Does s2 work with Cloudflare

strictly-software
(@strictly-software)

9 years, 7 months ago

I searched the notes for s2 member but cannot see whether your site works with Cloudflare or not.

I have the site behind cloudflare with a “backdoor” subdomain – should this be used in all my urls for payments etc.

I did write an earlier post about members not being knocked off or demoted when their EOT time is up. I just had to take 20+ off manually. So maybe Cloudflare OR their use of sharing IP addresses which hides the real identity of the user could be a BIG problem for your tool. I do know that 200 status codes were being returned for “cancellation” IPN messages but that the user was not being cancelled and could still access the site!

I am wondering (as the times seem to co-inside with when I installed Cloudflare for the site) that maybe your plugin doesn’t work with Cloudflare which is a tool for caching users and I am wondering whether if you don’t install the module they recommend to return original client IPs to the user (so clouflare front end proxy IPs) are used for all visits, then people won’t be recognized by IP etc and therefore further issues are caused.

Maybe a “test” button to check whether the site is behind Cloudflare, is not blocking blank user-agents (as I found caused problems due to PayPals HTTP payment responses using NO user-agent) and other issues could be tested for on installation. I block blank user-agents as many script kiddies and hackers don’t bother setting them so it saves me bandwidth.

I only just managed to get Cloudflares module working to return the original clientIP back to the user in access logs as for a month or two (during the no knocking off period) they were not being restored.

I will have to see if any new members get kicked off when they should but maybe it might be something you should mention to users. There are probably other tools about that proxify IP’s for cache purposes so maybe you need to warn s2 members about this potential problem.

It would be something to look into and let me know if you already DO whether I should be using the “bypass” sub domain for certain HTTP requests so they don’t go through Cloudflare at all.

Any help would be great.

Thanks

https://wordpress.org/plugins/s2member/

Viewing 2 replies - 1 through 2 (of 2 total)

KTS915
(@kts915)

9 years, 7 months ago

The latest I can find on this is here.

If it’s still true — it’s from 2012 — the answer to your question is no.

Thread Starter strictly-software
(@strictly-software)

9 years, 7 months ago

Hi

I think that KB article needs to be updated with my earlier comments on the first post.

Cloudlare introduce a number of modules that restore the original visitors IP addresses in the log files so that they don’t all come through the reverse proxy IP addresses. The problem only seems to have been running SINCE I had Cloudflare installed but I have only just recently installed the modules to return the orig user IP addresses.

This might solve the issues especially with Brute Force, Login Limits, and anything to do with IP addresses being shared.

I have posted two links from CloudFlares own site on the subject on how to restore IP addresses.

https://support.cloudflare.com/hc/en-us/articles/200170836-How-do-I-restore-original-visitor-IP-to-Apache-Web-Servers-

https://www.cloudflare.com/resources-downloads

Thanks

Rob

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Does s2 work with Cloudflare’ is closed to new replies.

Tags