Fixed XF 2.3 is broken when Cloudflare's Rocket Loader is enabled

Moshe1010

Well-known member
Affected version
2.3
It doesn't happen with XF 2.2, just with XF 2.3. It also doesn't break any other platform I'm using on the server (WordPress for example), just XF 2.3 for some reason.

It causes the following:

1. Impossible to rebuild templates/add-ons – It's stuck on "processing"

2. The editor is completely broken

3. Passkeys don't work (cannot log in to a user/admincp)
 
We are potentially looking at disabling Rocket Loader within XF itself. For now, yes, you will need to disable it manually.

If you do not wish to disable it site wide, you should be able to disable it just for your forum using page rules to exclude it only on certain URLs, e.g. https://xenforo.com/community/*
 
Would it be worth adding a page to the docs about optimised Cloudflare integration Chris?

For example, what you've just added would be very useful.

But additionally you could include any recommended WAF rules, for example adding a challenge to the ACP or anything else that would be worth configuring?

For example ensuring there's a managed challenge for the ACP to prevent brute force bot attacks, or even country restricting the ACP if you know you'll only ever log in from one country.

 
Rocket Loader is (and always has been) a terrible idea for XenForo. It's not some magic thing that somehow makes a well designed site faster. What it's good for is when you have a poorly designed website, it can try to programmatically make some improvements to it when you are in a situation where you can't (or don't want to) make those improvements yourself. But none of those improvements are things that you can't make yourself.

More specifically, XenForo is not a poorly designed application, so Rocket Loader literally can't improve it. Think about it logically... you are asking a program to make changes to your JavaScript and how it loads because you think it knows how to do that for your site better than XenForo devs for their own application.

This is still valid:
Rocket Loader sucks... Remember, Rocket Loader doesn't do some sort of magic that isn't possible to code yourself if you know what you are doing, so its usefulness is limited to improving poorly written systems. XenForo is not a poorly written system, so even if it "worked" with XenForo, you really aren't able to improve much of anything. Again, it's not magic... the best it can do is try to rewrite poorly written code.
 
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.3.1).

Change log:
Attempt to have Cloudflare Rocket Loader automatically ignore scripts
There may be a delay before changes are rolled out to the XenForo Community.
 
Rocket loader makes more problems than it solves - even with WordPress.
Rocket loader makes baby Jesus cry. :)

Would it be worth adding a page to the docs about optimised Cloudflare integration Chris?

For example, what you've just added would be very useful.

But additionally you could include any recommended WAF rules, for example adding a challenge to the ACP or anything else that would be worth configuring?

For example ensuring there's a managed challenge for the ACP to prevent brute force bot attacks, or even country restricting the ACP if you know you'll only ever log in from one country.

My 2c on XenForo security (via Cloudflare):
 
In 2.3.1 we add data-cfasync="false" to scripts when we detect a Cloudflare origin IP, or the behavior can be explicitly controlled via $config['disableRocketLoader']. It can be turned off if you already have Rocket Loader disabled globally, but given the number of people who have run into issues we figured it best to handle it automatically.
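
One way to confirm the data-cfasync="false" opt-out described above actually reaches every script on a rendered page, as an added example that is not part of the thread and not XenForo's own code. The sample HTML and its script paths are constructed, and the set of script types treated as executable JavaScript is an assumption.

```python
from html.parser import HTMLParser

# Assumption: these type values mean executable JavaScript; anything else
# (for example application/ld+json) is a data block and is skipped.
JS_TYPES = {"", "text/javascript", "application/javascript", "module"}


class ScriptAudit(HTMLParser):
    """Record every executable <script> tag and whether it opts out of Rocket Loader."""

    def __init__(self):
        super().__init__()
        self.scripts = []  # list of (label, opted_out)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").strip().lower() not in JS_TYPES:
            return
        label = a.get("src") or "<inline script at line %d>" % self.getpos()[0]
        # Only the literal value "false" counts as an opt-out.
        opted_out = a.get("data-cfasync", "").strip().lower() == "false"
        self.scripts.append((label, opted_out))


def unprotected_scripts(html):
    """Return labels of scripts that lack data-cfasync="false"."""
    audit = ScriptAudit()
    audit.feed(html)
    audit.close()
    return [label for label, opted_out in audit.scripts if not opted_out]


# Constructed sample page; the paths are illustrative only.
SAMPLE_HTML = """<html><head>
<script data-cfasync="false" src="/js/vendor/jquery.min.js"></script>
<script src="/js/xf/editor.js"></script>
<script type="application/ld+json">{"@type": "DiscussionForumPosting"}</script>
<script data-cfasync="true">window.example = 1;</script>
</head><body>
<script data-cfasync="false">console.log("boot");</script>
<script>console.log("passkey handler");</script>
</body></html>"""

if __name__ == "__main__":
    for label in unprotected_scripts(SAMPLE_HTML):
        print('missing data-cfasync="false":', label)
```

Feed it the HTML your origin serves for a forum page and for the admin login page; an empty result means every script carries the opt-out.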
 
I just came across your article on Zero Trust for WP in a Google search, nicely done :)

Thanks.
I wrote down everything that I needed to run my cycling/mechanics website and put it on a separate site, so that I can do it again easily, even if I forget everything. :)
When I started running a forum, I also made sure to write things down on that "IT" site - for the same reason.
 