Moodle in English: Cloudflare configuration on Moodle.org

Cloudflare configuration on Moodle.org

by Cathal O'Riordan - Thursday, November 19, 2015, 10:55 PM

Hi all,

I've seen it mentioned in other Forum posts that Moodle.org is using the CloudFlare service, and has been for some time. This is great! I've been working with it for a little while with a view to rolling it out onto my institutes Moodle site.

I think it would be really helpful if we had some kind of write up from those involved at the Moodle.org side on their experiences in working with CloudFlare, the pitfalls they've run into, best practices to follow etc. I think this would be immensely beneficial to many of us Moodle admins who want to find ways to 'bullet-proof' their sites, especially in this environment of increasingly frequent cyber-attacks. Who else would like to see this published? Show of hands ...

Re: Cloudflare configuration on Moodle.org

by Cathal O'Riordan - Saturday, November 21, 2015, 12:25 AM

The level of response is overwhelming

Tumbleweed!

Average of ratings: -

Re: Cloudflare configuration on Moodle.org

by Usman Asar - Saturday, November 21, 2015, 1:11 AM

Hi Cathal,

I was actually waiting for someone to comment from the moodle.org's as you mentioned asking for site admins putting their experiences, I have used CloudFlare together with Incapsula and Google Page Speed (Now retired), not for the reasons of security as since I have started using Moodle back in 2009, I havent heard one case of security breach in Moodle, but for performance reasons and have found CloudFlare working very well even with beta features (Rocket Loader) turned on, where they did mentioned if it shows issues can be turned off.

I was just thinking a day before your post arrived, Moodle may will not be able to make full use of CloudFlare in terms of caching as CloudFlare's servers does only cache files that are in public_html/wwwroot, anything outside may will not be cached and essentially all files that are uploaded in moodle goes to moodledata folder that is effectively outside of public_html folder.

In terms of security, I had always kept it essentially turned off for I have seen sometimes Ukranian search engine bots (yandex) are blocked plus a few around, but they didnt and never imposed any threat to website, and regards to that I have already mentioned no case heard of moodle being hacked (Kudos to weekly updates to Moodle)

I can say, the use of CF's security where your core server isn't hardened properly, plus those web scripts that are highly used as per statistics (Like WordPress), so putting tight security using CF on a wordpress site makes more sense to me.

Rest if you want to use CF for performance purposes, then surely its recommended.

Average of ratings: -

Re: Cloudflare configuration on Moodle.org

by Cathal O'Riordan - Monday, November 23, 2015, 5:40 AM

Hi Usman,

Thanks for replying. What I'm mainly interested in is understanding where Cloudflare would sit "architecturally" within a typical Moodle instance. Without going into too much detail now, our Moodle site runs with a couple of existing load balancers. I'm wondering if I introduce Cloudflare, do these now become unnecessary?

Cloudflare certainly looks very straightforward to set up, and to date, I've had some success in configuring it for a very simple Moodle site. Beyond that, I'm unsure. Hence the reason for reaching out and looking for guidance from those who are using it successfully.

Once again, thanks for your response. You've been very helpful to me in your previous responses to other threads I've started on this topic.

Cathal.

Average of ratings: -

Re: Cloudflare configuration on Moodle.org

by Usman Asar - Monday, November 23, 2015, 3:29 PM

Hello Cathal,

Setting up CloudFlare wont effect the need of load balancers as it only cache's certain types of files (Images, documents, pdf's etc) and not the database files, where need of load balancer comes into place where you have load on server to compensate for users coming in and this load is actually generated by database and application server, and cloudflare does not effect any of these. if you have loads of images and downloadable document files on your moodle, then there will be saving of bandwidth and reduction of page size for sure (as it optimizes code as well).

There has been a recent case where a fellow Moodler came up with his concern for slow site (I'll manage to find actual post later), but he did his test of Moodle site using GTMatrix showing poor result, where actual scoring being poor never effects the popularity of site, but what I was concerned for his page load time and rendering size, I recommended CloudFlare as quickest and most feasible solution without spending a penny and here are the results

Before CloudFlare: Link Here - Notice Page Load Time and Size

After CloudFlare: Link Here - Again compare page load time and size

So one can surely expect page load performance from CloudFlare, but part of application server and database server still relies on the actual origin server.

Average of ratings: -

Re: Cloudflare configuration on Moodle.org

by Howard Miller - Saturday, November 21, 2015, 6:02 PM

I don't speak for them but Moodle HQ tend not to comment on such things.

Average of ratings: -

Re: Cloudflare configuration on Moodle.org

by Cathal O'Riordan - Monday, November 23, 2015, 5:31 AM

I'm mainly interested in using Cloudflare for its ability to detect and fend off attacks on websites. Yes, the CDN aspect of Cloudflare is interesting too, but not a priority for me right now.

Regarding Moodle HQ, if its something that could directly benefit others who are intending on employing it in their Moodle stack, why not share experiences?

Average of ratings: -

Re: Cloudflare configuration on Moodle.org

by Dan Poltawski - Monday, November 23, 2015, 5:29 PM

Hi Cathal,

Though I wasn't involved in deciding to use Cloudfare on Moodle.org, I do know a little bit about our use of it here and have dealt with some problems relating to it.

In response to your request for us to write up our experiences - I'd say you are over-estimating the interesting things we have to say about it. My brief comments would be:

Moodle.org, as a public site used worldwide can benefit from the cloudflare CDN to lower latency to various places around the world and offload some requests. We are not using complex configuration to achieve this, Moodle comes out the box with cacheable resources served with the correct headers so cloudflare does this like any reverse proxy would.
In general, the various 'security features' have tended not to protect against spam onslaughts and created many false positives. My sense is that it particularly negatively impacts our users from the developing world so we usually have the security level turned off
I do not think you can really draw from experiences of moodle.org for other Moodle sites. Moodle.org is a bit of an unusual case (lots of non-logged in use which is not really a good fit for an LMS).

cheers,

Dan

Average of ratings:Useful (2)

Re: Cloudflare configuration on Moodle.org

by Matt Spurrier - Tuesday, November 24, 2015, 9:17 AM

Hi Cathal,

Moodle.org uses CloudFlare to primarily provide CDN and DDoS mitigation services,

As security is only as strong as it's weakest link, I'd prefer not to disclose in detail the functions we use on the CloudFlare nor our hosting environments.

I will, however, note that CF does save us a considerable amount of bandwidth in normal HTTP requests alone (last month saving ~ 2.8TB).

Like in real life, in the world of technology, there's really no such thing as bullet-proof, just resistant.

There certainly are some pitfalls to using CF, such as dependence on their infrastructure being available, having no control during upstream outages, and Caching can cause a problem at times.

Caching issues in particular can generally be worked around by sending the right headers, however some times you just need to clear the cache manually - so with this I'd advise only setting standard level caching, with a lower browser cache, and rely on the headers being sent from your hosting environment.

Utilise tools like mod_remoteip to fix the incoming IP addresses on your local instance, restrict access to the CF IP's as required, ensure SSL is not offloaded at the CF end.

Hope that helps,

Kind Regards,

Matt
ICT Manager
Moodle HQ

Average of ratings: -

Hardware and performance

Cloudflare configuration on Moodle.org