[DigitalPoint] Cloudflare

[DigitalPoint] Cloudflare 1.3.0


AzzidReign

Well-known member
I downloaded a backup, it downloaded as "admin.php" with 0kb of data and 0 lines of data. Is there something that needs to be done specifically to be able to download aside from clicking download?

Also, any advice on a cf rule - I have users with massive tutorial threads and they always need me to update them bc the firewall always gets triggered, having them confirm they are human, but once confirmed, the page gets all screwed up and they aren't able to edit their thread. I'm not good at figuring these things out so if you have any advice, I'd kindly appreciate it.
 

digitalpoint

Well-known member
> I downloaded a backup, it downloaded as "admin.php" with 0kb of data and 0 lines of data. Is there something that needs to be done specifically to be able to download aside from clicking download?

No, that's it. If you are getting what you are seeing, my guess is that something is intercepting the request upstream (maybe Cloudflare itself if it's trying to verify you are a human for example).

> Also, any advice on a cf rule - I have users with massive tutorial threads and they always need me to update them bc the firewall always gets triggered, having them confirm they are human, but once confirmed, the page gets all screwed up and they aren't able to edit their thread. I'm not good at figuring these things out so if you have any advice, I'd kindly appreciate it.

I'd check the Security Level for your Cloudflare zone... if you have the security level higher than is necessary, you'd see both of those things (real humans needing to verify they are human and things like downloads not working because there's something the user needs to do to verify they are human, but the user never sees it).

Your best option with the zone's Security Level is to set it to the lowest option, and then raise it as needed (if you need it). Working the other way around (setting it higher than necessary) will cause unnecessary problems. As an example, all my sites are set to Essentially off, except when there's an active attack happening, then it's raised as necessary temporarily.
 

AzzidReign

Well-known member
> No, that's it. If you are getting what you are seeing, my guess is that something is intercepting the request upstream (maybe Cloudflare itself if it's trying to verify you are a human for example).

I'm whitelisted as well as our server so it's weird if it's trying to verify my downloading it. :/

> I'd check the Security Level for your Cloudflare zone... if you have the security level higher than is necessary, you'd see both of those things (real humans needing to verify they are human and things like downloads not working because there's something the user needs to do to verify they are human, but the user never sees it).
>
> Your best option with the zone's Security Level is to set it to the lowest option, and then raise it as needed (if you need it). Working the other way around (setting it higher than necessary) will cause unnecessary problems. As an example, all my sites are set to Essentially off, except when there's an active attack happening, then it's raised as necessary temporarily.
Ok, I have mine set to low. I've tried setting up a page rule with:

And set everything I could find for security measures to off, including security and browser integrity checks and still get an error. And it's only on a thread that's extremely large like this one:

Any other thread of normal size doesn't get the error.

As I typed this up and tested a bunch of stuff, I set the security to "essentially off" and still getting complaints. Unless it takes a while to update, I have 2 people (moderators) who've confirmed they still can't edit the large threads.

This is what they are seeing.

[Attached image: e1aff1a19960b907fbc74c4ee7db83f4.png]
 

digitalpoint

Well-known member
Ya that’s a Cloudflare security issue from the page source. Why it’s getting triggered, I’m not sure though. I’d go through everything. You can override security with Page Rules for example (maybe something is setting it high on a per request basis?)
 

AzzidReign

Well-known member
> Ya that’s a Cloudflare security issue from the page source. Why it’s getting triggered, I’m not sure though. I’d go through everything. You can override security with Page Rules for example (maybe something is setting it high on a per request basis?)
Thanks for the insight. I'll take a look around.
 

WoodiE

Well-known member
@digitalpoint it's been said some day XF is going to include Cloudflare Turnstile support, but any chance you'll be rolling your version out with this plugin?
 

nodle

Well-known member
@AzzidReign I don't know if you got this fixed or not, but check under security and see if you have 'Browser Integrity Check' enabled, I think it can produce some of the things I am seeing above in your photo.

What is Browser Integrity Check?

Browser Integrity Check looks for requests with HTTP headers commonly used by spammers, bots, and crawlers such as requests with a missing or non-standard user agent. If a threat is found, Cloudflare will present a block page.

Note: Browser Integrity Check may affect some actions on your domain. For example, it may block access to your API. You can selectively enable or disable this feature for any part of your domain using page rules.
 

digitalpoint

Well-known member
> @digitalpoint it's been said some day XF is going to include Cloudflare Turnstile support, but any chance you'll be rolling your version out with this plugin?

Probably not to be honest. I have it working on my end, but I’m waiting for the next version of XenForo that has Turnstile built in so I can figure out what I need to remove from my addon before I release it (I’m going to support some stuff that won’t be in the default XF implementation like using the API to set up the Turnstile site in Cloudflare).

Doesn’t really make sense to release it now knowing that any day XenForo’s implementation is coming out. Then I have to write updater code to switch users from my implementation to XenForo’s. I’d rather keep it simple. 😀
 

WoodiE

Well-known member
> Probably not to be honest. I have it working on my end, but I’m waiting for the next version of XenForo that has Turnstile built in so I can figure out what I need to remove from my addon before I release it (I’m going to support some stuff that won’t be in the default XF implementation like using the API to set up the Turnstile site in Cloudflare).
>
> Doesn’t really make sense to release it now knowing that any day XenForo’s implementation is coming out. Then I have to write updater code to switch users from my implementation to XenForo’s. I’d rather keep it simple. 😀
Understood and it makes sense on your part for sure. I just don't have the same feeling of "any day" ;)
 

digitalpoint

Well-known member
If you want to do something in Cloudflare based on a decision fail2ban makes, you would need to do it the other way around... fail2ban would need to be the thing triggering the action. I don't know the ins and outs of fail2ban, but how exactly would the addon get notified of things fail2ban is doing? If fail2ban has a notification system, it probably makes more sense to hook directly into that to do whatever action in Cloudflare you want to do.
 

madness85

Active member
> If you want to do something in Cloudflare based on a decision fail2ban makes, you would need to do it the other way around... fail2ban would need to be the thing triggering the action. I don't know the ins and outs of fail2ban, but how exactly would the addon get notified of things fail2ban is doing? If fail2ban has a notification system, it probably makes more sense to hook directly into that to do whatever action in Cloudflare you want to do.

Think I did ask you about this before? My memory is a little bad lol.

I have it set up similar to this https://technicalramblings.com/blog...ion-with-automated-set_real_ip_from-in-nginx/

The issue I'm having is that the IP bans aren't showing in your addon. I actually need to log in to Cloudflare to remove the ban.

I would love everything to be controlled via your addon, but I'm not sure on what to do.
 

digitalpoint

Well-known member
If you want IP blocks to show up in the addon, when you create them, make sure you are creating the IP block in Cloudflare for the website's zone (domain). IP blocks that are global (for your entire Cloudflare account/all domains) won't show up in the add-on. It's intentional because there are cases where someone might have 100+ domains, and having all the rules for all the domains mixed into the add-on's interface for the one website gets to be very convoluted trying to find a specific rule for the zone.
 

madness85

Active member
> If you want IP blocks to show up in the addon, when you create them, make sure you are creating the IP block in Cloudflare for the website's zone (domain). IP blocks that are global (for your entire Cloudflare account/all domains) won't show up in the add-on. It's intentional because there are cases where someone might have 100+ domains, and having all the rules for all the domains mixed into the add-on's interface for the one website gets to be very convoluted trying to find a specific rule for the zone.

So I would need to create an API key for each website (not global) on Cloudflare and somehow edit cloudflare-apiv4.conf to send to them individually?
 

digitalpoint

Well-known member
> So I would need to create an API key for each website (not global) on Cloudflare and somehow edit cloudflare-apiv4.conf to send to them individually?
You can create a scoped key (just specific permissions) that spans multiple zones (domains). That’s probably your best option so you don’t need one for every domain.

No clue what cloudflare-apiv4.conf is though, so can’t help much there.
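
Added example, not part of the thread and not code from the add-on or from fail2ban: a sketch of what a ban hook could send so that each block is created per zone (and so is listed for that site) using one scoped token for several zones. The zone IDs, token and function names are placeholders/hypothetical, and the token is assumed to be allowed to edit firewall access rules on those zones.

```python
import ipaddress
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"

# Placeholders (assumptions): one scoped API token, several zone IDs.
TOKEN = "SCOPED_API_TOKEN_PLACEHOLDER"
ZONES = ["ZONE_ID_SITE_A", "ZONE_ID_SITE_B"]


def access_rule_request(zone_id, token, address, note="fail2ban"):
    """Build (do not send) a zone-level IP Access Rule 'block' request.

    The path is /zones/<id>/...; rules created under /user/... or
    /accounts/<id>/... instead apply account-wide, which is the "global"
    kind of block described in the thread.
    """
    # Validate what came out of the log line; raises ValueError on garbage.
    ip = ipaddress.ip_address(address)
    body = {
        "mode": "block",
        "configuration": {
            "target": "ip6" if ip.version == 6 else "ip",
            "value": ip.compressed,
        },
        "notes": note,
    }
    return urllib.request.Request(
        f"{API}/zones/{zone_id}/firewall/access_rules/rules",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


def ban_in_zones(zone_ids, token, address, send=False):
    """One request per zone, all authenticated with the same scoped token."""
    reqs = [access_rule_request(z, token, address) for z in zone_ids]
    if send:  # off by default so the example runs offline
        for req in reqs:
            with urllib.request.urlopen(req, timeout=10) as resp:
                json.load(resp)
    return reqs


if __name__ == "__main__":
    # 203.0.113.7 is a constructed documentation address.
    for r in ban_in_zones(ZONES, TOKEN, "203.0.113.7"):
        print(r.get_method(), r.full_url, r.data.decode())
```

Removing a ban is the matching DELETE on the same zone path with the rule's ID appended, which is why a rule created account-wide cannot be managed from a per-zone view.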
 