• Support
  • Improving Flarum speed with Cloudflare cache

  • [deleted]

rob006 It's not a Captcha. It's the initial loading of the site, so no dream being spoiled. I see the session being initiated on my server.

    1Dot Friend, it's great you are talking about Flarum only, but why do you forget about 3rd party extensions that add some extra JS and CSS in the header?

    Extensions bundle their JS and CSS in one single extensions bundle, so it shouldn't be a problem. It would be interesting to find out if the performance improvement derives from static files caching or from the reverse proxy.

    The fact that you let all traffic pass through Cloudflare can have advantages but also disadvantages. For example, I'm measuring TTFB through Cloudflare and outside Cloudflare, and Cloudflare gives a higher value, so that means that for my particular network and connection between edge and origin it's not worth it after all. And probably for most users in my country, which is the public of my forum.

    Through Cloudflare:

    Lookup time:		0,001749
    Connect time:		0,051389
    SSL handshake time:	0,153457
    Pre-Transfer time:	0,153590
    Redirect time:		0,000000
    Time to first byte:	0,684040
    
    Total time:		0,802025

    Outside:

    Lookup time:		0,000388
    Connect time:		0,033664
    SSL handshake time:	0,125015
    Pre-Transfer time:	0,125168
    Redirect time:		0,000000
    Time to first byte:	0,608581
    
    Total time:		0,716862

    Anyway I don't want to start a discussion 😅 I'm saying that adding Cloudflare just to see a very specific ranking improve, that we don't even know how it works and from where it's tested, is not enough to justify using it just because it's free IMO. It's something to consider more carefully. And I'm using Cloudflare myself as you've seen, because I've tried multiple products and ended up there for the moment.

      [deleted] Application layer attacks would require the CF WAF, which isn't free.

      Actually I was referring to L7 DDoS, which unfortunately on Cloudflare are mitigated only if they're very impacting. For example, if you get 100 requests per second Cloudflare doesn't mitigate it, although your server would certainly be KO because PHP is heavy. If you get 1000 r/s, they probably would.

      My understanding is that this kind of attack is better handled by Bot Management, which is an Enterprise feature unfortunately.

        • [deleted]

        matteocontrini My understanding is that this kind of attack is better handled by Bot Management, which is an Enterprise feature unfortunately.

        Correct, but L7 in the OSI model is in fact application - the topmost tier, so the WAF ruleset would actually apply. However, you can have even a basic ruleset operating on your own host to mitigate some of this traffic at least. The free version has basic bot detection, but you're right - you'd have to pay to get anything decent.
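
Added example, not part of the thread: a minimal origin-side check for the request rates discussed in the two posts above (around 100 requests per second), counting per-client requests per second from an access log. The log layout (a combined-style line with the `CF-Connecting-IP` header value appended as a last quoted field), the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed layout: combined log line plus a final quoted field holding the
# CF-Connecting-IP request header ("-" when the header was absent).
LINE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
    r'\d{3} \S+ "[^"]*" "[^"]*" "(?P<cfip>[^"]*)"$'
)

def bursts(lines, threshold, use_forwarded=True):
    """Return {client: peak requests in one second} for clients above threshold.

    With use_forwarded=False the TCP peer is used, which behind a reverse
    proxy is the proxy's address and lumps every visitor together.
    Only trust the forwarded value when the peer is a known proxy address;
    a client connecting directly can set the header itself.
    """
    per_second = defaultdict(Counter)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip unparseable lines rather than guess
        ip = m.group("peer")
        if use_forwarded and m.group("cfip") not in ("", "-"):
            ip = m.group("cfip")
        second = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        per_second[ip][second] += 1
    peaks = {ip: max(c.values()) for ip, c in per_second.items()}
    return {ip: n for ip, n in peaks.items() if n > threshold}

def sample():
    """Constructed log lines (documentation address ranges, not real traffic)."""
    fmt = ('{peer} - - [10/Oct/2023:13:55:{s:02d} +0000] '
           '"GET /api/discussions HTTP/1.1" 200 512 "-" "ua" "{cf}"')
    proxy = "198.51.100.7"  # stands in for a proxy edge address
    noisy = [fmt.format(peer=proxy, s=36, cf="203.0.113.50") for _ in range(120)]
    normal = [fmt.format(peer=proxy, s=36 + i, cf="203.0.113.9") for i in range(5)]
    direct = [fmt.format(peer="192.0.2.44", s=40, cf="-") for _ in range(3)]
    return noisy + normal + direct

if __name__ == "__main__":
    print(bursts(sample(), 100))                       # keyed by visitor
    print(bursts(sample(), 100, use_forwarded=False))  # keyed by TCP peer
```

Keyed by TCP peer, the only address over the threshold is the proxy itself, so a host-level rule written that way would throttle every visitor arriving through the proxy.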

          [deleted] I agree with you 100%

          [deleted] "There's no such thing as a free lunch"

          I agree with this 100000000%

          @[deleted] Also a quick question: as you are a big, good specialist in security, can you please tell me, is it really safe, and is using it good or not?

          matteocontrini Yes, I agree with you this time!
          That's good to know you are also using Cloudflare.

          [deleted] It's not a Captcha. It's the initial loading of the site

          Your "initial loading" returns 403 status code? That's unusual 😆

            • [deleted]

            rob006 It does the same on all sites - even those without CF it seems 😕 and it's the same with discuss. I do get your point though - it certainly looks like a Captcha request but I can't see any matching logs at CF for my sites.

              • [deleted]

              1Dot Because that's the Windows Live Writer file, which in retrospect is almost harmless as it will attempt to use xmlrpc, which is disabled. Obscurity is not security.

              • [deleted]

              Justoverclock Yes, but as @rob006 pointed out, your site resolves to HTTP 200, so clearly it IS being blocked by CF (for my site at least) as a bot. What's odd though is that I can clearly see the session being built from this IP via CF to my server, so it does get through.

              • [deleted]

              1Dot Yes, but note the 403 error code. You can't rely on this site to present real figures unless you whitelist the IP address at CF. On investigation, it's being blocked by the Browser integrity check but the traffic request does make it to my server which responds.

              Very odd. 100% unreliable test in this case though.

                [deleted] Browser integrity check

                Phenomlab But I can see the IP accessed my server in my server logs, and also the screenshot is of the site, not that access denied.

                Yes, but there are a lot of differences. I used that Pingdom you shared; see what I got

                  [deleted] It does the same on all sites - even those without CF it seems 😕 and it's the same with discuss.

                  Disqus is behind Cloudflare. My blog isn't and it is working fine:

                    • [deleted]

                    rob006 Very interesting. I see your site is also WordPress - impressive !

                    • [deleted]

                    1Dot Phenomlab But I can see the IP accessed my server in my server logs, and also the screenshot is of the site, not that access denied.

                    Same here

                    1Dot Yes, but there are a lot of differences. I used that Pingdom you shared; see what I got

                    Yes, but look at your load time ! Anything over 1 second these days is considered slow.

                      [deleted] Yes, but look at your load time ! Anything over 1 second these days is considered slow.

                      Hmm. Any tips to improve this? And what's the problem with GTmetrix? I always get A