![[DigitalPoint] App for Cloudflare®](https://warforever.com/data/attachments/5/5959-deeaa82173b7b1e7b15536b838812816.jpg){kind=small}
Additional requirements : A Cloudflare account (which is free)
Features
Everything is available from within XenForo (you do not need to go to Cloudflare for things) via the Cloudflare API. This allows you give admins permission to do certain things (for example block IP addresses within Cloudflare without giving them access to your Cloudflare account).
It simplifies/automates much of the configuration and usage of Cloudflare with XenForo.
Version 1.0.0.1 Fixes issue with downloading Cloudflare backup :
Fixed issue where generation of Cloudflare backup would try to use zone-level permissions for Access instead of account-level.
Version 1.0.0.2 Fixes issue where Argo Tiered Cache setting couldn't be toggled :
Fixed issue where changed to Argo Tiered Cache setting wouldn't update via API.
Version 1.0.0.3 Fixes issue where Argo Tiered Cache setting couldn't be toggled, take 2 :
Fixed issue where changes to Argo Tiered Cache setting wouldn't update via API (for real this time).
Version 1.0.1 Adds option to block IPs via a spam clean when used from user approval queue :
New option under Options -> External service providers -> Block IP addresses on spam clean from user approval queue (it's off by default, so you will need to enable it if you want to use it).
Added additional info for cases where there's an exception making request to Cloudflare's API, but without an actual error received from the API.
Version 1.0.1.1 Fix for very old versions of PHP : Compatibility with very old (end-of-lifed for years) versions of PHP
Version 1.1.0 Adds ability to use Cloudflare Worker for XenForo image proxy :
This gives you an easy/fast/reliable/free way to hide your server's origin IP from someone trying to get it for malicious purposes.
Version 1.1.1 Adds ability to block automated spam registrations
New User registration option: Registration form is an overlay
Added ability to auto-configure Cloudflare firewall filter rule to force new registrations to go through managed challenge (helps mitigate automated spam registrations)
Adds 24 solve rate metrics for firewall filter rules (needs new "Zone.Analytics: Read" permission)
IMPORTANT for existing users : The new solve rate metric requires a new permission for the API Token you use. You can go to your Cloudflare API Tokens, edit the token you have and add the
Version 1.2.0 Adds ability to force a challenge for contact form and use Cloudflare Worker as unfurl proxy
The option to
Using Cloudflare Workers as an image proxy was added in version 1.1.0. Now you can also use Cloudflare Workers as an unfurl proxy to further hide the origin server's IP address.
Version 1.2.1 Fix for issue with Cloudflare Worker unfurl proxy not getting it's route enabled
Support for new Cloudflare setting:
Fixed an issue where the Cloudflare Worker for unfurl proxying would not have it's route enabled
Not particularly keen on putting out a followup release so quick, however there is an issue where the Cloudflare Worker for unfurl proxying would not have it's route enabled (and wouldn't work since there was no route).
If you've already enabled the unfurl proxy, all you need to do to enable the route on Cloudflare's side is simple look at the proxy options page at
Version 1.2.1.1 Fix for some settings being shown with inverted values :
Removed stray variable in a tooltip
Fixed issue where setting values considered "good" when disabled would show the opposite value for their setting (things like
Version 1.2.2 Some minor fixes :
Handling of Access policy creation when some admins have no email address.
Better handling of favicons when using unfurl proxy and destination is using relative favicons.
Version 1.2.2.1 Better handling of situation where site's domain isn't a zone already defined in Cloudflare
Minor update...
Give human-readable error when the domain/zone does not exist on Cloudflare account when trying to work with it.
Version 1.3.0 Turnstile API integration :
This adds some functionality to Cloudflare's Turnstile captcha option added to XenForo 2.2.12.
IMPORTANT for existing users : The new Turnstile functions require a new permission for the API Token you use. You can go to your Cloudflare API Tokens, edit the token you have and add the
One-click Turnstile site creation
You can automatically set up Turnstile for your site without going to Cloudflare's site with a "Setup in Cloudflare" button :
Buttons for direct links to
Once Turnstile is setup for your site, you will get new Settings and Analytics buttons that give you direct links to manage/report on your Turnstile site within Cloudflare.
Version 1.5.1 Some minor things :
Version 1.5.2 Minor update/bug fixes :
Version 1.5.3 R2 & guest caching stuff :
Version 1.5.4 Fixes, code abstracting, new features
- Fixed issue where the "Registration & contact forms are an overlay" option wouldn't always work
- Fixed issue with guest page caching where the first request made after a browser restart would return a cached page vs. logged in user
- Added support for config of R2 for XFMG via UI (it was possible before, but only through config.php edit)
- Internally caching Cloudflare zone ID (less API requests needed and faster for the requests we are making)
- Automatically reset cached zone ID cache if it's invalid (if site's domain changes for example)
- If using guest page caching, the cache for the first 2 and last 2 pages in a thread is purged when a post in the thread is added, edited or deleted (doing first 2 and last 2 helps with threads that have hundreds or thousands of pages so they don't run into API problems with so many individual page purge requests)
- Fixed issue with creating new admin access policies (change to Cloudflare API required an API parameter update)
- Removed usage/dependency on Stripe's UUID generator
- Fixed issue with country blocking firewall rule where sometimes the first country selected wouldn't show as selected when going back to edit.
