Using CloudFlare with NodeBB



  • @exodo every provider of a proper size is capable of withstanding DDoS attacks.
    Over the past 5 years, I had like 2 DDoS attacks overall, resulting in 0% service interference due to the proper network setup and hardware of the ISP. The longest one took 2 days, by the way.


  • Plugin & Theme Dev

    @AOKP said in Using CloudFlare with NodeBB:

    @exodo every provider of a proper size is capable of withstanding DDoS attacks.
    Over the past 5 years, I had like 2 DDoS attacks overall, resulting in 0% service interference due to the proper network setup and hardware of the ISP. The longest one took 2 days, by the way.

    That would depend on the DDoS attack size. Any provider can go down, and providing your IP will let that attack and future ones go directly to you.



  • And what does CloudFlare do then?
    I mean, sure, it hides my real server IP, but they do the same as my ISP, and to be honest I am afraid that CloudFlare is even worse than that, due to the shared use (the ISP also has shared hardware, but usually there should be fewer servers connected to the systems).

    If you have problems with DDoS attacks, it seems like you should move to a more serious provider.


  • Community Rep

    @AOKP I couldn't agree more. I've always been confused as to what cloudflare's target market is. The only thing I can think of is people that don't know any better. I'm only using them myself because I get so many damn questions about using it.


  • Admin

    @yariplus said in Using CloudFlare with NodeBB:

    The only thing I can think of is people that don't know any better. I'm only using them myself because I get so many damn questions about using it.

    That does make sense. In a sense, CloudFlare sells "uptime-as-a-service" in response to DoS attacks, and if there's a demand for something, there's value in it. I don't see any problem with it.

    You could ask the same questions of nginx' premium service... why bother when you can configure nginx on your own (custom functionality notwithstanding...)... but it definitely is an asset if you'd rather pay them to manage your server infrastructure instead of paying somebody on your own.


  • Plugin & Theme Dev

    Recommendation

    Do NOT use Cloudflare (at least not the free plan) on NodeBB when you have moderate traffic to your forum. Cloudflare seems to silently throttle the traffic, resulting in very strange NodeBB behaviour (for some clients) where they simply cut websockets.

    The throttled client will see a lot of popups: "Looks like your connection to XXX Forum was lost, please wait while we try to reconnect."

    In the nginx error log you will also see lots of:
    2017/01/25 09:56:15 [error] 13909#13909: *799654 upstream timed out (110: Connection timed out) while reading response header from upstream, client: xxxxxxxxxxxx.123, server: forum.mysensors.org, request: "GET /socket.io/?EIO=3&transport=polling&t=xxxxx&sid=xxxxxxxxx HTTP/1.1", upstream: "http://127.0.0.1:4568/socket.io/?EIO=3&transport=polling&t=xxxx&sid=xxxxxxx", host: "forum.mysensors.org", referrer: "https://forum.mysensors.org/topic/702/openhab-mqtt-example/2"

    It has been kind of hellish to find the root cause.
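
An added example, not part of the post above or of NodeBB: a parser for nginx error-log lines of the quoted form that aggregates "upstream timed out" events by socket.io transport, client and upstream node, so that a suspected throttling problem can be measured from the log rather than inferred from reconnect popups. The log lines in the block are constructed to mimic the quoted format; hostnames, addresses and session ids are placeholders.

```javascript
// Added example: parse nginx error-log lines and count upstream timeouts.
// SAMPLE_LOG is constructed; hosts, addresses and ids are placeholders.
const SAMPLE_LOG = [
  '2017/01/25 09:56:15 [error] 13909#13909: *799654 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 203.0.113.10, server: forum.example.org, request: "GET /socket.io/?EIO=3&transport=polling&t=a1&sid=s1 HTTP/1.1", upstream: "http://127.0.0.1:4568/socket.io/?EIO=3&transport=polling&t=a1&sid=s1", host: "forum.example.org", referrer: "https://forum.example.org/topic/1"',
  '2017/01/25 09:56:20 [error] 13909#13909: *799655 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 203.0.113.10, server: forum.example.org, request: "GET /socket.io/?EIO=3&transport=polling&t=a2&sid=s1 HTTP/1.1", upstream: "http://127.0.0.1:4567/socket.io/?EIO=3&transport=polling&t=a2&sid=s1", host: "forum.example.org"',
  '2017/01/25 09:56:31 [error] 13909#13909: *799660 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 198.51.100.7, server: forum.example.org, request: "GET /socket.io/?EIO=3&transport=polling&t=b1&sid=s2 HTTP/1.1", upstream: "http://127.0.0.1:4568/socket.io/?EIO=3&transport=polling&t=b1&sid=s2", host: "forum.example.org"',
  '2017/01/25 09:56:40 [error] 13909#13909: *799661 upstream timed out (110: Connection timed out) while reading upstream, client: 198.51.100.7, server: forum.example.org, request: "GET /socket.io/?EIO=3&transport=websocket&sid=s2 HTTP/1.1", upstream: "http://127.0.0.1:4568/socket.io/?EIO=3&transport=websocket&sid=s2", host: "forum.example.org"',
  '2017/01/25 09:57:02 [error] 13909#13909: *799670 connect() failed (111: Connection refused) while connecting to upstream, client: 192.0.2.5, server: forum.example.org, request: "GET /topic/1 HTTP/1.1", upstream: "http://127.0.0.1:4569/topic/1", host: "forum.example.org"',
  'not an nginx error line',
];

// "<time> [<level>] <pid>#<tid>: *<connection> <message>, key: value, ..."
const LINE_RE = /^(\d{4}\/\d\d\/\d\d \d\d:\d\d:\d\d) \[(\w+)\] (\d+)#(\d+): \*(\d+) (.*)$/;
// Context fields nginx appends after the message; quoted values may contain commas.
const FIELD_RE = /, (client|server|request|upstream|host|referrer): (?:"([^"]*)"|([^,]*))/g;

// Returns a structured entry, or null for lines that are not nginx error records.
function parseErrorLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, time, level, pid, tid, connection, rest] = m;
  const entry = { time, level, pid: Number(pid), tid: Number(tid), connection: Number(connection) };
  let messageEnd = rest.length;
  FIELD_RE.lastIndex = 0;
  let f;
  while ((f = FIELD_RE.exec(rest)) !== null) {
    messageEnd = Math.min(messageEnd, f.index);   // message ends where the first field starts
    entry[f[1]] = f[2] !== undefined ? f[2] : f[3];
  }
  entry.message = rest.slice(0, messageEnd);
  return entry;
}

// socket.io transport named in the request line, if any.
function transportOf(request) {
  const m = /[?&]transport=(\w+)/.exec(request || '');
  return m ? m[1] : null;
}

// Count "upstream timed out" events by transport, client and upstream node.
function summarizeTimeouts(lines) {
  const summary = { total: 0, byTransport: {}, byClient: {}, byUpstream: {} };
  const bump = (obj, key) => { obj[key] = (obj[key] || 0) + 1; };
  for (const line of lines) {
    const e = parseErrorLine(line);
    if (!e || !e.message.startsWith('upstream timed out')) continue;
    summary.total += 1;
    bump(summary.byTransport, transportOf(e.request) || 'none');
    bump(summary.byClient, e.client || 'unknown');
    bump(summary.byUpstream, e.upstream ? new URL(e.upstream).host : 'unknown');
  }
  return summary;
}

console.log(JSON.stringify(summarizeTimeouts(SAMPLE_LOG), null, 2));
```

Run it over the real error log (one line per array element) to see whether the timeouts cluster on the polling transport and on particular clients, which is the pattern the post describes, or are spread evenly, which would point at the upstream nodes themselves.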



  • I get the error:

    Session Mismatch
    It looks like your login session is no longer active, or no longer matches with the server. Please refresh this page.
    

    When I click [OK] it appears again (infinitely).

    My server config is:

    upstream io_nodes {
        ip_hash;
        server 127.0.0.1:4567;
        server 127.0.0.1:4568;
        server 127.0.0.1:4569;
    }

    server {
        server_name example.com;
        listen 192.168.100.42;
        listen 192.168.100.42:443 ssl;
        listen [::];
        listen [::]:443 ssl;
        ssl_certificate /home/userhomedir/ssl.cert;
        ssl_certificate_key /home/userhomedir/ssl.key;
        root /home/userhomedir/public_html;
        index index.html index.htm index.php;
        access_log /var/log/virtualmin/example.com_access_log;
        error_log /var/log/virtualmin/example.com_error_log;

        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }

        #  if ($host ~ ^www\.) {
        #     return 301 https://example.com$request_uri;
        #  }

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_redirect off;

        # https://github.com/NodeBB/NodeBB/issues/4734
        proxy_set_header X-Forwarded-Proto $scheme;

        # Socket.io Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        gzip            on;
        gzip_min_length 1000;
        gzip_proxied    off;
        gzip_types      text/plain application/xml text/javascript application/javascript application/x-javascript text/css application/json;

        location @nodebb {
            proxy_pass http://io_nodes;
        }

        location ~ ^/(images|language|sounds|templates|uploads|vendor|src\/modules|nodebb\.min\.js|stylesheet\.css|admin\.css) {
            root /home/usernodebb/nodebb/public;
            try_files $uri $uri/ @nodebb;
        }

        location / {
            proxy_pass http://io_nodes;
        }

    } # end of server example.com


    server {
        server_name live.example.com;
        listen 192.168.100.42:443 ssl;
        listen [::]:443 ssl;
        ssl_certificate /home/userhomedir/ssl.cert;
        ssl_certificate_key /home/userhomedir/ssl.key;
        access_log /var/log/virtualmin/live.example.com_access_log;
        error_log /var/log/virtualmin/live.example.com_error_log;

        location / {

            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_redirect off;

            # https://github.com/NodeBB/NodeBB/issues/4734
            proxy_set_header X-Forwarded-Proto $scheme;

            # Socket.io Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";

            gzip            on;
            gzip_min_length 1000;
            gzip_proxied    off;
            gzip_types      text/plain application/xml text/javascript application/javascript application/x-javascript text/css application/json;

            proxy_pass http://io_nodes;

        } # end of location block

    } # end of server live.example.com


    My config.json is:

    {
        "url": "https://example.com",
        "port": [4567,4568,4569],
        "bind_address": "127.0.0.1",
        "secret": "<hehehe>",
        "database": "mongo",
        "socket.io": {
            "transports": ["websocket", "polling"],
            "address": "live.example.com"
        },
        "mongo": {
            "host": "127.0.0.1",
            "port": "27017",
            "username": "nodebb",
            "password": "<hehehe>",
            "database": "nodebb"
        },
        "redis": {
            "host":"127.0.0.1",
            "port":"6379",
            "password":"<hehehe>",
            "database": 0
        }
    }
    

    It is also not working if I change

        "socket.io": {
            "transports": ["websocket", "polling"],
            "address": "live.example.com"
        },
    

    to

        "socket.io": {
            "transports": ["websocket", "polling"],
            "address": "https://live.example.com"
        },
    

    I tried to visit https://live.example.com first and then https://example.com. This way I don't see the error message. However, when I delete all of the browser cookies and visit https://example.com directly, it shows the same error.

    When I visit https://live.example.com/ it does not show the error message; however, I don't want visitors to use the subdomain to access the website (because this way caching of images by CloudFlare/Incapsula will not work).

    Tried to downgrade socket.io - no effect.

    Reported here: https://github.com/NodeBB/NodeBB/issues/5430



  • I made it work.

    I tried to post more details here, but I got an error:

    Error
    
    Post content was flagged as spam by Akismet.com
    

    Here is my original post: http://pastebin.com/5s9jUe6N

    Also, Pastebin gave me similar error and I needed to solve a captcha...


  • Admin

    @vstoykov Hm, that is quite interesting, so you need to manually set cookieDomain to .example.com with the leading period for it to work? I was always under the impression that it was optional...
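
An added example, not NodeBB's code and not from either post: the RFC 6265 cookie rules that decide whether a session cookie set by the forum host (example.com) is also sent with socket.io requests to a separate "address" host (live.example.com), which is what the Session Mismatch report and the cookieDomain question above come down to. Hostnames are placeholders; the public-suffix check, path matching and IPv6 literals are left out to keep the rules readable.

```javascript
// Added example: RFC 6265 cookie scoping applied to a forum host and a
// separate socket.io host. Hostnames are placeholders.

function isIpv4(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// RFC 6265 section 5.1.3: "host" domain-matches "domain".
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return !isIpv4(host) && host.endsWith('.' + domain);
}

// Minimal Set-Cookie parser: name=value plus the attributes used here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq <= 0) return null;
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: null, secure: false, httpOnly: false };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1).trim();
    if (key === 'domain') {
      // Section 5.2.3: a leading "." is stripped, so ".example.com" and
      // "example.com" are the same Domain attribute.
      const d = (val.startsWith('.') ? val.slice(1) : val).toLowerCase();
      if (d) cookie.domain = d;
    } else if (key === 'secure') {
      cookie.secure = true;
    } else if (key === 'httponly') {
      cookie.httpOnly = true;
    }
  }
  return cookie;
}

// Section 5.3 storage rules: host-only cookie, domain cookie, or rejected (null).
function storeCookie(header, requestHost) {
  const c = parseSetCookie(header);
  if (!c) return null;
  requestHost = requestHost.toLowerCase();
  if (c.domain) {
    if (!domainMatches(requestHost, c.domain)) return null; // cannot set a cookie for an unrelated host
    c.hostOnly = false;
  } else {
    c.hostOnly = true;        // no Domain attribute: bound to exactly this host
    c.domain = requestHost;
  }
  return c;
}

// Section 5.4: is the stored cookie attached to a request for requestHost?
function cookieApplies(cookie, requestHost, secureChannel) {
  requestHost = requestHost.toLowerCase();
  const hostOk = cookie.hostOnly
    ? requestHost === cookie.domain
    : domainMatches(requestHost, cookie.domain);
  return hostOk && (!cookie.secure || secureChannel);
}

// Does the forum's session cookie reach the socket.io host over HTTPS?
// cookieDomain stands in for a cookieDomain setting (undefined = no Domain attribute).
function sessionCookieReachesSocketHost(forumHost, socketHost, cookieDomain) {
  const header = 'sid=abc123; Path=/; HttpOnly; Secure' + (cookieDomain ? '; Domain=' + cookieDomain : '');
  const stored = storeCookie(header, forumHost);
  return stored !== null && cookieApplies(stored, socketHost, true);
}

console.log(sessionCookieReachesSocketHost('example.com', 'live.example.com'));                 // false
console.log(sessionCookieReachesSocketHost('example.com', 'live.example.com', '.example.com'));  // true
```

Without a Domain attribute the session cookie is host-only and never leaves example.com, so a socket.io connection to live.example.com arrives without a session and the server reports a mismatch; with Domain set to example.com (the leading period makes no difference under RFC 6265) the cookie is sent to every subdomain, which is also why the scope should be no wider than the hosts that actually need it.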



  • Fyi I simply replaced

    proxy_set_header X-Forwarded-Proto $scheme;
    

    by

    proxy_set_header X-Forwarded-Proto https;
    

    in my Nginx config, to make my NodeBB work with CloudFlare, since I am using their automatic SSL certificate (my server receives HTTP requests then, not HTTPS).

    Hope this helps 🙂
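
An added example, not from the post and not NodeBB's code: how an application behind nginx and a TLS-terminating CDN such as CloudFlare should derive the request scheme. Forwarding a fixed "https" from nginx, as above, is right when every request reaches nginx through the CDN's TLS edge, but the application is then believing a header rather than its own socket, so the header should be accepted only from configured proxy addresses. IPv4 only; the addresses and ranges are placeholders.

```javascript
// Added example: accept X-Forwarded-Proto only from trusted proxy addresses.
// Addresses and ranges below are placeholders.

function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

// "10.0.0.0/8" or a bare address (treated as /32).
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  if (bits === 0) return true;
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// conn mimics what a Node HTTP server sees: whether its own socket is TLS,
// the peer address, and lower-cased request headers.
function resolveScheme(conn, trustedProxies) {
  const own = conn.encrypted ? 'https' : 'http';
  const forwarded = conn.headers['x-forwarded-proto'];
  if (!forwarded) return own;
  const fromTrustedProxy = trustedProxies.some((range) => inCidr(conn.remoteAddress, range));
  if (!fromTrustedProxy) return own;   // header from an arbitrary peer: ignore it
  // With several proxies in a row the leftmost value describes the client-facing hop.
  const first = forwarded.split(',')[0].trim().toLowerCase();
  return first === 'https' ? 'https' : 'http';
}

// The situations discussed in the thread, from the NodeBB process's point of
// view; nginx on 127.0.0.1 is the only trusted hop.
function scenarios() {
  const trusted = ['127.0.0.1/32'];
  const viaNginx = (proto) => ({ encrypted: false, remoteAddress: '127.0.0.1', headers: { 'x-forwarded-proto': proto } });
  return {
    // CDN terminates TLS; nginx forwards $scheme of its own plain-HTTP hop
    forwardScheme: resolveScheme(viaNginx('http'), trusted),
    // nginx forwards a fixed "https": the app sees what the client saw
    forwardFixedHttps: resolveScheme(viaNginx('https'), trusted),
    // a peer other than nginx reaches the node and sets the header itself
    untrustedPeer: resolveScheme({ encrypted: false, remoteAddress: '198.51.100.7', headers: { 'x-forwarded-proto': 'https' } }, trusted),
    // no proxy at all: the socket decides
    directTls: resolveScheme({ encrypted: true, remoteAddress: '198.51.100.7', headers: {} }, trusted),
  };
}

console.log(scenarios());
```

The first scenario is the failure the post fixes: the CDN speaks HTTPS to the visitor but plain HTTP to the origin, so nginx's `$scheme` is `http` and the application believes the request was insecure even though the configured site URL is `https://`. The third scenario only matters if a node is reachable by something other than nginx; with `"bind_address": "127.0.0.1"` as in the config.json earlier in the thread, nothing else can reach it.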



  • So based on what I'm reading and after trying every combination of settings I can find, it seems like the answer is not using Cloudflare (at least the free plan). But given that there are people that will DDoS a site "just cause", is there a way to force the downgrade?

    I'd like to add that even after disabling cloudflare I still seem to be having socket io issues.

    "GET /socket.io/?EIO=3&transport=polling&t=LlpXxXp HTTP/1.1" 400 23



  • @wolfman2g1 honestly CloudFlare is pretty senseless regarding DDoS protection. With a proper host the chance of a DDoS is close to 0. I am running a top 100K Alexa site without CloudFlare protection (just DNS for faster resolving) and never ran into any issues in the past 4 years.



  • @AOKP
    I think I'm fine with not using cloudflare. At the moment I'm just trying to get the site stable. I'm still getting disconnects even without using Cloudflare.


  • Swedes

    Seems to work great with Cloudflare for me 🙂 I like the SSL support and DNS GUI. But I guess I would not die without it 😛



  • @Jenkler Are you using ssl between your server and cloud flare?


  • Swedes

    Yes I do 😉 check out nodebb.se for a use case! Plz notify me if something seems broken! I am using Cloudflare's own certs.



  • @Jenkler looks great man. I'm still trying to understand why I'm getting 400 errors for socket io.


  • Swedes

    I guess you have some configuration issues in nginx!

    Here is my config! Maybe this will help you 😉

    Server block

    server
    {
        listen 443 ssl;
        location @nodebb
        {
            proxy_pass http://www-nodebb-se:4567;
        }
        location ~ ^\/assets\/(.*)
        {
            root /server/nodejs/nodebb.se/www/;
            try_files /build/public/$1 /public/$1 @nodebb;
        }
        location /plugins/
        {
            root /server/nodejs/nodebb.se/www/build/public/;
            try_files $uri @nodebb;
        }
        location /
        {
            proxy_pass http://www-nodebb-se:4567;
        }
        proxy_http_version 1.1;
        proxy_redirect off;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Real-IP $remote_addr;

        server_name nodebb.se www.nodebb.se;
        ssl_certificate /server/nginx/ssl/nodebb.se.crt;
        ssl_certificate_key /server/nginx/ssl/nodebb.se.key;

        if ($host != 'www.nodebb.se')
        {
            rewrite ^/(.*)$ https://www.nodebb.se/$1 permanent;
        }
    }


    Global block

    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;


    BTW, if someone knows any tweaks please advise 😛 And plz explain why!
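
An added example, not Jenkler's code: a small audit of the ssl_protocols and ssl_ciphers directives of an nginx global block, with the reason attached to each finding, which is the "explain why" asked for above. WEAK_BLOCK is a copy of the global block posted above; HARDENED_BLOCK is an assumed replacement (TLS 1.3 needs nginx built against a TLS library that supports it). The rules are keyed on OpenSSL cipher-string components, which is the syntax nginx's ssl_ciphers uses.

```javascript
// Added example: audit nginx TLS directives and explain each finding.
// WEAK_BLOCK copies the posted global block; HARDENED_BLOCK is an assumed replacement.
const WEAK_BLOCK = `
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
`;

const HARDENED_BLOCK = `
ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
`;

const PROTOCOL_RULES = {
  'sslv2': 'SSLv2 is broken (RFC 6176 prohibits it)',
  'sslv3': 'SSLv3 has no safe cipher suites left (RFC 7568 deprecates it)',
  'tlsv1': 'TLS 1.0 is deprecated (RFC 8996); it offers only CBC and RC4 suites, no AEAD',
  'tlsv1.1': 'TLS 1.1 is deprecated (RFC 8996) and adds nothing a TLS 1.2 client needs',
};

// Keyed on the OpenSSL cipher-string components of each "A+B" entry.
const CIPHER_COMPONENT_RULES = {
  '3DES': '3DES is a 64-bit block cipher; long sessions become exposed to birthday-bound attacks',
  'DES': 'single DES has a 56-bit key',
  'RC4': 'RC4 keystream biases leak plaintext (RFC 7465 prohibits it)',
  'MD5': 'MD5-based MACs are obsolete',
  'NULL': 'NULL ciphers give no encryption',
  'ANULL': 'anonymous key exchange gives no authentication',
  'EXPORT': 'export-grade suites use deliberately weakened keys',
  'RSA': 'static RSA key exchange (OpenSSL alias for kRSA): no forward secrecy, a leaked server key decrypts recorded sessions',
  'KRSA': 'static RSA key exchange: no forward secrecy',
};

// name -> argument list; the last occurrence wins, text after "#" is ignored.
function parseDirectives(text) {
  const directives = new Map();
  const re = /^\s*([a-z_]+)\s+([^;#]*);/gm;
  let m;
  while ((m = re.exec(text)) !== null) directives.set(m[1], m[2].trim().split(/\s+/));
  return directives;
}

// One finding per weak protocol and per weak component of each enabling cipher entry.
function auditTls(text) {
  const d = parseDirectives(text);
  const findings = [];
  for (const proto of d.get('ssl_protocols') || []) {
    const reason = PROTOCOL_RULES[proto.toLowerCase()];
    if (reason) findings.push({ directive: 'ssl_protocols', item: proto, reason });
  }
  for (const entry of (d.get('ssl_ciphers') || []).join('').split(':')) {
    // "!X" and "-X" remove suites; only positive entries enable anything.
    if (!entry || entry.startsWith('!') || entry.startsWith('-')) continue;
    for (const component of entry.split('+')) {
      const reason = CIPHER_COMPONENT_RULES[component.toUpperCase()];
      if (reason) findings.push({ directive: 'ssl_ciphers', item: entry, reason });
    }
  }
  return findings;
}

for (const f of auditTls(WEAK_BLOCK)) console.log(`${f.directive}: ${f.item} - ${f.reason}`);
console.log('hardened block findings:', auditTls(HARDENED_BLOCK).length);
```

On the posted block this reports the two legacy protocol versions, the two RSA-key-exchange entries (no forward secrecy) and the two 3DES entries; the hardened block yields no findings. The audit reads cipher-string aliases literally, so a suite spelled out by name (for example `AES128-SHA`, which is also static RSA) would need its own rule.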



