Best free option to protect discourse from many requests

Search here for “cloudflare problem”. It is quite possible to make it work, but it is not simple.


I use Cloudflare with multiple Discourse installs; it works perfectly fine.

My setup is Cloudflare > nginx reverse proxy > LXD > Docker > Discourse


Can you show me these domains?

You can use Cloudflare as DNS and a cache for /uploads, but if any of their caching or “optimisation” features are touching the page then you’re completely unsupported here.

There is a long list of Cloudflare tweaks which break Discourse in new and interesting ways.

Either way Cloudflare is a tangent, as indicated above the error being discussed is very likely due to nginx not receiving origin IPs. Let’s deal with the root cause rather than slap a bandage on a symptom.


I have no reverse proxy. In fact I use Cloudflare, but to manage the DNS, with the cloud kept gray as the team here recommended.

You need to determine what’s causing the nginx rate limit to kick in. If your Discourse is correctly configured the only reason you should see that message is if there are a large number of users sat behind a single IP. Cloudflare can’t do anything to mitigate that kind of traffic either.

Discourse isn’t a website; it loads a JavaScript payload into the browser, and putting another hop in the network path between client and server will only slow things down.


From what you have said, it looks like your computer is what is making too many requests.

You should look at the logs in /var/discourse/shared/standalone/log/var-log/nginx/ to look for clues.
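An added example, not part of the original posts: one way to read the access logs in that directory for clues, by counting 429 responses per client address. It assumes nginx's "combined" log format; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: nginx "combined" log format. Adjust the pattern if the
# install uses a different log_format.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) ')

def count_by_ip(lines):
    """Return (all requests per address, 429 responses per address)."""
    total, limited = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # not in the assumed format
        total[m["ip"]] += 1
        if m["status"] == "429":
            limited[m["ip"]] += 1
    return total, limited

def diagnose(lines):
    """Say who is being rate limited, using the cases from the thread."""
    total, limited = count_by_ip(lines)
    if not limited:
        return "no 429 responses logged"
    if len(total) == 1:
        # Every request carries one address: either a single client, or
        # nginx is logging a proxy address instead of the real clients.
        return "all traffic from one address: " + next(iter(total))
    return "429 limited to: " + ", ".join(sorted(limited))

def make_line(ip, status, path="/latest"):
    """Build one constructed sample line in combined format."""
    return (f'{ip} - - [01/Jan/2024:12:00:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "sample-agent"')

# Constructed sample: one address floods, two others browse normally.
SAMPLE = ([make_line("203.0.113.7", 200)] * 5
          + [make_line("203.0.113.7", 429)] * 40
          + [make_line("198.51.100.20", 200)] * 3
          + [make_line("198.51.100.21", 200)] * 2)

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

If the 429s belong to one flooding address while other addresses keep getting 200s, the limit is doing its job; if every logged request shows the same address, check whether nginx is receiving the real client IPs.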


I have no idea, but it is a really big problem; this thing is happening almost every 10 minutes. :cry::cry:

Is it happening to anyone but you?

Developing story:

I asked a friend of mine; he used some kind of software to send many requests to my website. He sent like 3000 requests in 15 seconds and the problem occurred.

The thing is, everybody with the same software can take down our website like that.
So the idea here is: how can we prevent this thing?

That’s what is supposed to happen. If he floods the site with requests, he, and only he, gets the “Too many requests” notice so that he cannot take your site down. It is doing exactly what you want.

If you are browsing the site normally and get that 429 message you have a problem. If you are trying to crash your site and get the 429 message then you have proof that your site is protected.


Yes sir, I know that he did it because he is authorized, but what if somebody does the same and floods the website all day long, just to prevent us from reaching our website? What is the solution? Is this something related to server ability?
We are using an 8Gb server with 4 CPUs!!

If they flood the web site, they will get that 429 message so that they will not be able to continue to flood your site. Just like it did for him. The server isn’t giving him that message because you “authorized” him. It is keeping him from accessing the site because he is being malicious. If they flood the web site all day long it will not affect your server because they will get only the 429 page.

You are already protected.

Often people get that 429 error when they should not, and they are unable to access their site. That is a problem. You have no problem. You are unable to access your site if you try to take it down. That is what you want.


This one is no longer working, right? To activate Cloudflare?

We will publish a new guide on Cloudflare soon.

Although you seem to be ignoring the earlier statements that Cloudflare won’t do anything for you here.


My apologies to you, but I am not; you were clear enough in the part below:

And I can say you absolutely know better than me. I always wanted to connect my website to Cloudflare, even before this event, so I took advantage of this post to ask again.
Again, I am sorry, and I do appreciate your efforts in helping me. I am fully aware of the fact that Cloudflare will not help.

I fully understand what you are saying; you mean the flood of requests cannot damage the data on the server!!
OK, sounds good, but what am I going to do with an unaffected server if somebody can shut down my website for 10 minutes 5 times a day with a small piece of software?

What I need to know here is: what is the best method to handle all these requests without getting the 429 page? I just want to keep the website running smoothly under this scenario,
because the users do not care about a protected server but about getting to the website and seeing the content.

This is the last time that I will try to explain.

The only people who will not be able to see your site are people who are running a program that tries to make it inaccessible.

While the people who run software to crash your site see the 429 error, everyone else sees the site just fine.


You can’t imagine how stupid I am :wink:
For real, I am not a programmer; this is why people must talk to me in simple language.
The part above is clear.
Thanks a lot for your time, sir.


You can find many, many stupid things that I’ve said here, I assure you!

Glad that I (think I) finally explained it in a way you could understand. Sorry it took me so many tries.