Version 1.5.4.1 Bug fix : Fixed issue with method compatibility on some versions of PHP
Version 1.5.4.2 Take into account a lot of "what ifs" :
- Don't assume R2 bucket still exists when getting usage stats for buckets (in case someone deleted the bucket they are currently using)
- Fixed issue when trying to configure R2 for the first time, but Cloudflare account does not have R2 enabled yet
- Added sanity check for external data URL option in case addon somehow got partially (but not fully) installed
- If using guest page caching and purge cache API call fails when a new post is created, edited or deleted, fail silently
- Automatically remove cached account ID if it's invalid (Cloudflare account changed for site)
- Don't assume template method is callable (fixes issue where XenForo addon installation process would give a temporary error when template modifications were enabled but class extensions are not yet)
Version 1.5.5 "Easy config" option and some additional handling of some "what ifs"
- Added "Easy config" button to settings page to automatically optimize some settings for XenForo (currently it sets 22 Cloudflare settings in one go that work well for XenForo)
- Don't use getContentUrl() method since it's only in XenForo 2.2
- Force path and type keys when getting Metadata via R2 API
- Better handling of non-existent R2 objects trying to be read by internal processes (throw FileNotFoundException)
Version 1.5.5.1 Fix for XenForo's class autoload variation :
- Not sure why this is the case, but it seems XenForo's class autoloading system works slightly differently when in the context of auto-run jobs (within job.php). Oddly, changing the order of PHP classes within 3 files seems to have solved it (and allows the autoloader to properly "see" the classes either way).
- Fixes a problem where a class couldn't be found if it was running as a cron job (a scheduled task to delete a firewall)
Version 1.5.5.2 Fix for media uploads :
- Hate pushing quick versions out (sorry)... but a necessary fix for media uploads which are handled slightly differently than other uploaded content (like avatars and attachments).
Version 1.5.6 API updates and other things :
IMPORTANT for existing users: A change to Crawler Hint API calls requires a new API permission to be able to set it. You can go to your Cloudflare API Tokens, edit the token you have and add the following permissions:
Version 1.5.7 Efficiency update related to R2 :
- Removed repository dependency within R2 adapter
- When checking if a file exists on R2, only fall back to checking if it's a "directory" if there's no file extension in the path (less class A operations).
Version 1.6.0 Code unification and feature parity with WordPress version :
- Selecting Global API keys are disabled (can't setup new ones going forward). Includes deprecation notice (going away completely in the future, so migrate to API tokens if you are still using Global API keys!).
- Unify primary classes so they can be shared without changes with WordPress version of this addon
- If you don't already have a Cloudflare API token, the link to create one will pre-define the required permissions for you (way less annoying for new users)
- Updated deep links inside cloudflare.com for Firewall events to reflect the new endpoint
- Look back 7 days instead of 1 day to find account-level usage records for buckets
- unfurl and image proxy Workers will use default language for site when they are setup
- Changed URL where you set Worker subdomain and made it a property for easier changes in the future (Cloudflare changed it in their dashboard)
- Make external URL include protocol (https
rather than relative URLs (R2 subdomains always have valid SSL certificates, so no reason to serve up content insecurely even if the site isn't using HTTPS)
- Automatic retry (once) if API/R2 calls return HTTP 499 response (same way we handle server-side [5xx errors])
- Change verbiage on R2 operation log to be more clear about billable events
- Don't hardcode dash.cloudflare.com prefix in admin:cloudflare_r2 template
- Fix Zero round trip phrase being title case
- Add direct link for setup of Zero Trust Access authentication method
- Added new pre-set Cache Rule option to force caching of static content
- Firewall rules can be toggled on/off
- User agent rules can be toggled on/off
- Page rules can be toggled on/off
- Cache rules can be toggled on/off
- Cloudflare analytics shown on admin index
Version 1.6.1 DMARC mangement and some minor things
- Consolidated buttons for new firewall rules into a menu
- Consolidated buttons for new cache rules into a menu
- Stop click propagation when clicking on link to Cloudflare in stats block header (prevents block from hiding/showing when you are just trying to go to - Cloudflare dashboard)
- Viewing statistics block on main admin page requires admin permission viewAnalytics (not the permission for managing cloudflare) and block is hidden if the user doesn't have the necessary permission
- Added check to avoid division by zero errors in a case where Cloudflare reports an impossible scenario (cached traffic for a time period, but total traffic for that same time period is 0)
- New option: Show Cloudflare statistics
- Added DMARC management section. Ability to monitor emails being sent by third parties (includes week/month chart as well as table of unapproved sources sending emails)
- Fixed some text not being phrased in the stats block
Version 1.6.2 Daily stats and some minor fixes/changes
IMPORTANT for existing users: A change to Firewall API calls requires a new API permission to be able to set it. You can go to your Cloudflare API Tokens, edit the token you have and add the following permissions :
The Firewall API has been deprecated and turned into a Ruleset API, so no way around the new permission (sorry).
Changes :
Version 1.6.2.1 Minor bug fixes :
- Better handling of situation where someone deleted R2 bucket in Cloudflare's dashboard but didn't disconnect that bucket from being used by XenForo yet.
- Fixed issue where we were assuming there was a firewall ruleset for firewall rules (not always the case, so don't assume it exists).
- Fixed issue with logging daily stats if a site isn't using Turnstile for CAPTCHAs
- Requires XF 2.1.0+ (always was the case technically, installer enforces it now)
Version 1.6.3 Added some sanity checks :
- Better handling of stats rebuilding when rebuilding all stats for the site (from cache rebuild)
- Check if Cloudflare account ID is missing when generating R2 bucket URL and add a server error log if that's the case (if an API token has insufficient permissions, you could end up with a missing account ID, which would in turn make R2 functions not work).
- Backup option works properly again with Firewall rules (forgot to convert that to the new Ruleset API that the firewall uses
- Added check to make sure none of the Cloudflare daily stats are somehow giving a negative number
Version 1.6.3.1 Better handling for some rare scenarios :
- Added check to make sure the site's hostname has at least one dot in it when determining Cloudflare zone ID (things like "localhost" are not valid Cloudflare zones)
- Fetch up to 1,000 R2 buckets per account with API call instead of the default of 20
- If API permissions get revoked on accident, don't throw exception about it on main admin index (admin index won't break if API permissions went away for some reason)
Version 1.6.4 A couple minor changes :
Version 1.6.5 Ability to create firewall rule for ASNs :
Version 1.6.6 Mostly optimizations :
Version 1.7.0 Ability to do edge caching of media attachments :
IMPORTANT for existing users: New functionality requires 2 additional API permissions in order to use the new functions. You can go to your Cloudflare API Tokens, edit the token you have and add the following permissions:
Changes:
Version 1.7.0.1 Fix when enabling guest page caching :
- Fix for issue when trying to enable guest page caching (ends up in a loop). Only needed if you don't have guest page caching enabled and you want to enable it.
