The biggest issue anyone is going to have is with the IPS's since all IP's will be Cloudlfare IP's. Ideally you restore them at the server level using mod_remoteip or whatever else will do it. This insures the original IP is used for logs, web application like phpBB etc. Unfortunately if you are on shared hosting this is not something you can install and configure yourself. There is an extension for phpBB for this but it only affects the IP's used by phpBB.
*Since image attachments are served through a php script with phpBB these are not cached but you could create a rule to cache them. Just be aware this removes any permissions, e.g. files in private forums and PM's are made public. Minimally you can safely cache avatars. Under Cache rules
Additionally if you have access to the firewall you block ports 80 and 443 for all IP's except CF IP's. This does two things. If the IP is exposed it will help mitigate any attacks directly against the IP. It also helps prevent exposing it in the first place. If you have a determined attacker and they know who your host is they will run a bot across the entire IP range making requests for unique files that can can only be served by your domain.
You are losing part of the functionality, the default cache settings will work fine. They only cache static files like images*, JS, CSS etc. It's less than what a browser would cache because they will not cache HTML or PHP files regardless of the cache header. When you update phpBB you should clear Cloudflares cache so that any changes to files will immediately be be re-cached, In particular CSS and JS.I've set a page rule that stops CloudFlare from caching anything on my phpBB board.
*Since image attachments are served through a php script with phpBB these are not cached but you could create a rule to cache them. Just be aware this removes any permissions, e.g. files in private forums and PM's are made public. Minimally you can safely cache avatars. Under Cache rules
URI contains /download/file.php?avatar=, make it eligible for the cache.If you want true DDoS protection there is more involved. You need to protect the origin IP which can be exposed in many ways. In a true DDoS they are going to try and determine the origin IP and once they know it they will just use local DNS directly attacking the IP. The IP can be exposed with email, remote avatar uploads or anything else of that nature.This approach lets you leverage their bot and DDoS protection
Additionally if you have access to the firewall you block ports 80 and 443 for all IP's except CF IP's. This does two things. If the IP is exposed it will help mitigate any attacks directly against the IP. It also helps prevent exposing it in the first place. If you have a determined attacker and they know who your host is they will run a bot across the entire IP range making requests for unique files that can can only be served by your domain.
Statistics: Posted by thecoalman — Sat Jan 27, 2024 3:06 am