Cloudflare with subfolder setup

I just wanted to share the steps I followed to set up a subfolder together with Cloudflare, especially for the case where the main website is already live and the root domain cannot be pointed to the forum server (even temporarily).

Key Points

  • The existing mywebsite.com currently points to 1.1.1.1 and is live
  • We should route mywebsite.com/forum (and its subdirectories) to 2.2.2.2
  • Since we cannot pass the Let's Encrypt validation during Discourse installation (it checks whether the domain resolves to the current server), we should use DNS validation

Changes in app.yml

Letsencrypt updates

Create a new letsencrypt template and set it in app.yml according to this topic: LetsEncrypt DNS Validation Template Using Cloudflare

However, make sure to copy only the issue_cert method from that post, and take the rest of the content from the original web.letsencrypt.ssl.template.yml (as it was changed after the topic was posted).

LETSENCRYPT_CF_TOKEN: ""
LETSENCRYPT_CF_ACCOUNT_ID: ""
LETSENCRYPT_CF_ZONE_ID: ""
LETSENCRYPT_DNS_PROVIDER: "dns_cf"
  • You can create the Cloudflare token from the CF My Profile → “API Tokens” page.
  • Account ID and Zone ID are shown on the domain’s Overview page.
  • Leave the DNS provider value as above

Subdirectory updates

According to this topic, Serve Discourse from a subfolder (path prefix) instead of a subdomain, set DISCOURSE_RELATIVE_URL_ROOT: /forum under env: and update the run: section.
See this post regarding user IPs: Serve Discourse from a subfolder (path prefix) instead of a subdomain - #111 by varun21

Rebuild

After changing app.yml, the rebuild must skip Discourse's check that the domain resolves to the current server’s IP (mywebsite.com already points to 1.1.1.1, and Discourse checks the root domain). To do that, run:

./launcher rebuild app --skip-connection-test

Cloudflare Setup

I know some people recommend using Workers to route /forum to 2.2.2.2; however, I found it much easier to do with Load Balancing. With Workers I could not solve the CSS/JS-related issues anyway, even with Rocket Loader and other similar settings disabled. So,

  • Activate the Load Balancer (under Traffic)
  • Select “Manage Pools” → “Create”
  • Create 2 pools (for the main website and for the forum), each of them should have only one endpoint

  • Create Load Balancer, hostname should be mywebsite.com
  • Under endpoints section, choose both pools
  • Skip Monitors (since we do not need to monitor the server’s health, main website should always point to 1.1.1.1 and forum to 2.2.2.2), Skip Traffic Steering (default is off)
  • Under Custom Rule, create one with path condition as /forum and point to forum endpoint

  • Save/Deploy

Notes

  • For some reason copying the sample app.yml and then rebuilding did not work for me (I was probably doing something wrong). So, as a solution, I ran discourse-setup the first time with another domain and then, along with the other app.yml changes above, changed the hostname and did the final rebuild
  • Discourse generates 2 certificates from Let's Encrypt, an RSA cert and an ECDSA cert, and Let's Encrypt has a limit of 5 certificates per exact domain per week. If you do something wrong 2 times in a row, the 3rd attempt will only issue one certificate, and the forum will not work (you can check the current limit with this script: GitHub - sahsanu/lectl: Script to check issued certificates by Let's Encrypt on CTL (Certificate Transparency Log) using https://crt.sh).
  • CF Load Balancer is not free; however, considering the cost (as of now) of 5 USD per 500k DNS requests, I think it is worth it compared to the hassle with nginx etc.
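
The certificate budget from the rate-limit note above, worked through as an added example (not part of the original post and not lectl's code): it counts certificates issued for the exact hostname in the last week from Certificate Transparency records and reports whether the next rebuild can still obtain both the RSA and the ECDSA certificate. The record fields `serial_number`, `name_value` and `not_before` are assumed to match crt.sh's JSON output, the function names are hypothetical, and the sample records are constructed.

```python
from datetime import datetime, timedelta

LIMIT = 5               # certificates per exact domain per week (figure from the post)
CERTS_PER_REBUILD = 2   # one RSA and one ECDSA certificate per rebuild
WINDOW = timedelta(days=7)

def issued_in_window(records, hostname, now):
    """Count distinct certificates issued for exactly `hostname` in the last week."""
    serials = set()
    for rec in records:
        names = {n.strip().lower() for n in rec["name_value"].split("\n") if n.strip()}
        issued = datetime.fromisoformat(rec["not_before"])  # approximates issuance time
        if names == {hostname.lower()} and now - WINDOW < issued <= now:
            # CT logs carry a precertificate and a leaf with the same serial:
            # collapsing on the serial avoids counting one issuance twice.
            serials.add(rec["serial_number"])
    return len(serials)

def rebuild_budget(records, hostname, now):
    """Return how many certificates and complete rebuilds remain this week."""
    used = issued_in_window(records, hostname, now)
    remaining = max(LIMIT - used, 0)
    return {
        "used": used,
        "remaining": remaining,
        "full_rebuilds": remaining // CERTS_PER_REBUILD,
        "next_rebuild_incomplete": remaining < CERTS_PER_REBUILD,
    }

def _rec(serial, not_before, names="mywebsite.com"):
    return {"serial_number": serial, "not_before": not_before, "name_value": names}

# Constructed sample: two failed rebuilds this week, each logged as precert + leaf.
SAMPLE = [
    _rec("aa01", "2024-05-08T09:00:00"), _rec("aa01", "2024-05-08T09:00:00"),
    _rec("aa02", "2024-05-08T09:00:05"), _rec("aa02", "2024-05-08T09:00:05"),
    _rec("aa03", "2024-05-09T10:00:00"), _rec("aa03", "2024-05-09T10:00:00"),
    _rec("aa04", "2024-05-09T10:00:04"), _rec("aa04", "2024-05-09T10:00:04"),
    _rec("old1", "2024-04-20T08:00:00"),  # outside the 7-day window
    _rec("www1", "2024-05-09T11:00:00", "mywebsite.com\nwww.mywebsite.com"),  # other name set
]

if __name__ == "__main__":
    print(rebuild_budget(SAMPLE, "mywebsite.com", datetime(2024, 5, 10, 12, 0, 0)))
```

With the sample data, four certificates are already used, so only one remains and a third rebuild would come up one certificate short, which is the failure described in the note.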