Version 1.7.1 R2 efficiency things...
As an example, if you have a 10MB attachment, your server first needs to download 10MB and then it sends that 10MB to the end user (so there's the time it takes to download the attachment from R2 and as well as 20MB total bandwidth happening on your server... 10MB in, then 10MB out). With presigned URLs, your server does the permission check and then if the user has permission to view the attachment, the user is redirected to a unique URL that expires in 60 seconds to fetch the attachment. This means attachments are viewed faster for end-users and your server isn't wasting bandwidth passing it through to the user.
Presigned URLs that expire and can't be changed by users is done with cryptographic signing (hence the name, presigned URLs).
Version 1.7.2 Housekeeping :
Version 1.7.3 Rewrote JavaScript to be native (not use jQuery), utilize Sec-Fetch-Site HTTP header, etc. :
IMPORTANT for existing users: New functionality requires 1 additional API permissions in order to use the new function. You can go to your Cloudflare API Tokens, edit the token you have and add the following permission:
Was going down the path of trying to do a synchronous AJAX request in native JavaScript (rewriting for XF 2.3) and then trying to handle a bunch of one-off situations where XenForo is injecting CSRF tokens into certain GET requests because they are using GET to mutate user state for some reason... just was getting too kludgey and cumbersome. And since CSRF isn't really needed anymroe these days, I decided to take the cleaner/simpler route (which will also make sites faster). Just use Sec-Fetch-Site instead of CSRF... problem solved.
Version 1.7.4 Support for Cloudflare Fonts :
Version 1.7.5 Fix for API change :
- Cloudflare changed API results for bot management, but only for paid plans. This addresses that.
Version 1.7.5.1 Handling of unexpected API schema changes :
- Better handling of unexpected Cloudflare API changes.
Version 1.7.6 More bot management API updates :
Version 1.7.6.1 Fix for Cloudflare changing the option ID for Cloudflare Fonts :
Version 1.7.7 Better handling of unexpected Cloudflare API errors/problems :
Version 1.8.4.1 Mostly more 2.3 compatibility changes :
Version 1.8.5 Ability to block AI crawlers/scrapers :
Version 1.8.6 Minor update :
Version 1.8.7 Minor/API update :
Version 1.8.8 Added new Cloudflare settings :
Version 1.9.0.1 Fix for sites using MEMORY table for xf_session_activity :
Yuck... sorry. This fixes it.
Features
Everything is available from within XenForo (you do not need to go to Cloudflare for things) via the Cloudflare API. This allows you give admins permission to do certain things (for example block IP addresses within Cloudflare without giving them access to your Cloudflare account).
It simplifies/automates much of the configuration and usage of Cloudflare with XenForo.
- Manage all Cloudflare settings/options for your zone.
- Ability to purge Cloudflare cache.
- Cloudflare Firewall support
- You can automatically create firewall filters to block access to XenForo internal directories that are not intended to be accessed via web browser (
internal_dataandsrc). You can also delete any firewall filter. - Create/delete Firewall user agent rules.
- Create/delete Firewall IP address rules. Includes the ability to optionally expire the rule in the future (for example maybe you want to block a class C for 7 days, or you want to force a challenge to a specific IP for 30 days).
- Manage country-level traffic blocking (includes Tor exit nodes).
- You can automatically create firewall filters to block access to XenForo internal directories that are not intended to be accessed via web browser (
- Cloudflare Access support
- You can automatically create Access policies to allow only admins the ability to access the
installandadmin.phpURLs. You can also delete any existing Access policy.
- You can automatically create Access policies to allow only admins the ability to access the
- Cloudflare Page Rule support
- You can automatically create a Page Rule that will instruct Cloudflare to cache XenForo CSS files (normally they are not cached because Cloudflare caches based on file extension, and XenForo's CSS system has .php extension).
- You can automatically create a Page Rule that will instruct Cloudflare to cache images served through XenForo's image proxy (similar to XenForo's CSS, Cloudflare normally does not cache them because the image proxy uses .php extension).
- Supports both Global API key and API tokens. API tokens allow the minimum required permissions and can span multiple zones (you could use the same API token across multiple XenForo installations/domains without giving any unnecessary permissions).
- Moderators that have the ability to spam clean and view user's IPs get an extra option in the spam cleaner where they can temporarily ban the IP address(es) the spammer used in the last 30 days. The number of days to ban is an option you can set in the admin area (it defaults to 7 days).
- Ability to backup and restore certain Cloudflare configuration (Access Apps, Firewall Rules, Firewall IP Access Rules, Firewall User Agent Blocking, Page Rules).
- You can restore backups to a different zone (for example if you had extensive configuration for a zone, you could give another zone the same configuration through a backup restore).
- Restoring a backup does not delete existing configurations (you are able to merge configuration into an existing config).
- Cloudflare configuration is protected by a new admin permission,
Manage Cloudflare.
Version 1.0.0.1 Fixes issue with downloading Cloudflare backup :
Fixed issue where generation of Cloudflare backup would try to use zone-level permissions for Access instead of account-level.
Version 1.0.0.2 Fixes issue where Argo Tiered Cache setting couldn't be toggled :
Fixed issue where changed to Argo Tiered Cache setting wouldn't update via API.
Version 1.0.0.3 Fixes issue where Argo Tiered Cache setting couldn't be toggled, take 2 :
Fixed issue where changes to Argo Tiered Cache setting wouldn't update via API (for real this time).
Version 1.0.1 Adds option to block IPs via a spam clean when used from user approval queue :
New option under Options -> External service providers -> Block IP addresses on spam clean from user approval queue (it's off by default, so you will need to enable it if you want to use it).
Added additional info for cases where there's an exception making request to Cloudflare's API, but without an actual error received from the API.
