Stop Discourse leaking its host IP address when preloading links/resources

I refer to this post here: Discourse Link previews through a proxy server?

First of all, sorry to resurrect this almost 10 year old post, but I seriously can’t believe this doesn’t bother anyone else?

I have now managed to hide my host server and its IP address behind Cloudflare and, after hours of searching, I have managed to only allow incoming network traffic from Cloudflare so that port scanners cannot accidentally discover the forum under the IP address. Safety is simply very important to me. The mail server is external, almost everything is protected - but it’s a joke that someone just has to insert a bait image in a post and Discourse downloads it directly to embed it or something similar. I couldn’t find anything that disables this anywhere. Even these oneboxes, which are supposed to be the previews - even setting these to 0 does nothing - the IP logging pixel was immediately embedded and could reveal the host’s IP to attackers - so Cloudflare’s protection is absolutely useless in this case. Either you protect your services properly or not at all - what use is Cloudflare to us if the attacker doesn’t need 5 minutes to register, post a picture and thus find out the real IP of the host?

I’ve been trying for hours today using AI, Tor and torsocks - but it never really worked. The rebuild usually crashes as soon as I dare to change something in the env settings. If anyone has somehow managed to do this, I’m almost begging them to please share it with us. Most of the time the rebuild fails because access to GitHub doesn’t work, as GitHub probably prohibits Tor traffic.

And none of this would be necessary if you could simply stop Discourse from loading the links in advance.

I’m really desperate.

Might this help?

It wasn’t built for exactly this (main goal was to improve reliability) but might be part of a solution as it’s essentially using a proxy service.

1 like

Thanks! I added your plugin and rebuilt Discourse. After that I thought that if I check the first two checkboxes, it would enforce using a proxy, regardless of whether one is set up or not. But it doesn’t matter whether I put in the proxy info or left the values empty and only activated the two checkboxes; it still loads the tracking pixel with the VPS IP address. :confused:

I’ll now try to configure the complete Docker setup, or only the Discourse image, to use a proxy. Maybe it will work with a regular proxy provider and won’t fail in rebuilding like it did with Tor.

2 likes

Ah, shame. The plugin route is still the right way to go, regardless of the solution, as it makes maintenance a lot easier.

1 like

You can simply set up something like Tinyproxy on a separate host and configure environment variables to use that. Make sure to disable IP header forwarding on Tinyproxy, and it might be helpful to exclude GitHub to ease theme installation as well.

You should be using such a mechanism when Discourse runs, not when it is being built.

2 likes
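The setup described in the last reply (Tinyproxy on a separate host, no client-IP header forwarding, GitHub excluded, proxy applied at run time rather than at build time), as an added example that is not from the thread or from the Discourse project. The addresses, port and output paths are constructed, and the env fragment assumes the container's Ruby HTTP stack honours the standard HTTP_PROXY/HTTPS_PROXY/NO_PROXY variables.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed values: proxy host 10.0.0.2,
# Discourse host 10.0.0.5. Writes a hardened tinyproxy.conf, an app.yml env
# fragment, and lints the proxy config for directives that reveal the client.
set -eu

# Tinyproxy config for the separate proxy host. Only the Discourse host may use
# it, and nothing identifying that client is added to outgoing requests.
write_tinyproxy_conf() {
  cat > "$1" <<'EOF'
Port 8888
Listen 10.0.0.2
# Only the Discourse host may relay through this proxy.
Allow 10.0.0.5
# "XTinyproxy Yes" would add the client's IP (the Discourse host) as an
# X-Tinyproxy header on every outbound request: the exact leak this thread is about.
XTinyproxy No
# Do not announce this proxy in a Via header either.
DisableViaHeader Yes
# Oneboxes and image fetches are mostly HTTPS, which goes through CONNECT.
ConnectPort 443
ConnectPort 80
EOF
}

# Lint: returns 0 if the config forwards no client identity, 1 if it leaks.
check_tinyproxy_conf() {
  leaks=0
  if grep -Eiq '^[[:space:]]*XTinyproxy[[:space:]]+Yes' "$1"; then
    echo "LEAK: XTinyproxy Yes forwards the Discourse host IP" >&2; leaks=1
  fi
  if ! grep -Eiq '^[[:space:]]*DisableViaHeader[[:space:]]+Yes' "$1"; then
    echo "LEAK: Via header names the proxy; add 'DisableViaHeader Yes'" >&2; leaks=1
  fi
  return $leaks
}

# Env fragment for the Discourse container's app.yml: the proxy applies to the
# running app, not the image build. GitHub is excluded via NO_PROXY so plugin and
# theme fetches go direct (assumed to be honoured by the Ruby HTTP client).
write_app_yml_env() {
  cat > "$1" <<'EOF'
env:
  HTTP_PROXY: http://10.0.0.2:8888
  HTTPS_PROXY: http://10.0.0.2:8888
  NO_PROXY: localhost,127.0.0.1,github.com
EOF
}

# Stand-alone run: write both files to a scratch directory and lint the proxy config.
out="${TMPDIR:-/tmp}/discourse-proxy-example"
mkdir -p "$out"
write_tinyproxy_conf "$out/tinyproxy.conf"
write_app_yml_env "$out/app-env.yml"
check_tinyproxy_conf "$out/tinyproxy.conf" && echo "tinyproxy.conf passes the leak check: $out"
```

Copy the generated tinyproxy.conf to the proxy host and merge the env fragment into the existing `env:` section of app.yml before a rebuild; the lint can be rerun against a live /etc/tinyproxy/tinyproxy.conf after any edit.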