Preventing DDoS on a Discourse instance?


I had a discourse forum which got ddos’d to hell last month (it’s basically a community about news, and what got me ddos’d was the posting of news about ecuadorean protests a month ago. Real eyeopener too). Anyway, this is basically a “hobby” of mine and I don’t really have the money to pay for expert help or expensive servers. It’s just a rather cheap standard vps dedicated exclusively to discourse.

So, what are some good tips you could give me to harden the security of my dirscourse?


Configure UFW and if necessary put it behind Cloudflare with a page rule to “disable performance” so that it doesn’t screw around with the code.


Thank you. Can you elaborate on both ideas?

1)What would be a good configuration for ufw with discourse? should i allow port 80 as well or only 224?

2)What would that page rule look like?

1 Like

This is the one good use case for Cloudflare. But you have to be unbelievably careful that you don’t leak the IP address because if you do it is game over.


So in this case the cloud icon can be turned orange right ? If the performance disabled by page rules ?

That means using cloudflare for “everything” in the forum, so to speak?.

I have cloudlfare in almost standard configuration and works fine. However some posts here recommend “enable this, disable that”, shich makes me fear exactly that: leaking ip.

I disabled “rocket” something and “minification” on cloudflare, that’s basically it. Am I ok?

1 Like

Create a page rule which looks like this:

That will disable everything that can tamper with the code today, and in the future.

If you want to create a caching rule for /uploads/ to save some server transfer that’s fine too.


Beyond what @Stephen mentioned above, do I need to do anything else to prevent leaking of IP?

1 Like

There are a few more recent topics that cover this.

1 Like

Without going through a service like Cloudflare, I presume Discourse out of the box doesn’t leak IP in any way?

1 Like