Version 1.0.1.1 Fix for very old versions of PHP : Compatibility with very old (end-of-lifed for years) versions of PHP
Version 1.1.0 Adds ability to use Cloudflare Worker for XenForo image proxy :
- Ability to use a Cloudflare Worker as a backend image proxy to hide the origin server's IP address when XenForo's image proxy fetches the image
- Some minor cosmetic tweaks to Cloudflare lists of things in admin area
Account.Workers Scripts: Edit permission.This gives you an easy/fast/reliable/free way to hide your server's origin IP from someone trying to get it for malicious purposes.
Version 1.1.1 Adds ability to block automated spam registrations
New User registration option: Registration form is an overlay
Added ability to auto-configure Cloudflare firewall filter rule to force new registrations to go through managed challenge (helps mitigate automated spam registrations)
Adds 24 solve rate metrics for firewall filter rules (needs new "Zone.Analytics: Read" permission)
IMPORTANT for existing users : The new solve rate metric requires a new permission for the API Token you use. You can go to your Cloudflare API Tokens, edit the token you have and add the
Zone.Analytics: Read permission.Version 1.2.0 Adds ability to force a challenge for contact form and use Cloudflare Worker as unfurl proxy
The option to
Force registration challenge added in version 1.1.1 has been extended to optionally apply to the contact form as well. If you already created the managed challenge for registrations you can click the option again to toggle on/off the contact form option (it will update the existing rule).Using Cloudflare Workers as an image proxy was added in version 1.1.0. Now you can also use Cloudflare Workers as an unfurl proxy to further hide the origin server's IP address.
Version 1.2.1 Fix for issue with Cloudflare Worker unfurl proxy not getting it's route enabled
Support for new Cloudflare setting:
Network -> HTTP/2 to OriginFixed an issue where the Cloudflare Worker for unfurl proxying would not have it's route enabled
Not particularly keen on putting out a followup release so quick, however there is an issue where the Cloudflare Worker for unfurl proxying would not have it's route enabled (and wouldn't work since there was no route).
If you've already enabled the unfurl proxy, all you need to do to enable the route on Cloudflare's side is simple look at the proxy options page at
admin.php?cloudflare/proxy. The act of viewing that page does a sanity check for the Workers to make sure they have a valid route, and if one doesn't, it enables the default route.Version 1.2.1.1 Fix for some settings being shown with inverted values :
Removed stray variable in a tooltip
Fixed issue where setting values considered "good" when disabled would show the opposite value for their setting (things like
Development Mode and Rocket Loader which are considered "good" when disabled)Version 1.2.2 Some minor fixes :
Handling of Access policy creation when some admins have no email address.
Better handling of favicons when using unfurl proxy and destination is using relative favicons.
Version 1.2.2.1 Better handling of situation where site's domain isn't a zone already defined in Cloudflare
Minor update...
Give human-readable error when the domain/zone does not exist on Cloudflare account when trying to work with it.
Version 1.3.0 Turnstile API integration :
This adds some functionality to Cloudflare's Turnstile captcha option added to XenForo 2.2.12.
IMPORTANT for existing users : The new Turnstile functions require a new permission for the API Token you use. You can go to your Cloudflare API Tokens, edit the token you have and add the
Account.Turnstile: Edit permission.One-click Turnstile site creation
You can automatically set up Turnstile for your site without going to Cloudflare's site with a "Setup in Cloudflare" button :
Buttons for direct links to
Settings and AnalyticsOnce Turnstile is setup for your site, you will get new Settings and Analytics buttons that give you direct links to manage/report on your Turnstile site within Cloudflare.
Version 1.4.0 Big update, including support for R2 :
IMPORTANT for existing users: The new R2 functions and control of new settings require some new permissions for the API Token you use. You can go to your Cloudflare API Tokens, edit the token you have and add the following permissions:
You should have a total of 14 permissions for your API token at this point. If you don't have 14, you can check what you should have under XF Admin -> Options -> External service providers -> Cloudflare authentication
General
What is R2? R2 is a cloud object storage system. This add-on allows you to store things like avatars and attachments in the cloud rather than your server. The cost to use R2 is extremely reasonable... the first 10GB of storage is free, each GB after 10GB is $0.015 per month. For example, if you had 100GB of attachments and avatars you wanted to store in R2, the cost would would be $1.35 per month.
I've built a CLI tool to migrate data from one file system to another (for example you could go from local storage to R2 with it), however it needs to work within the limitations of XenForo and Flysystem. Which means, if you need to move more than a few GB worth of files, you are going to be better off using a free utility like rclone to do it.
IMPORTANT for existing users: The new R2 functions and control of new settings require some new permissions for the API Token you use. You can go to your Cloudflare API Tokens, edit the token you have and add the following permissions:
[LIST][*]Account.Account Analytics: Read[*]Account.Workers R2 Storage: Edit[*]Zone.Bot Management: Edit[*]Zone.Cache Rules: Edit[/LIST]You should have a total of 14 permissions for your API token at this point. If you don't have 14, you can check what you should have under XF Admin -> Options -> External service providers -> Cloudflare authentication
General
- Fixed issue with compatibility with old versions of PHP.
- Requires PHP 7.0 or higher (just getting too annoying/difficult to maintain backward compatibility with very old versions of PHP on old versions of XenForo).
- New Cloudflare setting: Network error logging
- Bot Fight Mode, Automatic Signed Exchanges (SXGs) & AMP Real URL settings can be used with API tokens now (before you had to use Global API keys to access those settings).
- Added note about changing Worker subdomain.
- New option for country blocking allows blocking to apply to entire site or just registration.
- Make it so XenForo's FsMount class can disable asserts on a per-adapter basis (makes filesystem faster and cuts R2 API calls in half because we don't need to explicitly check if an object exists before we try to get it).
- Changed verbiage reflect Cloudflare's change of "firewall filter rules" to simply "firewall rules".
- Cloudflare API calls that return a server error code (5xx) will transparently retry once before giving up.
- R2 support (yay!)
- R2 requires use of an API token (can't use Global API key, no way around that).
- Internally caching Cloudflare account ID, so we don't need to make API call to get it over and over (account ID normally never changes).
- Internally caching API token ID (required for R2 usage).
