Legit Members getting blocked by CloudFlare on /preview /edit-save /save-draft

[Alpha1]

Since switching to CloudFlare I have been getting feedback from ranking members that they get infinite captchas on the following pages:

/edit-save
/preview
/save-draft

When looking in the cloudflare admin panel I see that the above pages trigger about 30 rules.
What makes the issue more problematic is that often the CloudFlare popups appear in XenForo modals and html is shown instead of a normal page.

I know this is essentially a CloudFlare issue. Though its not unique to CloudFlare: we had a very similar issue with StackPath (Formerly MaxCDN) captchas & html in xenforo modals.

Of course guests and new members are less likely to report such issues and I don't know if there are other pages triggering the same. It's likely a lot stays under the radar as people generally just go away if they encounter issues. So its unknown how many valid users are getting blocked by CloudFlare.

Does anyone have any idea how to address this? Or what may cause this?

I am using XF1.5.21 on centminmod /PHP7.2.8

I know that I need to address this with CloudFlare about this as well, but they seem oblivious about XF. As many XenForo sites as well as XenForo.com is using CloudFlare I am wondering what others think or have experience with.

 

[Xon]

I use page rules to only have some parts of the site (login/registration/etc) on 'high' settings while everything else is a lower security threshold

 

[DragonByte Tech]

mod_security has similar issues, I've had to disable a whole bag of rules to make it work on vB and XF.


Fillip

 

[eva2000]

using Cloudflare with Centmin Mod too for my forums and don't think i ran into such issue. But depends on your type of visitors/members you have on your forums I guess. What security level do you have set in Cloudflare ? I set mine to Medium

What Security Level should I select?
The Security Level you choose will determine which visitors will be presented with a challenge page. We recommend starting out at Medium.

• Essentially off: Challenges only the most grievous offenders
• Low: Challenges only the most threatening visitors
• Medium: Challenges both moderate threat visitors and the most threatening visitors
• High: Challenges all visitors that have exhibited threatening behavior within the last 14 days
• I’m Under Attack!: Should only be used if your website is under a DDoS attack
  • Visitors will receive an interstitial page while we analyze their traffic and behavior to make sure they are a legitimate human visitor trying to access your website

Note: I’m Under Attack! may affect some actions on your domain. For example, it may block access to your API. You can set a custom security level for any part of your domain using Page Rules.

Additional Resources
What does Cloudflare's Security Level mean?

but like @Xon stated, you can have page rules setup for those specific urls to have a low or no challenges seeing as they're already members or need to be to edit posts etc.