raphael done, I've disabled reactions for you.
tom23 does your forum work now?
Hello everyone! Once again, I am writing a rather longer message to communicate the current state of FreeFlarum with you.
As you might already know, FreeFlarum has been experiencing several outages over the past few days. First of all, I sincerely thank everyone for reporting this to me, either in this discussion or through e-mail - similarly, thank you for being patient while I work on improving things for everyone.
Initially, these outages came as no huge surprise to me, given that the number of online forums is now at its historical peak - 4 891 forums are online! Before this milestone, I believed that the limit sat at around 3 000 online forums, as this was the limit around which things started to break. This proves that the upgrades that I rolled out last September were efficient, as they allowed for approximately 1 900 more forums to be hosted on the same hardware, without any additional expenses.
However, even these improvements won't be sufficient permanently. Disk usage sits at around 95 % right now - despite me cleaning up some inactive forums, some of them later asked to be reactivated. Obviously, there's nothing wrong with that - I just mean that this proves that as time moves on, more forums are being registered, and the number of active forums grows with that as well.
But now for the more unfortunate news. It has recently come to my attention that FreeFlarum was caught in a DDoS attack, which rapidly contributed to these downtimes. This was possible because FreeFlarum did not proxy forums through Cloudflare, otherwise linking forums through a custom domain wouldn't be possible per their "CNAME Cross-User Banned" policy. I have now mitigated this by enabling Cloudflare at least for all forums hosted under the .flarum.cloud domain (which is the vast majority), as this domain is not required to be CNAMEd to during the domain linking process. I also tried my luck by enabling it for .freeflarum.com to see if it somehow functions with FreeFlarum's CNAME setup, but it didn't (hence some forums were not available for some time).
As I have never witnessed a DDoS attack of similar scale at FreeFlarum before, the existing configuration to mitigate such issues was sadly not tested enough, nor was it efficient. It seems odd to me what ambitions such people have when it comes to these attacks, and what do they get from it? Anyway, just to clarify: no data was stolen or otherwise transferred from the server during the attack - it was just a matter of someone utilizing an online DDoS service to flood the FreeFlarum server with hundreds of spam requests to bring the RAM usage to a critical point. And at that point, the webserver was killed for being out of memory - hence the downtime (which lasted until the webserver was restarted). I will not get too technical about this. But at least it wasn't all for nothing. This attack showed me where FreeFlarum's security lacks attention, and how I should improve it in the next upgrade.
Speaking of upgrades, as I might've mentioned before, I am currently in the process of updating the FreeFlarum codebase, and I will migrate it to a server with better hardware and more disk space soon. While such a move will also introduce higher monthly charges to keep the server running, I believe that this will be for the greater good and to make the service more available for everyone. And at this point, I would like to thank all donors for donating to FreeFlarum - it means a lot to me, and I couldn't be more grateful to you - you all are the reason that this service exists in the first place.
I will now share some of the upcoming changes that I've been thinking about, namely:
- removing unused/underused features (such as database templates during forum creation);
- updating the database model (so that I can keep track of historical records for donations and forum removals - currently, the data is shown in the present, as-is)
- switching to another donation service (Open Collective? Patreon?)
- making the documentation clearer (finally finally?)
- synchronizing the multitenant GitHub repository - move extension requests here, for automated and transparent extension inclusion
- better status page
- more quality of life improvements under the hood...
Overall, this update is less complex than last year's one, so it should go a lot smoother, I hope. Unfortunately, due to me working on the project in my spare time, I am unable to give you an exact date of the release, and with that also any specific downtime date (there will surely be some outage); however, I will obviously make sure to inform you all of it here as soon as possible, after I finish what needs to be done.
Lastly, as always, if you notice anything out of the ordinary, then please let me know - either via info@freeflarum.com or directly in this thread. If it's something that is related to your forum, then please share your forum URL too. But generic suggestions and feedback are very appreciated too :)