- New CLI command to migrate data between two different abstracted filesystems: php cmd.php dp:migrate-data [--new-to-old] [--processes=PROCESSES] [--start-at-path=START-AT-PATH] [--location=LOCATION] [--path=PATH]
- Can see R2 storage/usage for Cloudflare account as a whole (in footer of R2 admin area).
- Can see recent R2 logs (for individual buckets as well as Cloudflare account-level).
What is R2? R2 is a cloud object storage system. This add-on allows you to store things like avatars and attachments in the cloud rather than your server. The cost to use R2 is extremely reasonable... the first 10GB of storage is free, each GB after 10GB is $0.015 per month. For example, if you had 100GB of attachments and avatars you wanted to store in R2, the cost would would be $1.35 per month.
I've built a CLI tool to migrate data from one file system to another (for example you could go from local storage to R2 with it), however it needs to work within the limitations of XenForo and Flysystem. Which means, if you need to move more than a few GB worth of files, you are going to be better off using a free utility like rclone to do it.
Version 1.5.1 Some minor things :
- Made some minor changes to the logic of when to serve cached pages or not (Guest page caching)
- If a session is empty (like when a user logs out), go ahead and fully expunge it
- Made some changes to R2 adapter so it could be configured for extra directories via config.php
- Added some code to work around XenForo not updating CSRF token in URLs (this bug report)
Version 1.5.2 Minor update/bug fixes :
- More tuning of logic for when to do guest page caching
- Made change so other addons that are also extending the filesystem mount class are able to do so with backward compatibility
- Fixed cosmetic issue with overflow of R2 logs in overlay window
- Prevent users from using the same bucket for public and private areas (prevent users from exposing internal-data as a public bucket)
- Added note about style, language and advanced cookie consent in XF 2.2.12+ to known limitations for guest page caching
Version 1.5.3 R2 & guest caching stuff :
- Fixed issue where the function to add public subdomain and Cache Rule to an existing R2 bucket wouldn't work
- Removed dependency on third-party library to get list of countries for firewall blocking
- Changed how guest page caching updates tokens in GET request URLs
- Only cache guest pages if the visitor is using the default language and style
Version 1.5.4 Fixes, code abstracting, new features
- Fixed issue where the "Registration & contact forms are an overlay" option wouldn't always work
- Fixed issue with guest page caching where the first request made after a browser restart would return a cached page vs. logged in user
- Added support for config of R2 for XFMG via UI (it was possible before, but only through config.php edit)
- Internally caching Cloudflare zone ID (less API requests needed and faster for the requests we are making)
- Automatically reset cached zone ID cache if it's invalid (if site's domain changes for example)
- If using guest page caching, the cache for the first 2 and last 2 pages in a thread is purged when a post in the thread is added, edited or deleted (doing first 2 and last 2 helps with threads that have hundreds or thousands of pages so they don't run into API problems with so many individual page purge requests)
- Fixed issue with creating new admin access policies (change to Cloudflare API required an API parameter update)
- Removed usage/dependency on Stripe's UUID generator
- Fixed issue with country blocking firewall rule where sometimes the first country selected wouldn't show as selected when going back to edit.
Version 1.5.4.1 Bug fix : Fixed issue with method compatibility on some versions of PHP
Version 1.5.4.2 Take into account a lot of "what ifs" :
- Don't assume R2 bucket still exists when getting usage stats for buckets (in case someone deleted the bucket they are currently using)
- Fixed issue when trying to configure R2 for the first time, but Cloudflare account does not have R2 enabled yet
- Added sanity check for external data URL option in case addon somehow got partially (but not fully) installed
- If using guest page caching and purge cache API call fails when a new post is created, edited or deleted, fail silently
- Automatically remove cached account ID if it's invalid (Cloudflare account changed for site)
- Don't assume template method is callable (fixes issue where XenForo addon installation process would give a temporary error when template modifications were enabled but class extensions are not yet)
Version 1.5.5 "Easy config" option and some additional handling of some "what ifs"
- Added "Easy config" button to settings page to automatically optimize some settings for XenForo (currently it sets 22 Cloudflare settings in one go that work well for XenForo)
- Don't use getContentUrl() method since it's only in XenForo 2.2
- Force path and type keys when getting Metadata via R2 API
- Better handling of non-existent R2 objects trying to be read by internal processes (throw FileNotFoundException)
Version 1.5.5.1 Fix for XenForo's class autoload variation :
- Not sure why this is the case, but it seems XenForo's class autoloading system works slightly differently when in the context of auto-run jobs (within job.php). Oddly, changing the order of PHP classes within 3 files seems to have solved it (and allows the autoloader to properly "see" the classes either way).
- Fixes a problem where a class couldn't be found if it was running as a cron job (a scheduled task to delete a firewall)
Version 1.5.5.2 Fix for media uploads :
- Hate pushing quick versions out (sorry)... but a necessary fix for media uploads which are handled slightly differently than other uploaded content (like avatars and attachments).
Version 1.5.6 API updates and other things :
IMPORTANT for existing users: A change to Crawler Hint API calls requires a new API permission to be able to set it. You can go to your Cloudflare API Tokens, edit the token you have and add the following permissions:
Zone.Zone: Edit
- Fix for change to Crawler Hint API calls (needed to change Crawler Hints setting)
- Updated parameters for Network error logging when doing "Easy config"
- Normalize path when getting a list of multiple objects
- Add support for getting listings of directories inside buckets in R2 adapter (a little tricky because R2 it not a file system in the traditional sense as there are no actual directories). Should make it so exporting styles with attached assets should work if those assets are stored in R2.
Version 1.5.7 Efficiency update related to R2 :
- Removed repository dependency within R2 adapter
- When checking if a file exists on R2, only fall back to checking if it's a "directory" if there's no file extension in the path (less class A operations).
Version 1.6.0 Code unification and feature parity with WordPress version :
- Selecting Global API keys are disabled (can't setup new ones going forward). Includes deprecation notice (going away completely in the future, so migrate to API tokens if you are still using Global API keys!).
