Using Discourse with Cloudflare: Best Practices

This topic provides a comprehensive guide to using Discourse with Cloudflare. It includes a step-by-step guide, and best practices to ensure maximum compatibility.

Why use Discourse with Cloudflare

Using Discourse with Cloudflare can provide several benefits:

  • Performance: Cloudflare’s CDN can speed up worldwide access to common assets on your Discourse forum, improving the user experience for your community members no matter where they are located.
  • Security: Cloudflare provides additional layers of security for your Discourse forum, such as DDoS protection and HTTPS support if you are not using Discourse’s Let's Encrypt setup.

For self-hosters, it’s important to note that while Cloudflare can provide these benefits, it also adds complexity to your Discourse setup. This document aims to help you navigate this complexity and make the most of using Discourse with Cloudflare.

Setting Up Discourse with Cloudflare

  • Cloudflare Fundamentals: Once you have your Discourse instance running, make sure you are familiar with Cloudflare Fundamentals, a one-stop location for pointers to Cloudflare resources.

  • Set Up: To get the security, performance, and reliability benefits of Cloudflare, you need to set up Cloudflare on your domain. Directions.

Best Practices

The links provided assume that you are logged in and only have one account.

  • DNS: Ensure the DNS records pointing to your Discourse instance are proxied. Go here to manage your DNS records.

  • SSL/TLS encryption mode should be set to Full (strict). Go here to manage your SSL/TLS settings. :warning: If not set up properly, this may lead to redirect loops.

  • Caching Level should be set to Standard. Go here to set caching level.

  • Create a Page Rule for community.example.com/session/* to set Cache Level to Bypass. Go here to create a Page Rule.

  • Rules Settings should be configured to Normalize incoming URLs. Go here to configure Rule settings.

  • Network Settings depend upon your Cloudflare plan type and should be configured as follows. If they are not already enabled, enable IPv6 Compatibility, WebSockets, IP Geolocation, Network Error Logging, and Onion Routing. If they are not already disabled, disable Pseudo IPv4, Response Buffering, True-Client-IP Header, and gRPC. Set Maximum Upload Size per your site policy; 100 MB is sufficient. Go here to configure Network settings.

  • WAF Settings depend upon your Cloudflare plan type and security needs.
    If your Cloudflare account supports Managed Rules, configure a Managed Rule to skip the WAF on post creation and edits. Do this by:

    • Adding a Managed Rule matching on URI Path and Request Method. The rule expression should appear as follows:
      (http.request.uri.path eq "/posts(/[0-9]+)?" and http.request.method in {"POST" "PUT"})

    • Choosing the option to Skip all remaining rules
    • Enabling Log matching requests

    If you are using the Data Explorer plugin, configure a Managed Rule to skip the WAF on admin queries. Do this by:

    • Adding a Managed Rule matching on URI Path and Request Method. The rule expression should appear as follows:
      (http.request.uri.path contains "/admin/plugins/explorer/queries/" and http.request.method eq "PUT")

    • Choosing the option to Skip all remaining rules
    • Enabling Log matching requests

    Go here to create Managed Rules.

  • Content Optimization should have Brotli turned on, Rocket Loader™ off, and ‘Auto Minify’ off.

    Go here to set Content Optimization.

    :warning: Discourse receives plenty of site-down reports caused by Rocket Loader™ being left on.

Additional configuration for self-hosters

To ensure the correct client IP address reaches Discourse (rather than the address of the Cloudflare proxy), add the following line to the end of your containers/app.yml.

cloudflare.template.yml

(Related: How do you setup Cloudflare? - #6 by codinghorror)
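As an added illustration (not code from this topic or from the Discourse project), the following Python model shows what the cloudflare template makes nginx do: honour CF-Connecting-IP only when the TCP peer is inside Cloudflare's proxy ranges, and otherwise keep the peer address, so a client that reaches the origin directly cannot forge its source IP. The ranges below are constructed placeholders, not Cloudflare's published lists.

```python
import ipaddress
from typing import Iterable, Mapping, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample ranges standing in for the Cloudflare proxy ranges that
# the template installs as set_real_ip_from entries (placeholders only).
SAMPLE_PROXY_RANGES: list[Network] = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:cf::/48"),
]


def is_trusted_proxy(peer_ip: str, ranges: Iterable[Network]) -> bool:
    """True when the TCP peer belongs to one of the trusted proxy ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in ranges)


def resolve_client_ip(peer_ip: str, headers: Mapping[str, str],
                      ranges: Iterable[Network] = SAMPLE_PROXY_RANGES) -> str:
    """Return the address Discourse should log and rate-limit on.

    Mirrors nginx's real_ip_header CF-Connecting-IP behaviour: the header is
    only believed when the connection really came from the proxy. Without
    the template every request would simply show the proxy's own address.
    """
    if not is_trusted_proxy(peer_ip, ranges):
        # Direct connection: any CF-Connecting-IP here is client-supplied
        # and therefore untrustworthy, so ignore it.
        return peer_ip
    lowered = {k.lower(): v for k, v in headers.items()}
    claimed = lowered.get("cf-connecting-ip")
    if claimed is None:
        return peer_ip
    try:
        # Normalise the value so a malformed header cannot poison logs.
        return str(ipaddress.ip_address(claimed.strip()))
    except ValueError:
        return peer_ip


if __name__ == "__main__":
    # Constructed sample: a proxied request and a forged direct request.
    print(resolve_client_ip("198.51.100.7", {"CF-Connecting-IP": "203.0.113.9"}))
    print(resolve_client_ip("192.0.2.5", {"CF-Connecting-IP": "203.0.113.9"}))
```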

Support

For direct support from Cloudflare, please visit the original post @ the Cloudflare Community.

Alternatively, you may search for specific issues on Meta: Search results for ‘cloudflare’ - Discourse Meta

Special Thanks

@tcloonan for authoring this topic :clap:t2:

Last edited by @supermathie 2024-08-08T17:40:46Z

21 Likes

Good morning,

Thank you for this guide, which I followed to the letter, but I encounter a problem: each time I activate Cloudflare, my console shows me a CSP error (Refused to execute inline script because it violates the following Content Security Policy directive: "script-src) and, after listing the URLs present in my CSP: (Either the ‘unsafe-inline’ keyword, a hash (‘sha256-VCiGKEA…=’), or a nonce (‘nonce-…’) is required to enable inline execution.

I tried looking everywhere but I can’t find a solution other than disabling the proxy, which solves my problem?

THANKS.

Can you check if rocket loader is turned off?

Another thing is to check that the scripts are appropriately added to content security policy script src site setting.

If none of these are working out, I suggest reaching out to Cloudflare @ https://community.cloudflare.com/t/using-discourse-with-cloudflare-best-practices/602890.

1 Like

Thanks for this @nat and @tcloonan

This has been on my list of things to do for a year or two, but I’ve been put off by the age of some of the older threads on this subject :smiley:

Any issues or special things for people using AWS S3 for storage and for backups? :thinking:

Do you still need the cloudflare template in app.yml for true IP addresses or has that changed over the years?

1 Like

Yes. You do need the cloudflare template. Without it, all traffic will appear to come from cloudflare’s servers rather than the user’s browser IP.

I don’t see it mentioned in the OP, which seems like a glaring omission. How did you infer that you needed it?

1 Like

Hi! Been around since 2014 (some years mostly silent) but have been working on getting our community migrated over since 2020 with a custom importer, and we are working on the second version of our in-house plugin to insert and enable bbob as a bbcode engine into Discourse. You can follow our progress here: GitHub - RpNation/bbcode: RpNation's Official BBCode Implementation for Discourse

I’ve been breathing this software for a bit now. We do use Cloudflare, so I’ve been re-researching what if any issues it has with discourse, since we are now at the stage where I can start worrying about less vital things that are not considered blockers.

@nat Could you add an edit about the template for self-hosted instances!

3 Likes

Done, thank you both for pointing this out!

3 Likes

Thank you very much! That was probably also the reason why my site was suddenly no longer accessible. I must have played with the Cloudflare settings a bit too much.

Since my old domain provider only supported DNSSec inadequately & incorrectly, I had to look for something new. That’s when Cloudflare came to mind. The free plan is completely sufficient for me. It’s a shame that the tariffs don’t even scale reasonably to the requirements.

2 Likes

Is it adding to this location?

1 Like

Just for accuracy, the query for the WAF exclusion is:

(http.request.uri.path eq "/posts(/[0-9]+)?" and http.request.method in {"POST" "PUT"})

You can copy-paste it if you click on the Edit expression on the left instead of using the form selection.

Noticed today as I updated and suddenly half the forum wasn’t working due to Auto Minify :weary:

Edit: just noticed this is a wiki post. Silly me, I have edited the initial post.

3 Likes

SSL/TLS encryption mode Full (strict). Will there be a problem if it is not closed? Won’t automatic SSL be defined anyway?

Just to add to this, it seems the OneBox functionality is being blocked when Super Bot Fight Mode is on and the setting Definitely automated is set to Managed or block…

You can get around this by setting up a custom WAF rule for the Onebox user agent but perhaps there is a more secure way of doing this?