Using Discourse with Cloudflare: Best Practices

Using Discourse with Cloudflare

:bookmark: This guide explains how to configure and use Discourse with Cloudflare, including security best practices and troubleshooting tips.

:person_raising_hand: Required user level: Administrator

:information_source: Console access is required for self-hosted installations

Summary

Cloudflare can enhance your Discourse instance with improved performance through CDN, additional security layers like DDoS protection, and HTTPS support. This guide covers the setup process and best practices for optimal configuration.

Why use Cloudflare with Discourse

Using Cloudflare with your Discourse instance provides several key benefits:

  • Improved performance through Cloudflare's CDN
  • Additional security layers such as DDoS protection
  • HTTPS support

:warning: For self-hosted installations, while Cloudflare offers these benefits, it adds complexity to your setup.

Setting up Cloudflare

  1. Familiarize yourself with Cloudflare Fundamentals
  2. Follow the setup directions to configure Cloudflare for your domain and get the security, performance, and reliability benefits

Configuration best practices

DNS settings

  • Ensure DNS records pointing to your Discourse instance are proxied
  • Access DNS settings at dash.cloudflare.com/?to=/:account/:zone/dns

SSL/TLS configuration

  • Set encryption mode to “Full (strict)”
  • Access SSL/TLS settings at dash.cloudflare.com/?to=/:account/:zone/ssl-tls

:warning: Incorrect SSL/TLS configuration may cause redirect loops

Caching configuration

  • Set caching level to “Standard”
  • Access caching settings at dash.cloudflare.com/?to=/:account/:zone/caching/configuration

Page rules

Create the following page rules at dash.cloudflare.com/?to=/:account/:zone/rules:

  • Set Cache Level to “Bypass” for community.example.com/session/*
  • Configure Rules Settings to normalize incoming URLs

Network settings

Configure the following at dash.cloudflare.com/?to=/:account/:zone/network:

Enable:

  • IPv6 Compatibility
  • WebSockets
  • IP Geolocation
  • Network Error Logging
  • Onion Routing

Disable:

  • Pseudo IPv4
  • Response Buffering
  • True-Client-IP Header
  • gRPC

Set Maximum Upload Size according to your site policy (100 MB recommended)

WAF (Web Application Firewall) settings

If your Cloudflare plan supports Managed Rules, create the following:

  1. Skip WAF on post creation and edits:
     (http.request.uri.path matches "^/posts(/[0-9]+)?$" and http.request.method in {"POST" "PUT"})
  2. For Data Explorer plugin users, skip WAF on admin queries:
     (http.request.uri.path contains "/admin/plugins/explorer/queries/" and http.request.method eq "PUT")

The first expression uses the matches operator because eq in the Cloudflare rules language is an exact string comparison and would never match a literal path containing (/[0-9]+)?; regular-expression matching is only available on plans that include it.

For both rules:

  • Choose “Skip all remaining rules”
  • Enable “Log matching requests”

Access WAF settings at dash.cloudflare.com/?to=/:account/:zone/firewall/managed-rules
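To sanity-check the scope of the two WAF exceptions and the /session/* cache-bypass page rule before deploying them, the following added example re-implements their intended matching logic in Python and runs it over a constructed set of request paths. It is not Cloudflare's rules engine, does not parse Cloudflare expression syntax, and is not part of this guide; the sample requests are made up for illustration.

```python
import re
from fnmatch import fnmatchcase

# WAF skip for post creation/edits: exactly "/posts" or "/posts/<id>", POST or PUT only.
POSTS_PATH = re.compile(r"^/posts(/[0-9]+)?$")
# WAF skip for Data Explorer queries: any path containing this fragment, PUT only.
EXPLORER_FRAGMENT = "/admin/plugins/explorer/queries/"
# Page rule: Cache Level "Bypass" for community.example.com/session/*
SESSION_GLOB = "/session/*"


def waf_skipped(method: str, path: str) -> bool:
    """Return True if the request would be exempted from Managed Rules."""
    if method in {"POST", "PUT"} and POSTS_PATH.match(path):
        return True
    if method == "PUT" and EXPLORER_FRAGMENT in path:
        return True
    return False


def cache_bypassed(path: str) -> bool:
    """Return True if the page rule would set Cache Level to Bypass."""
    # fnmatchcase keeps matching case-sensitive on every platform.
    return fnmatchcase(path, SESSION_GLOB)


def audit(requests):
    """Classify (method, path) pairs; returns (method, path, waf_skipped, cache_bypassed)."""
    return [(m, p, waf_skipped(m, p), cache_bypassed(p)) for m, p in requests]


# Constructed sample traffic, not captured from a real site.
SAMPLE = [
    ("POST", "/posts"),                          # new post: WAF skipped
    ("PUT", "/posts/4321"),                      # edit: WAF skipped
    ("GET", "/posts/4321"),                      # read: still inspected
    ("POST", "/posts/4321/bookmark"),            # not covered by the pattern
    ("PUT", "/admin/plugins/explorer/queries/7"),  # Data Explorer save: skipped
    ("GET", "/session/csrf"),                    # cache bypassed
    ("GET", "/t/some-topic/99"),                 # inspected, cacheable
]

if __name__ == "__main__":
    for method, path, skipped, bypassed in audit(SAMPLE):
        print(f"{method:5} {path:42} waf_skipped={skipped!s:5} cache_bypass={bypassed}")
```

Reviewing the output shows what the exceptions do and do not cover: a bookmark action under /posts/<id>/ is still inspected, and a GET to the same post path is never skipped, so the exemption is limited to the write operations the guide names.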

Content optimization

Configure the following at dash.cloudflare.com/?to=/:account/:zone/speed/optimization:

  • Enable Brotli
  • Disable Rocket Loader™
  • Disable Auto Minify

:warning: Discourse frequently receives site down reports due to Rocket Loader™ being enabled

Additional configuration for self-hosted installations

To ensure correct IP address forwarding, add the following to the templates section in your containers/app.yml:

cloudflare.template.yml
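The reason the template is needed: behind the proxy, the TCP peer is a Cloudflare edge and the visitor's address arrives in the CF-Connecting-IP header, which is only trustworthy when the peer really is Cloudflare, since anyone reaching the origin directly could send a forged header. The template makes nginx apply that trust decision; the added example below (not the template's code, and not part of this guide) shows the same decision in Python with constructed placeholder ranges instead of Cloudflare's published list.

```python
import ipaddress

# Constructed placeholder ranges standing in for the trusted proxy list. A real
# deployment uses Cloudflare's published ranges (https://www.cloudflare.com/ips/).
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),      # TEST-NET-3, placeholder
    ipaddress.ip_network("2001:db8:cf00::/40"),  # documentation prefix, placeholder
]


def client_ip(peer_addr: str, headers: dict) -> str:
    """Return the address that logging and rate limiting should attribute the request to.

    peer_addr is the TCP peer; headers is a dict of request headers (looked up
    case-insensitively). The forwarded address is honoured only when the peer
    is inside a trusted proxy range.
    """
    peer = ipaddress.ip_address(peer_addr)
    forwarded = next(
        (v for k, v in headers.items() if k.lower() == "cf-connecting-ip"), None
    )
    if forwarded is None or not any(peer in net for net in TRUSTED_PROXY_RANGES):
        # Direct connection or untrusted proxy: the header could be forged, ignore it.
        return str(peer)
    try:
        return str(ipaddress.ip_address(forwarded.strip()))
    except ValueError:
        # Malformed value even from a trusted proxy: fall back to the peer, never crash.
        return str(peer)


if __name__ == "__main__":
    # Constructed requests: one through the "proxy", one hitting the origin directly.
    print(client_ip("203.0.113.10", {"CF-Connecting-IP": "198.51.100.7"}))  # 198.51.100.7
    print(client_ip("192.0.2.55", {"CF-Connecting-IP": "198.51.100.7"}))    # 192.0.2.55
```

Without the template (or an equivalent real-IP configuration), every request is attributed to the first case's peer address, which is why rate limits and admin IP logs show only Cloudflare addresses.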

Related: How do you setup Cloudflare?

Support resources

Troubleshooting

Content Security Policy (CSP) issues

If you encounter CSP errors:

  • Verify that Rocket Loader is disabled
  • Check that scripts are properly added to the content security policy script src site setting

OneBox functionality

If OneBox is being blocked:

  • Check if Super Bot Fight Mode is enabled
  • Adjust the “Definitely automated” setting if it’s set to “Managed” or “Block”
  • Consider creating a custom WAF rule for the OneBox user agent

Last edited by @MarkDoerr 2024-12-17T03:28:55Z

21 Likes

Good morning,

Thank you for this guide, which I followed to the letter, but I encounter a problem: each time I activate Cloudflare in my console I get an error with the CSP, which displays to me (Refused to execute inline script because it violates the following Content Security Policy directive: "script-src) and, after listing the URLs present in my CSP: (Either the ‘unsafe-inline’ keyword, a hash (‘sha256-VCiGKEA…=’), or a nonce (‘nonce-…’) is required to enable inline execution.

I tried looking everywhere but I can’t find a solution other than disabling the proxy, which solves my problem.

THANKS.

Can you check if Rocket Loader is turned off?

Another thing is to check that the scripts are appropriately added to content security policy script src site setting.

If none of these are working out, I suggest reaching out to Cloudflare @ https://community.cloudflare.com/t/using-discourse-with-cloudflare-best-practices/602890.

1 Like

Thanks for this @nat and @tcloonan

This has been on my list of things to do for a year or two, but I’ve been put off by the age of some of the older threads on this subject :smiley:

Any issues or special things for people using AWS S3 for storage and for backups? :thinking:

Do you still need the cloudflare template in app.yml for true IP addresses or has that changed over the years?

1 Like

Yes. You do need the cloudflare template. Without it, all traffic will appear to come from cloudflare’s servers rather than the user’s browser IP.

I don’t see it mentioned in the OP, which seems like a glaring omission. How did you infer that you needed it?

1 Like

Hi! Been around since 2014 (some years mostly silent) but have been working on getting our community migrated over since 2020 with a custom importer, and we are working on the second version of our in-house plugin to insert and enable bbob as a bbcode engine into Discourse. You can follow our progress here: GitHub - RpNation/bbcode: RpNation's Official BBCode Implementation for Discourse

I’ve been breathing this software for a bit now. We do use Cloudflare, so I’ve been re-researching what if any issues it has with discourse, since we are now at the stage where I can start worrying about less vital things that are not considered blockers.

@nat Could you add an edit about the template for self-hosted instances!

3 Likes

Done, thank you both for pointing this out!

3 Likes

Thank you very much! That was probably also the reason why my site was suddenly no longer accessible. I must have played with the Cloudflare settings a bit too much.

Since my old domain provider only supported DNSSEC inadequately & incorrectly, I had to look for something new. That’s when Cloudflare came to mind. The free plan is completely sufficient for me. It’s a shame that the tariffs don’t even scale reasonably to the requirements.

2 Likes

Is it adding to this location?
[image]

1 Like

Just for accuracy, the query for the WAF exclusion is:

(http.request.uri.path matches "^/posts(/[0-9]+)?$" and http.request.method in {"POST" "PUT"})

You can copy-paste it if you click on the Edit expression on the left instead of using the form selection.

Noticed today as I updated and suddenly half the forum wasn’t working due to Auto Minify :weary:

Edit: just noticed this is a wiki post. Silly me, I have edited the initial post.

3 Likes

SSL/TLS encryption mode Full (strict). Will there be a problem if it is not closed? Won’t automatic SSL be defined anyway?

Just to add to this, seems the OneBox functionality is being blocked when Super Bot Fight Mode is on and the setting Definitely automated is set to Managed or block…

You can get around this by setting up a custom WAF rule for the Onebox user agent but perhaps there is a more secure way of doing this?

Related to

this part might need some better wording:

@supermathie Suggestion:

you will want to add the following line to the end of your templates section in containers/app.yml.

as illustrated in Using Discourse with Cloudflare: Best Practices - #11 by shawa

At best, a link to a general how-to about templates in server configuration could be provided also, which I was not able to find at first sight.