- Unify primary classes so they can be shared without changes with WordPress version of this addon
- If you don't already have a Cloudflare API token, the link to create one will pre-define the required permissions for you (way less annoying for new users)
- Updated deep links inside cloudflare.com for Firewall events to reflect the new endpoint
- Look back 7 days instead of 1 day to find account-level usage records for buckets
- unfurl and image proxy Workers will use default language for site when they are setup
- Changed URL where you set Worker subdomain and made it a property for easier changes in the future (Cloudflare changed it in their dashboard)
- Make external URL include protocol (https
rather than relative URLs (R2 subdomains always have valid SSL certificates, so no reason to serve up content insecurely even if the site isn't using HTTPS)- Automatic retry (once) if API/R2 calls return HTTP 499 response (same way we handle server-side [5xx errors])
- Change verbiage on R2 operation log to be more clear about billable events
- Don't hardcode dash.cloudflare.com prefix in admin:cloudflare_r2 template
- Fix Zero round trip phrase being title case
- Add direct link for setup of Zero Trust Access authentication method
- Added new pre-set Cache Rule option to force caching of static content
- Firewall rules can be toggled on/off
- User agent rules can be toggled on/off
- Page rules can be toggled on/off
- Cache rules can be toggled on/off
- Cloudflare analytics shown on admin index
Version 1.6.1 DMARC mangement and some minor things
- Consolidated buttons for new firewall rules into a menu
- Consolidated buttons for new cache rules into a menu
- Stop click propagation when clicking on link to Cloudflare in stats block header (prevents block from hiding/showing when you are just trying to go to - Cloudflare dashboard)
- Viewing statistics block on main admin page requires admin permission viewAnalytics (not the permission for managing cloudflare) and block is hidden if the user doesn't have the necessary permission
- Added check to avoid division by zero errors in a case where Cloudflare reports an impossible scenario (cached traffic for a time period, but total traffic for that same time period is 0)
- New option: Show Cloudflare statistics
- Added DMARC management section. Ability to monitor emails being sent by third parties (includes week/month chart as well as table of unapproved sources sending emails)
- Fixed some text not being phrased in the stats block
Version 1.6.2 Daily stats and some minor fixes/changes
IMPORTANT for existing users: A change to Firewall API calls requires a new API permission to be able to set it. You can go to your Cloudflare API Tokens, edit the token you have and add the following permissions :
Zone.Zone WAF: EditThe Firewall API has been deprecated and turned into a Ruleset API, so no way around the new permission (sorry).
Changes :
- Fixed missing padding on timeframe selector on DMARC management page
- Added missing phrase
missing_cloudflare_authentication_info - If there is no Cloudflare authentication token set (new install normally), don't try to show the stats block
- Fixed issue where deeplink generated for DMARC management would include sub-domain of site rather than just the domain/zone.
- Links for Turnstile settings and analytics work again (Cloudflare made an unannounced changed to API, so conforming to new API schema)
- Fixed reversed label on DMARC chart
- Fixed issue with approved DMARC sources showing in the unapproved sources report
- Fixed sorting issue on DMARC sources report
- Made internals of Country blocking case-insensitive for country codes
- Migrated Firewall API calls to new Ruleset API
- New Cloudflare daily stats (in XenForo's normal statistics area):
- Unique visitors
- Requests
- Data served
- Data cached
- Threats
- Turnstile challenges
- Turnstile interactive solves
- Turnstile non-interactive solves
- Turnstile unsolved
- R2 class A operations
- R2 class B operations
Version 1.6.2.1 Minor bug fixes :
- Better handling of situation where someone deleted R2 bucket in Cloudflare's dashboard but didn't disconnect that bucket from being used by XenForo yet.
- Fixed issue where we were assuming there was a firewall ruleset for firewall rules (not always the case, so don't assume it exists).
- Fixed issue with logging daily stats if a site isn't using Turnstile for CAPTCHAs
- Requires XF 2.1.0+ (always was the case technically, installer enforces it now)
Version 1.6.3 Added some sanity checks :
- Better handling of stats rebuilding when rebuilding all stats for the site (from cache rebuild)
- Check if Cloudflare account ID is missing when generating R2 bucket URL and add a server error log if that's the case (if an API token has insufficient permissions, you could end up with a missing account ID, which would in turn make R2 functions not work).
- Backup option works properly again with Firewall rules (forgot to convert that to the new Ruleset API that the firewall uses
- Added check to make sure none of the Cloudflare daily stats are somehow giving a negative number
Version 1.6.3.1 Better handling for some rare scenarios :
- Added check to make sure the site's hostname has at least one dot in it when determining Cloudflare zone ID (things like "localhost" are not valid Cloudflare zones)
- Fetch up to 1,000 R2 buckets per account with API call instead of the default of 20
- If API permissions get revoked on accident, don't throw exception about it on main admin index (admin index won't break if API permissions went away for some reason)
Version 1.6.4 A couple minor changes :
- Guest page caching will work properly when a page immediately fires an AJAX request
- Don't try to purge Cloudflare's cache when using guest page caching and an orphaned post is being deleted (when a post is assigned to a thread that doesn't exist)
- Don't include all Zero Trust Access rules in backup (only include rules for your zone/domain)
- Cache Rules included in backup/restore process
Version 1.6.5 Ability to create firewall rule for ASNs :
- Fixed issue with creating Turnstile site via API (Cloudflare updated schema for API call)
- Added ASN support when creating IP address rules
- Cache Cloudflare zone/domain (makes it so an API call is not necessary on the admin index page to build deeplink to your zone in your Cloudflare account)
Version 1.6.6 Mostly optimizations :
- Fixed issue where you would get a
Call to a member function getBody() on arrayexception instead of the intended HTTP response if an API call failed twice (it automatically does a retry if it failed once) - When using guest page caching, decouple the purge cache mechanism from the http request (the purge cache action is sent to XenForo's job system)
- Show egress bandwidth when hovering over R2 class A or class B operation stats
- Reorganized settings to align with Cloudflare's recent dashboard changes
- Remove authentication option for Global API Keys (only allow API Tokens going forward)
Version 1.7.0 Ability to do edge caching of media attachments :
IMPORTANT for existing users: New functionality requires 2 additional API permissions in order to use the new functions. You can go to your Cloudflare API Tokens, edit the token you have and add the following permissions:
Account.Allow Request Tracer: ReadAccount.Intel: Read
Changes:
- Added ability to cache media attachments (both normal attachments and XF Media Gallery uploads) at network edge (images, video and audio attachments can be cached in Cloudflare data centers)
- Reorganized admin navigation (Cloudflare functions consolidated into a new Cloudflare section)
- Switched order of Network and Scrape Shield settings
- Added descriptions for each Cloudflare setting
- New option:
Purge cache when post is created or deleted - New Cloudflare Tools section:
- HTTP request trace
- IP address details
- Domain details
- WHOIS
Version 1.7.0.1 Fix when enabling guest page caching :
- Fix for issue when trying to enable guest page caching (ends up in a loop). Only needed if you don't have guest page caching enabled and you want to enable it.
