Using CloudFlare with NodeBB

lenovouser

Info: I am doing this small tutorial here to show you guys how to use NodeBB and CloudFlare proxying while still using WebSockets since lots of people seem to look for it. I already posted a small explanation here, but people don't seem to find it / have problems - I added some extra explanation to this so that you can avoid the problems other people had.

NodeBB version: Should work with any, tested with v0.7.x and v0.9.x

So. Basically what we're going to do is routing the WebSocket requests around CloudFlare while keeping the forum itself behind CloudFlare.

Disclaimer:

If you do this your root server is in general open to the public again. If you depend on CloudFlare's DDoS protection this will make it kind of useless. People who know what they are doing will be able to take your forum down quick if your root server has no own DDoS protection. DigitalOcean e.g. has none / I know of people who had their IP's nullrouted when being DDoS'ed at DigitalOcean.

Things you will have to replace in the following code snippets:

<domain.tld> -> your domain (e.g. `nodebb.org`)
<your.crt>   -> the path to your ssl certificate  (e.g. /home/ssl/org.nodebb.crt)
<your.key>   -> the path to your ssl private key (e.g. /home/ssl/org.nodebb.key). This key was generated by yourself when you created your certificate sign request / .csr
<port>       -> your NodeBB port
<0.0.0.0>    -> your IPv4 address
<00:0000:0000:0000:0000:0000:0000:0000>` -> your IPv6 address in case you have one

CloudFlare:

Create these DNS records with grey clouds, which means you disable CF proxying:

A live.<domain.tld> <000.000.000.000>
AAAA live.<domain.tld> <0000:0000:0000:0000:0000:0000:0000:0000>

NodeBB:

We will configure NodeBB to route the WebSocket requests over the subdomain by adding this to our config.json:

"socket.io": {
    "transports": ["websocket", "polling"],
    "address": "live.<domain.tld>"
}

Please make sure you add a comma to the element before "socket.io", otherwise it will be invalid JSON. Also paste the config in the JSON validator just to be sure the whole config is intact.

NGINX:

Get a free SSL certificate from Let's Encrypt or StartCom, and add this new server block to your NGINX configuration:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate <your.crt>;
    ssl_certificate_key <your.key>;
    server_name live.<domain.tld>;
    location / {
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host            $http_host;
        proxy_set_header X-NginX-Proxy   true;
        proxy_set_header Upgrade         $http_upgrade;
        proxy_set_header Connection      "upgrade";
        proxy_redirect                   off;
        proxy_http_version               1.1;
        proxy_pass                       http://localhost:<port>;
    }
}

Make sure that:

your ssl certificate is valid and includes your subdomain live.domain.tld
you have at least 2 server blocks now in your NGINX configuration.

Then run service nginx configtest to validate your new configuration. If it succeeds you can reload NGINX by using service nginx reload

And now you're done. Pretty simple. Hope this helps somebody using NodeBB.

In case something shouldn't be working please provide an error message, your NodeBB config without credentials / secrets and the NGINX server blocks .

? Offline

Awesome tutorial. I can remember this being asked pretty frequently (once every other week) when I first started working with NodeBB.

? Offline

So my takeaway from this is that I can use CloudFlare's CDN functionality and route the websockets (which cannot be used on the CloudFlare free plan) around CF so that any image resources on my site can be served from CloudFlare. Correct?

lenovouser

@ThingBreaker Exactly Only the websockets directly connect to your server. The rest is connecting over CloudFlare.

? Offline

@lenovouser, excellent! That was my first takeaway - but thought I'd get a plain restatement for anyone who reads this and might be newer to working with a CDN.

nanjusoil

This post is deleted!

nanjusoil

@lenovouser
Can you share how you dealt with DDOS?
Thanks

? Offline

@nanjusoil you can always look into web traffic filtering, traffic shaping, and using a DDoS protected host.

harryptx

@nanjusoil I think if you integrated Cloudfare then you can handle DDOS or go with their premium package.

hieudang

Thank you . Currently I'm using Incapsula(they supported websocket in freetier) instead CloudFlare

jarey

@hieudang said:

Thank you . Currently I'm using Incapsula(they supported websocket in freetier) instead CloudFlare

@hieudang umm interesting, maybe you could write a little tutorial using incapsula, tellong a little more what are the advantages over using vloudflare in the free plan and the steps needed to configure their system with nodebb.

? Offline

@hieudang but not TLS/SSL.

hieudang

@jarey

Just add to Incapsula as normal, but I don't run this case in production, only for testing.

@AOKP You require too much on freetie =))

But if you want, you can try crazy scenario

YourNodeBBServer-->Incapsula-->CloudFlare Universal SSL

Still work with my site
You can check here: https://forum.handcode.net

lenovouser

@hieudang Even though this seems to work, it definitely makes no sense to create what you did. Everything is going to CloudFlare anyway in your case. The only difference is that there is one more middleman where CloudFlare get's the data for your website from. There will be no speed improvement if you do this.

hieudang

@lenovouser Offcourse, that's why I only use for testing and I say "crazy".
I emphasize "There ain't no such thing as a free lunch".
Someone want cdn, antiddos, ssl more and more but FREE.
Hell no

? Offline

@hieudang I want none of these, except CloudFlare's caching and minify tools.

lenovouser

@hieudang I understand what you are trying to say, even though CloudFlare does provide all of these 3 things for free. But I don't want to turn this into a Incapsula vs. CloudFlare topic, I think we could create a new one for this in the Discussion category

? Offline

@lenovouser by the way. How would the configs have to look like, if your forum was installed in a folder, e.g. /forum?

lenovouser

@AOKP I can create a more easier to understand tutorial later, but here is how it looks for Minora at the moment. (Which is what I think you mean)

Here are our current config files, just copied it out. I think the needed information is in there, don't worry about the includes. That's just part of our structure.

NGINX: https://git.minora.io/snippets/1
NodeBB: https://git.minora.io/snippets/2

hieudang

@AOKP As far as I know, Incapsula supported caching and minify tools
@all Sorry for off-topic, just for fun
OK, back to topic, how many method can I use CloudFlare with NodeBB?

1. Follow lenovouser , but your IP will not be hidden.

1. Upgrade to Enterprise CloudFlare Plan a lot of money
1. Use middleman as I said, I'm not sure it will work fine. (IP blacklist...)
1. Could you guys split one server to listen socket.io? one will serve others request, so we can hide main IP
1. ???? I'm thinking...