for it, but so far I have nothing since it's fundamentally a browser issue.
 
This is the best explanation I've ever heard about this issue. I have just disabled guest cache for now until there is some workaround. From my benchmarking there is very little discernible difference as the rest of the content is still heavily being cached and I also started using Better Analytics + the FontAwesome add-on. I think primarily most of the page rendering issues people may have had globally have already been solved. It would be nice to have, but it's not a deal breaker if it's a browser design flaw. Thank you.
 
Hi,

When I uploaded attachments through articles and I copied & pasted them into an email or post on different forums, it doesn't show up. Has this something to do with CF? Some forums would show my attachments copied directly and others wouldn't. Don't really know the cause of this. I'm guessing it has to do with proxy or cache?
 
Copy/pasting an image shouldn’t be affected by Cloudflare if that’s what you are doing
Well, I wrote a newsletter, used attachments, copied and pasted it to a different forum and those images appear as a red cross.

Same with /promotional dir where I have uploaded promotional signatures.

No hotlink is enabled though.
 
Ya not sure… hard to say what’s going on without a URL where you see it.

But to answer your question, this addon is not going to do what you are seeing. All it does is manage Cloudflare settings. If you have Cloudflare set up to do something like that, you will want to fix it in your Cloudflare account.
 
Ya not sure… hard to say what’s going on without a URL where you see it.

But to answer your question, this addon is not going to do what you are seeing. All it does is manage Cloudflare settings. If you have Cloudflare set up to do something like that, you will want to fix it in your Cloudflare account.
Well I was hoping you'd know what setting it was that caused this. But thanks, I'll look into it.
 