PHPBb - Cloudflare blocking login

Just recently (since about March 3 2021), users have been unable to login to my phpbb site.
I went through all the motions
Restore backup, ensure cache disabled, clearing all browser cookies/cache. All extensions disabled.

I had a page rule to disable Cache (Cloudflare page rulel), and I tried a a page rule (#1) to disable Security, Performance, and Apps.
Still had the problem.
The ONLY thing that has resolved the problem is to DISABLE Cloudflare on my site. If I reenable it, the problem returns. Like clockwork.

It is as if Cloudflare is ignoring page rules. PHPBB is a dynamic platform, But do like (before this happened) to have WAF and other non cache enabled.

If I can’t resolve this, then Cloudflare may become a boat anchor as I can’t use it for anything but DNS Proxy.
Any Ideas?

Hi @billd,

Can you give some more details on exactly what is failing with Cloudflare enabled?

What are the users seeing when it doesn’t work, and what do you see on the server side?

Sure
When a user goes to the Login page. They enter a valid user name and password.
The system will “think about” it for a second and then redisplay the login page with no errors
This happens at the main login landing page and if you try to use the “/ucp.php?mode=login” option.

phpBB logs (after I disable Cloudflare and am able to login) show no errors.
Nor does the main front end webpage errorlog

Tried disabling all CloudFlare on the forum directory tree, no impact. I did clear all Cloudflare, phpBB, and Browser caches in between each test.
Only completely disabling Cloudflare allows the forum to work properly.

As a stopgap measure, I have locally installed WAF to compensate for the loss of Cloudflare services. But I’d much rather have this at the front end.

Can you check what does the log file of tried login attempts say? Which IP you have? Maybe all the visitors have the same “Cloudflare IP” showing up instead of their own, so the system is confused?

All Ip’s are unique.
I test this myself with VPN and come in from various countries.

When I login as admin, the IP address in the Admin logs correctly reflect my origination IP.
This is also reflected on the user logs.

In theory, I should be able to get at least one login successfully if the IP was duplicated. But it is not.

Example in the logs, Feb to Mar3 is prior to the problem starting. I log logs after that when restoring the site to attempt fixing it on the host end.

image

What version of phpBB are you running?
And the phpBB is running on HTTPS (443 port) right?
Do you have Full SSL enabled?
Do you access or login at your phpBB with or without www prefix (sub-domain)

Can the Cloudflare WAF, or if you use Managed Rules for phpBB maybe? Maybe they were blocking some requests passing?

I force https at the board level.
In Cloudflare I did have that enabled until I had to disable it. I like to have layered protection where I can get it.

login is <private.url>/forums
Or <**>/forums/index.php

I cannot turn Cloudflare on at all. Even with only WAF enabled, it flat out breaks the site login capability.
Without it, works fine.

I do not have “Managed Rules” on the board. At least not yet. :slight_smile:
I am using the WordPress WP Cerber right now at the host level (backend). It’s up and working now.
It was working before and I do use the WP Cerber Cloudflare plugin as well.

image

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.