Version 1.7.1 R2 efficiency things...
- Can use R2 for storage without site being a domain/zone in Cloudflare
- Made change to XenForo's attachment data entity to be more efficient (normally XenForo checks if an attachment exists before making an additional call to actually get it). This will reduce an API call for every attachment view because we don't need to check if the attachment exists (we know it does already because we have a record of it in attachment data).
- Added new option: Use presigned URLs for attachments stored in R2 (allows attachments stored in R2 to be viewed directly by the user, rather than you server needing to download the attachment to pass it through to the user)
As an example, if you have a 10MB attachment, your server first needs to download 10MB and then it sends that 10MB to the end user (so there's the time it takes to download the attachment from R2 and as well as 20MB total bandwidth happening on your server... 10MB in, then 10MB out). With presigned URLs, your server does the permission check and then if the user has permission to view the attachment, the user is redirected to a unique URL that expires in 60 seconds to fetch the attachment. This means attachments are viewed faster for end-users and your server isn't wasting bandwidth passing it through to the user.
Presigned URLs that expire and can't be changed by users is done with cryptographic signing (hence the name, presigned URLs).
Version 1.7.2 Housekeeping :
- Moved Cloudflare options from
External service providersto their own Options page - New option (advanced): Show attachment data errors in server error log
- Add sanity check when using R2 with presigned URLs and users are allowed to upload audio/video media
Version 1.7.3 Rewrote JavaScript to be native (not use jQuery), utilize Sec-Fetch-Site HTTP header, etc. :
IMPORTANT for existing users: New functionality requires 1 additional API permissions in order to use the new function. You can go to your Cloudflare API Tokens, edit the token you have and add the following permission:
Account.Billing: Read
- Added sanity check to make sure attachment data exists when using presigned URLs for R2 attachments (helpful in certain cases when using XFMG).
- Added ability to use Token Authentication system for attachments stored in R2 (needs new permission... see above). This only works for zones that are not on the Free tier (which is why the billion permission is needed to check if the zone is on a paid plan or not).
- Update Chart.js to v4.4.0
- All JavaScript has been rewritten to be "native" (does not use jQuery) in preparation for removal of jQuery in XenForo 2.3.
- When using guest page caching, no longer try to fetch a new CSRF token for the user with a quick synchronous AJAX request (using Sec-Fetch-Site HTTP request header [a more modern replacement for CSRF tokens])
Sec-Fetch-Site HTTP request header which is more or less supported by all browsers now (CSRF tokens aren't really needed anymore).Was going down the path of trying to do a synchronous AJAX request in native JavaScript (rewriting for XF 2.3) and then trying to handle a bunch of one-off situations where XenForo is injecting CSRF tokens into certain GET requests because they are using GET to mutate user state for some reason... just was getting too kludgey and cumbersome. And since CSRF isn't really needed anymroe these days, I decided to take the cleaner/simpler route (which will also make sites faster). Just use Sec-Fetch-Site instead of CSRF... problem solved.
Version 1.7.4 Support for Cloudflare Fonts :
- Added support for new Cloudflare setting: Speed -> Optimization -> Content Optimization -> Cloudflare Fonts
- When using "Easy config", set "Security level" to "Essentially off" (was set to "Medium" before)
- Easy config enables Cloudflare Fonts
Version 1.7.5 Fix for API change :
- Cloudflare changed API results for bot management, but only for paid plans. This addresses that.
Version 1.7.5.1 Handling of unexpected API schema changes :
- Better handling of unexpected Cloudflare API changes.
Version 1.7.6 More bot management API updates :
- Completely revamped how the bot management API is handled
- Added Super Bot Fight mode settings as controllable options (options enabled/available to be toggled will ultimately depend on what your Cloudflare plan allows):
- Likely Automated
- Definitely Automated
- Verified Bots
- Static Resource Protection
- Optimize For WordPress
- JavaScript Detections
Version 1.7.6.1 Fix for Cloudflare changing the option ID for Cloudflare Fonts :
- The Cloudflare Fonts option ID has changed. This addresses that (it's what I get for giving the ability to toggle options that Cloudflare has deemed "beta"... they are subject to change).
- Added a sanity check so if future option IDs change, it won't throw an error (along with not being able to change them). Instead, that option won't change until the ID is updated.
Version 1.7.7 Better handling of unexpected Cloudflare API errors/problems :
- dded link for info about why each Cloudflare token permission is needed
- Updated deep links into R2 buckets to use new URL endpoint
- Suppress Cloudflare rate limit error when purging URLs from cache when guest page caching is enabled (a very high traffic site could hit API rate limits if there's a zillion posts flowing in at once)
- Better handling of situation where Cloudflare API is down/unavailable
- Cloudflare Workers that are created for the image proxy and unfurl proxy have been rewritten to be ES Modules instead of Service Workers
- Removed "Security -> Privacy Pass Support" setting (it's been deprecated by Cloudflare and is no longer used)
- Presigned URLs forcibly set Content-Type and Content-Disposition HTTP response headers (fixes situation where something like rclone set incorrect content type for the object in the R2 bucket)
- Cloudflare statistics charts on admin dashboard dynamically resize properly when resizing window
- Added ability for individual API calls to ignore multiple error codes instead of just one
- Changed FsMounts::getFsAdapters method name to FsMounts::getDpFsAdapters to avoid naming collision with XFCloud addon (will need to update FileSystem addon as well if you are using it)
- Changed wording of "API tokens & keys" to "API tokens" (no longer allowing global keys, only API tokens)
- Updated charting library (Chart.js) to 4.4.1
- Created workaround for addons being disabled during XenForo upgrades (we need to set the externalDataUrl so that the %ASSET:stylefolder% replacement var works as expected for R2 users when .less templates are compiled). Effectively we are firing our app_setup code event listener even when all addons are disabled during the upgrade process. See this thread.
