Using Discourse with Cloudflare: Best Practices

Hopefully it’s helpful, but I also wrote a general guide to the best settings here:

A Cloudflare staff member also added some pointers and corrections in the comments section.

I’m updating that guide and was trying to see if there was any new advice from Discourse and found this page.

I will be adding these to my managed rules. Thank you!

Here’s an overview of my custom rules. This has really helped reduce spam, and oftentimes (not always) some of the lowest-quality traffic comes in via VPNs and DC traffic, which these have helped with:

I will make a proper write-up with the full contents of the rules. I have been running these for about 6 months and validating their success by using the Log Explorer tool and inspecting 10k events at a time.

2 likes

I am trying to understand Cloudflare integration using the free version before using it on a new discourse site. Can anyone expound on these with specifics / examples? Assume the discourse site is: ‘discourse.abc123.com’

(1) Cloudflare seems to remove the origin nginx security headers I currently have?

(2) I don’t understand these comments: “If you decide to enable the CloudFlare CDN (orange cloud) you need to take one more step and establish a page rule for the address of your Discourse instance. The rule needs to ‘Disable Performance’ (I don’t see that option) which will turn off the CloudFlare features which are well documented to interfere with Discourse.” AND Create the following page rules at dash.cloudflare.com/?to=/:account/:zone/rules:

  • Set Cache Level to “Bypass” for community.example.com/session/*

  • Configure Rules Settings to normalize incoming URLs

Also, any other gotchas I should handle?

Thanks in advance.

Been using Cloudflare in proxy mode in front of my discourse forum since summer of 2025 without any issues; there just aren’t a huge number of discourse-specific things that you need to do these days to get it to work properly.

One of the most critical items is making sure to include the cloudflare template in your app.yml file. Without this, you’ll only see Cloudflare server IP addresses in your discourse dashboard, rather than the actual visitor IP addresses.

The “Bypass cache for /session/*” rule appears to still be necessary (do it as a cache rule in the new interface), and the “Skip WAF on post creation/edits” rule is definitely still necessary (I have this as a managed rule).

As I’m primarily using Discourse as a comment system for a WordPress site, I’ve got WordPress adding a 60-second TTL onto the /wp-json/wp-discourse/v1/discourse-comments?post_id=xxxx ajax responses that the web server emits when visitors request a specific WP post’s comment thread; this helps with managing burst-y visitor patterns. I’ve added a CF cache rule that respects the TTL on URIs that include /wp-json/wp-discourse/. (I can’t set a short enough TTL on those URLs via Cloudflare without an Enterprise account, so I set the TTL at the application layer via a mu-plugin and then tell CF to respect that TTL via a CF cache rule.)

Other than that, and the basic settings mentioned in the opening post of the thread, there’s just not that much to do—Cloudflare works pretty darn well with Discourse.

5 likes
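
The Cloudflare template mentioned in the post above is what makes Discourse show visitor addresses instead of Cloudflare's. The trust decision behind that kind of restoration, as an added Python example (not part of the thread and not Discourse's template code); the function names and the short range subset are assumptions for illustration:

```python
import ipaddress

# Illustrative subset of Cloudflare's published proxy ranges (assumption:
# a real deployment loads the full, current list that Cloudflare publishes).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "104.16.0.0/13", "2400:cb00::/32",
)]


def is_trusted_proxy(peer, nets=CLOUDFLARE_NETS):
    """True when the TCP peer address belongs to a trusted proxy range."""
    addr = ipaddress.ip_address(peer)
    return any(addr.version == n.version and addr in n for n in nets)


def visitor_ip(peer, headers, nets=CLOUDFLARE_NETS):
    """Return the address to log and rate-limit on.

    CF-Connecting-IP is honoured only when the connection itself came from
    a trusted range; otherwise anyone who can reach the origin directly
    could put any address they like in the header.
    """
    if not is_trusted_proxy(peer, nets):
        return peer
    # HTTP header names are case-insensitive.
    lowered = {k.lower(): v for k, v in headers.items()}
    claimed = lowered.get("cf-connecting-ip", "").strip()
    try:
        return str(ipaddress.ip_address(claimed))
    except ValueError:
        return peer  # header missing or malformed: fall back to the peer


# Constructed sample requests: (TCP peer, request headers).
SAMPLES = [
    ("104.16.1.10", {"CF-Connecting-IP": "203.0.113.7"}),   # via Cloudflare
    ("104.16.1.10", {}),                                    # no header present
    ("198.51.100.9", {"CF-Connecting-IP": "203.0.113.7"}),  # direct to origin
    ("104.16.1.10", {"cf-connecting-ip": "not-an-ip"}),     # malformed header
]

if __name__ == "__main__":
    for peer, headers in SAMPLES:
        print(f"{peer:>14} -> {visitor_ip(peer, headers)}")
```

The third sample is the case to watch: if the origin accepts connections that bypass Cloudflare, the header must not be believed, which is why restricting origin access to Cloudflare's ranges complements the template.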

Hi there, I just recently set this up and was done in 20 mins.

I use the Cloudflare free plan as well, and some of the settings actually changed. If you use the search bar on the Cloudflare dashboard, it will pop up the new spot for it. I had some issues with finding some of the settings as well.

It does require a rebuild.

2 likes

I only enabled “Little Yellow Cloud” (Xiao Huang Yun) and haven’t done anything else yet ~ I’ll configure it and see the effect when I have time.

Finished the Discourse + Cloudflare WAF write-up I mentioned earlier:

Covers the full custom rule stack I use on my Discourse forum: skip rules for static assets and /message-bus, block rules for scanners, ASN and geo challenges, rate limiting tuned for Discourse, and managed rule exceptions.

Also found something that needs clarification in the post creation/edit expression in the official guide: the regex operator matches requires Business plan. So in the article I’ve used a starts_with alternative that works on Pro plans.

Tested on a live forum with real traffic. Looking forward to any suggestions, improvements or if anyone runs into issues with config.

3 likes

I would like to know. What is the difference between this setup method and only enabling the yellow cloud while keeping all other settings as default? Thank you.

1 like

Good question. With just the orange cloud defaults, you get DNS, CDN, DDoS protection, and the free managed ruleset. That’s a solid baseline and Discourse will work fine with just that.

The reason many go further is often SPAM, but also wasted bandwidth/server resources, and overall page speed/loading performance.

Regarding SPAM, we were getting anywhere from 5 to 10 spam posts a week, and at times it was relentless enough that I was actively searching for solutions here in these forums.

Since deploying these custom rules, that’s dropped to maybe 2 or 3 a month. The main issue left behind is one or two trolls and troublemakers who just keep signing up under new accounts when caught. But that’s another topic! The combination of challenging datacenter and VPN traffic, challenging Tor and problematic countries made a huge difference.

Beyond spam, there’s the hosting resources side. Knowing exactly what your hosting resources are being used for goes a long way. It’s also good for the internet in general not to feed automated traffic/bots.

Start with solid, fast hosting on a good network, most important that. Then Cloudflare on top ensures users who are far from your server still get a fast experience. The caching layer helps even with defaults, but going beyond the defaults continues to improve both performance and security.

By default, Cloudflare ships with settings that are extremely safe to enable without side effects. But there are plenty of additional settings that are also safe to enable and just aren’t turned on out of the box. And custom rules have to be custom because Cloudflare doesn’t offer any kind of wizard where you select “I’m running Discourse” or “I’m running WordPress” and it builds rules for you. That would be a great feature, and I plan to suggest it on my next call with them.

So it depends on what you want. If defaults are working and spam isn’t a problem, you may not need any of this.

But IMO, if you want more control over what reaches your forum and you want to squeeze every bit of performance out of your setup from the hosting layer all the way through to the edge, the custom rules are worth the effort.

2 likes