Xenforo Proxy Service

[MySiteGuy]

If you use Cloudflare or another DDOS protection service, that service alone is not enough!

Your server's IP address will "leak" if your server sends email directly, users link to outside sites or users paste URLs of external images.

The first area, email: To protect your IP address from leaking through email, I recommend mxroute.com for smaller sites and Amazon Simple Email Service for larger sites. But no matter what you pick, don't deliver email directly from your server!

Our Xenforo Proxy Service takes care of the second area where your server's IP address leaks: fetching external resources. Both Xenforo's URL Unfurl and external image features result in Xenforo connecting to the outside resource. All an attacker has to do is register on your site and create a thread with an external link or image pointing to a server they control and they now have your server's IP address!

Our proxy service routes these fetches through one of our servers. An attacker will see our proxy's IP address instead of your server's IP address. This helps to prevent them from determining your server's IP address. In the event someone attacks our proxy, your forum stays operational!

The cost is $5/month with no hard fetch limits, for a single Xenforo installation.

We require you enable Xenforo's image proxy cache to avoid popular threads from continuously slamming the proxy. After you purchase, we will email you complete setup instructions.
See: https://driven2services.com/store/xenforo-forum-proxy-service.29/

 

[KensonPlays]

What would be the difference between using this and my Google Workspace business account for email?
We're hosted on a VPS with proxies enabled locally.

 

[MySiteGuy]

This is not for the email side of things. Its for protecting against IP address leaks from Xenforo's url unfurl and image linking features. Using Google Workspace, Amazon SES, or most other email providers protects from leaking IP addresses through email.

If your Xenforo is not setup in config.php to use an external proxy with something like below, then it is not protected:

$config['http']['proxy'] = 'http://proxyurloripaddress';

 

[KensonPlays]

This is not for the email side of things. Its for protecting against IP address leaks from Xenforo's url unfurl and image linking features. Using Google Workspace, Amazon SES, or most other email providers protects from leaking IP addresses through email.

If your Xenforo is not setup in config.php to use an external proxy with something like below, then it is not protected:

$config['http']['proxy'] = 'http://proxyurloripaddress';

Hmm, we're such low traffic, only 15 members at the moment, probably not a super high priority at the moment. But this is mostly for IP mitigation or?

 

[MySiteGuy]

It's there to prevent IP address leaks. Attempts to post links or images will leak at worst the proxy's exit IP address. If they attack that, we have it firewalled against inbound connections. Worst case if they hit the proxy with a massive enough DDOS attack to saturate it's firewall, your forum would still operate.

 

[oO5 Dynasty]

It's there to prevent IP address leaks. Attempts to post links or images will leak at worst the proxy's exit IP address. If they attack that, we have it firewalled against inbound connections. Worst case if they hit the proxy with a massive enough DDOS attack to saturate it's firewall, your forum would still operate.

Is this normal for websites?
I'm by no way an internet security expert at all, but shouldn't these potential harms be reported to xenforo staff.
I def would not know about these potential DDOS attacks, by members just linking an image.

Xenforo's url unfurl and image linking features

Just a basic website feature and function, can cause potential ip leaks

IP address leaks from Xenforo's url

 

[KensonPlays]

<snip>
We don't use CloudFlare (we run on a VPS, not shared hosting), but have the proxy turned on. Will we be at risk if its on? Or if we turn it off would we be at less risk?
Trying to see what the next few addons might be once we have the funds.

 

[MySiteGuy]

Is this normal for websites?
I'm by no way an internet security expert at all, but shouldn't these potential harms be reported to xenforo staff.
I def would not know about these potential DDOS attacks, by members just linking an image.


Just a basic website feature and function, can cause potential ip leaks

Xenforo is aware of this, and it's why they provide two ways around it:

1. Disable two handy features: Unfurl and image caching features.

Invision did this, completely removing their image caching. The risk there is if an external site deletes the image, the image is gone from the post. Remember when Photobucket did that? Xenforo's image cache saves your from that kind of awful situation.

2. Use a proxy service like I'm offering.

 

[MySiteGuy]

<snip>
We don't use CloudFlare (we run on a VPS, not shared hosting), but have the proxy turned on. Will we be at risk if its on? Or if we turn it off would we be at less risk?
Trying to see what the next few addons might be once we have the funds.

If you site is not behind a service like Cloudflare, Sucuri, etc., then this service will not be of use because your server's IP address is public and can already be attacked directly.

 

[MySiteGuy]

Is this normal for websites?

About this, yes, it's normal. Most software out of the box is going to leak the server's IP address if it does any external connections. WordPress, for instance, will leak IP addresses via email unless you install an SMTP add-on and route email through an external email provider.

I would say the bulk of forum, content management systems, e-commerce and blog software can leak IP address. It's not that they are bad or they have poor security. Rather, its that outbound connections are required for some basic functions, and DDOS protection is generally done though external service providers.

 

[hellreturn]

Invision did this, completely removing their image caching. The risk there is if an external site deletes the image, the image is gone from the post. Remember when Photobucket did that? Xenforo's image cache saves your from that kind of awful situation.

Are you sure about that? I thought that feature is still available in IPS.

 

[MySiteGuy]

Are you sure about that? I thought that feature is still available in IPS.

As of version 4.5.2 it was removed (Sept 2020). From their release notes:

"ImageProxy has been removed. On upgrade, there is an option to restore the original remote image links, or direct links to the cached image which will be retained."

 

[Lee]

Hi @MySiteGuy - is this compatible with xenForo cloud?

 

[MySiteGuy]

It requires adding a line to Xenforo's config.php file pointing to the proxy server. I don't think you can edit this directly with their cloud product. They might add the line for you, but I don't want to speak for them on this matter.

You'd also need to use Cloudflare (free) or other CDN in front of your forum if you aren't already.

 

[Black Horse Off Road]

This is not for the email side of things. Its for protecting against IP address leaks from Xenforo's url unfurl and image linking features. Using Google Workspace, Amazon SES, or most other email providers protects from leaking IP addresses through email.

If your Xenforo is not setup in config.php to use an external proxy with something like below, then it is not protected:

$config['http']['proxy'] = 'http://proxyurloripaddress';

how is it possible to work with https if it is a normal http proxy & how to setup an https proxy ? (will it work with cloudflare ssl or it will conflict?)

 

[MySiteGuy]

how is it possible to work with https if it is a normal http proxy & how to setup an https proxy ? (will it work with cloudflare ssl or it will conflict?)

It does not connect through Cloudflare... they are an inbound proxy. This is an outbound proxy. Your server outbound requests connects to my proxy, and my proxy connects to the outside server where the image is.