- Added support for CLI tool to migrate existing data to/from internal_data/xfmg
- Added support for local-data mount point in XenForo 2.3
- Added deprecation notice for Auto-Minify setting
Version 1.8.4.1 Mostly more 2.3 compatibility changes :
- Prevent autocompletion of authentication token (saw a situation where it could be overwritten with an admin's saved password for the site)
- XenForo 2.3 compatibility:
- Fix for template issue when managing country blocking due to XF core change in 2.3 beta 6
- Fix various icons that didn't work in 2.3
- Force 2.3 to allow non-Duotone admin navigation icons
Version 1.8.5 Ability to block AI crawlers/scrapers :
- Removed Brotli compression setting (it's now always on in Cloudflare)
- Removed Minify settings (they have been deprecated and will be removed from Cloudflare soon)
- Removed Server-side Exclude setting (it has been deprecated and will be removed from Cloudflare soon)
- Added option to create Firewall Rule to block AI scrapers & crawlers
- Updated Chart.js library to 4.4.3
Version 1.8.6 Minor update :
- Removed workaround to allow non-Duotone icons in admin navigation for XenForo 2.3 (fixed in XF core)
- Added new Cloudflare setting (under Security): Replace insecure JavaScript libraries
- Changed verbiage to be worded better when setting up API token initially
Version 1.8.7 Minor/API update :
- Fixed issue with deleting a Page Cache rule (change to Cloudflare API)
- Fixed issue with changing Cloudflare settings on XenForo 2.3 (was being done with form submission instead of the intended AJAX request)
- Ignore full stat rebuilds (too many API calls [11 per day], it will be impossibly slow, and you will hit API rate limit very quickly, so it would fail anyway)
Version 1.8.8 Added new Cloudflare settings :
- Added new Cloudflare setting (under Speed): Speed Brain
- Easy Config enables Speed Brain
- Added support for setting
SSL/TLS Encryption ModetoStrict (SSL-only origin pull)(for Enterprise zones) - Added new Cloudflare setting (under SSL/TLS): Encrypted Client Hello
- Added new Cloudflare setting (under Security): Leaked credentials
Version 1.9.0.0 Adds R2 streaming & geo-location functionality :
First of all, this is a big(ish) update...
Large R2 attachments should see the download start much faster for end users (rather than downloading it fully on the server before sending it to user, it's done with streams now). Honestly not sure why I didn't do it that way to begin with, but thanks to @Chris D for pointing out mystupidity oversight. It's still going to be more performant to be using presigned URLs, so the streaming change is only if you aren't using presigned URLs or token authentication for R2 attachments.
The addon now has the ability to pick up Cloudflare geo-location info for users (or more specifically, HTTP requests). This is something I've been doing for a LONG time with internal addons (in vBulletin 3, vBulletin 4, XF1 and XF2). So this was (mostly) just merging an internal addon I already had into this one.
There are a couple new permissions that go along with this to allow user groups to see the country someone posted in a thread/sent a direct message from if you want to allow that.
User group permissions -> Forum permissions -> View country flag on posts
User group permissions -> Direct message permissions -> View country flag on messages
First of all, this is a big(ish) update...
Large R2 attachments should see the download start much faster for end users (rather than downloading it fully on the server before sending it to user, it's done with streams now). Honestly not sure why I didn't do it that way to begin with, but thanks to @Chris D for pointing out my
The addon now has the ability to pick up Cloudflare geo-location info for users (or more specifically, HTTP requests). This is something I've been doing for a LONG time with internal addons (in vBulletin 3, vBulletin 4, XF1 and XF2). So this was (mostly) just merging an internal addon I already had into this one.
- If you want this to be done just at the country-level, make sure you enable the IP Geolocation setting for your Cloudflare domain/zone.
- If you want this to be done at the region-level, make sure you enable the Add visitor location headers option for your Cloudflare domain/zone.
- If you don't want to do this at all, disable the
Log IP address locationssetting under Options -> External service providers.
There are a couple new permissions that go along with this to allow user groups to see the country someone posted in a thread/sent a direct message from if you want to allow that.
User group permissions -> Forum permissions -> View country flag on posts
User group permissions -> Direct message permissions -> View country flag on messages
- Updated charting library (Chart.js) to 4.4.7
- Fixed issue where R2 egress bandwidth info for a bucket was reporting class B operations instead of class A operations
- Updated call for attaching custom domain to R2 bucket (endpoint changed)
- Attachment contents passed to view as a stream, rather than a string
- CLI tool to migrate data will ignore files with a prefix of
local/ - Made change to CLI migration tool so that the multi-process ability is compatible with new version of Symphony (XF 2.3)
- Added new Cloudflare setting (under Security): AI Bots
- Geo-location functionality
- New option: Admin -> Options -> External service providers -> Log IP address locations
- New permission: View country flag on posts
- New permission: View country flag on messages
Yuck... sorry. This fixes it.
![[cv6] Letter Index](https://warforever.com/data/attachments/3/3750-c9b2c41b31409e9ac14be0f63a6e79a5.jpg){kind=small}
![[OzzModz] Style Statistics for XenForo](https://warforever.com/data/attachments/0/835-e88ee28dbde1a9e29276162d17333bcb.jpg){kind=small}
![[xenbros] whatsapp Chat](https://warforever.com/data/attachments/1/1138-ae30d9ddb6d63706e713145b0aad0a29.jpg){kind=small}
