[DigitalPoint] Cloudflare

xF2 Add-on [DigitalPoint] Cloudflare 1.5.2

  • More tuning of logic for when to do guest page caching
  • Made change so other addons that are also extending the filesystem mount class are able to do so with backward compatibility
  • Fixed cosmetic issue with overflow of R2 logs in overlay window
  • Prevent users from using the same bucket for public and private areas (prevent users from exposing internal-data as a public bucket)
  • Added note about style, language and advanced cookie consent in XF 2.2.12+ to known limitations for guest page caching
  • Made some minor changes to the logic of when to serve cached pages or not (Guest page caching)
  • If a session is empty (like when a user logs out), go ahead and fully expunge it
  • Made some changes to R2 adapter so it could be configured for extra directories via config.php
  • Added some code to work around XenForo not updating CSRF token in URLs (this bug report)
IMPORTANT for existing users: The new R2 functions and control of new settings require some new permissions for the API Token you use. You can go to your Cloudflare API Tokens, edit the token you have and add the following permissions:
  • Account.Account Analytics: Read
  • Account.Workers R2 Storage: Edit
  • Zone.Bot Management: Edit
  • Zone.Cache Rules: Edit
You should have a total of 14 permissions for your API token at this point. If you don't have 14, you can check what you should have under XF Admin -> Options -> External service providers -> Cloudflare authentication.

General
  • Fixed issue with compatibility with old versions of PHP.
  • Requires PHP 7.0 or higher (just getting too annoying/difficult to maintain backward compatibility with very old versions of PHP on old versions of XenForo).
  • New Cloudflare setting: Network error logging
  • Bot Fight Mode, Automatic Signed Exchanges (SXGs) & AMP Real URL settings can be used with API tokens now (before you had to use Global API keys to access those settings).
  • Added note about changing Worker subdomain.
  • New option for country blocking allows blocking to apply to entire site or just registration.
  • Make it so XenForo's FsMount class can disable asserts on a per-adapter basis (makes filesystem faster and cuts R2 API calls in half because we don't need to explicitly check if an object exists before we try to get it).
  • Changed verbiage to reflect Cloudflare's change of "firewall filter rules" to simply "firewall rules".
  • Cloudflare API calls that return a server error code (5xx) will transparently retry once before giving up.
R2 (object storage)
  • R2 support (yay!)
  • R2 requires use of an API token (can't use Global API key, no way around that).
  • Internally caching Cloudflare account ID, so we don't need to make API call to get it over and over (account ID normally never changes).
  • Internally caching API token ID (required for R2 usage).
  • New CLI command to migrate data between two different abstracted filesystems: php cmd.php dp:migrate-data [--new-to-old] [--processes=PROCESSES] [--start-at-path=START-AT-PATH] [--location=LOCATION] [--path=PATH]
  • Can see R2 storage/usage for Cloudflare account as a whole (in footer of R2 admin area).
  • Can see recent R2 logs (for individual buckets as well as Cloudflare account-level).

What is R2? R2 is a cloud object storage system. This add-on allows you to store things like avatars and attachments in the cloud rather than on your server. The cost to use R2 is extremely reasonable... the first 10GB of storage is free, each GB after 10GB is $0.015 per month. For example, if you had 100GB of attachments and avatars you wanted to store in R2, the cost would be $1.35 per month.

I've built a CLI tool to migrate data from one file system to another (for example you could go from local storage to R2 with it), however it needs to work within the limitations of XenForo and Flysystem. Which means, if you need to move more than a few GB worth of files, you are going to be better off using a free utility like rclone to do it.
This adds some functionality to Cloudflare's Turnstile captcha option added to XenForo 2.2.12.

IMPORTANT for existing users: The new Turnstile functions require a new permission for the API Token you use. You can go to your Cloudflare API Tokens, edit the token you have and add the Account.Turnstile: Edit permission.


One-click Turnstile site creation

You can automatically set up Turnstile for your site without going to Cloudflare's site by using the "Setup in Cloudflare" button.


Buttons for direct links to Settings and Analytics

Once Turnstile is set up for your site, you will get new Settings and Analytics buttons that give you direct links to manage/report on your Turnstile site within Cloudflare.

Minor update...
  • Give human-readable error when the domain/zone does not exist on Cloudflare account when trying to work with it.
  • Handling of Access policy creation when some admins have no email address.
  • Better handling of favicons when using unfurl proxy and destination is using relative favicons.
  • Removed stray variable in a tooltip
  • Fixed issue where setting values considered "good" when disabled would show the opposite value for their setting (things like Development Mode and Rocket Loader which are considered "good" when disabled)
The option to Force registration challenge added in version 1.1.1 has been extended to optionally apply to the contact form as well. If you already created the managed challenge for registrations you can click the option again to toggle on/off the contact form option (it will update the existing rule).


Using Cloudflare Workers as an image proxy was added in version 1.1.0. Now you can also use Cloudflare Workers as an unfurl proxy to further hide the origin server's IP address.

  • New User registration option: Registration form is an overlay
  • Added ability to auto-configure Cloudflare firewall filter rule to force new registrations to go through managed challenge (helps mitigate automated spam registrations)
  • Adds 24 solve rate metrics for firewall filter rules (needs new "Zone.Analytics: Read" permission)
IMPORTANT for existing users: The new solve rate metric requires a new permission for the API Token you use. You can go to your Cloudflare API Tokens, edit the token you have and add the Zone.Analytics: Read permission.

  • Ability to use a Cloudflare Worker as a backend image proxy to hide the origin server's IP address when XenForo's image proxy fetches the image
  • Some minor cosmetic tweaks to Cloudflare lists of things in admin area
IMPORTANT for existing users: The setup of the Cloudflare Workers image proxy system requires a new permission for the API Token you use. You can go to your Cloudflare API Tokens, edit the token you have and add the Account.Workers Scripts: Edit permission.

This gives you an easy/fast/reliable/free way to hide your server's origin IP from someone trying to get it for malicious purposes.
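
The image proxy described above works by having a Worker, rather than the forum server, fetch the remote image. As an added illustration (not the add-on's own Worker code), the sketch below shows the checks such a proxy needs so it cannot be pointed at internal hosts or made to return non-image content; the `url` query parameter, the type allow-list and the function names are assumptions.

```javascript
// Added illustration, not the add-on's Worker. The "url" query parameter and
// the ALLOWED_TYPES list are assumptions made for this sketch.
const ALLOWED_TYPES = /^image\/(png|jpeg|gif|webp|avif)$/i;

// Return the parsed target URL, or null when the request must be refused.
function parseTarget(requestUrl) {
  let target;
  try {
    const raw = new URL(requestUrl).searchParams.get("url") || "";
    target = new URL(raw); // throws on empty or malformed input
  } catch {
    return null;
  }
  if (target.protocol !== "http:" && target.protocol !== "https:") return null;
  if (target.username || target.password) return null; // no embedded credentials
  const host = target.hostname.replace(/\.$/, ""); // ignore a trailing root dot
  // The URL parser normalises numeric hosts to dotted-quad form, so one pattern
  // covers IPv4 literals; bracketed hosts are IPv6 literals.
  if (/^\d+(\.\d+){3}$/.test(host) || host.startsWith("[")) return null;
  // Single-label and local names can resolve to internal services.
  if (!host.includes(".") || host.endsWith(".local") || host.endsWith(".internal")) return null;
  return target;
}

// Media type without parameters, or null if it is not an allowed image type.
function imageType(contentType) {
  const type = (contentType || "").split(";")[0].trim().toLowerCase();
  return ALLOWED_TYPES.test(type) ? type : null;
}

// Worker-style handler: the forum server calls the Worker, the Worker fetches
// the remote image, so the remote host only ever sees Cloudflare addresses.
async function handle(request, fetchImpl = fetch) {
  const target = parseTarget(request.url);
  if (!target) return new Response("bad target", { status: 400 });
  // Do not follow redirects: a 3xx could point back at an internal address.
  const upstream = await fetchImpl(target.toString(), { redirect: "manual" });
  const type = imageType(upstream.headers.get("content-type"));
  if (!upstream.ok || !type) return new Response("not an image", { status: 502 });
  return new Response(upstream.body, {
    headers: { "content-type": type, "x-content-type-options": "nosniff" },
  });
}
```

Under the Workers module syntax this would be exported as `export default { fetch: (request) => handle(request) }`. A production proxy would also authenticate the caller so the Worker cannot be used by third parties.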
