What does it do? 

This extension ensures your TYPO3 website is running optimally on the Cloudflare platform. With it, you receive:

• Correct IP address information for visitors
• Better protection against common vectors of attacks

Things you need to know:

• The main purpose of this extension is to ensure you have no change to your originating IPs when using Cloudflare. Since Cloudflare acts as a reverse proxy, connecting IPs now come from Cloudflare's range. This extension will ensure you can continue to see the originating IP ^[#].
• In addition, this extension lets you benefit from Cloudflare's caching mechanism transparently and will automatically flush the cache for you, when it is needed.
• This extension lets you manage multiple domains on Cloudflare, just as TYPO3 does, and lets you easily toggle "Development Mode" from TYPO3 Backend whenever Cloudflare's optimizations should be temporarily bypassed.

Finally, it provides a handy dashboard as a Backend module featuring some analytics.

What is Cloudflare? 

Cloudflare protects and accelerates any website online. Once your website is a part of the Cloudflare community, its web traffic is routed through their intelligent global network. They automatically optimize the delivery of your web pages so your visitors get the fastest page load times and best performance. They also block threats and limit abusive bots and crawlers from wasting your bandwidth and server resources. The result: Cloudflare-powered websites see a significant improvement in performance and a decrease in spam and other attacks.

Cloudflare's system gets faster and smarter as their community of users grows larger. They have designed the system to scale with their goal in mind: helping power and protect the entire Internet.

Cloudflare can be used by anyone with a website and their own domain, regardless of your choice in platform. From start to finish, setup takes most website owners less than 5 minutes. Adding your website requires only a simple change to your domain's DNS settings. There is no hardware or software to install or maintain and you do not need to change any of your site's existing code. If you are ever unhappy you can turn Cloudflare off as easily as you turned it on. Their core service is free and they offer enhanced services for websites who need extra features like real time reporting or advanced SSL protection.

Read more on: https://www.cloudflare.com/.

Step 1 

Install the Cloudflare TYPO3 extension to restore visitor IP. Since Cloudflare acts as a proxy for sites, Cloudflare's IPs are going to show in your logs, unless you install something to restore the original visitor IP.

This extension can be installed through the typical TYPO3 installation process using the Extension Manager or using composer, if you prefer.

Step 2 

Review your basic security settings.

If you have a site that is frequently the target of spam or botnet attacks, changing your security level to a higher setting will help further reduce the amount of spam you get on your site. Cloudflare defaults all users to a medium setting when you first add the domain to Cloudflare.

Why do this? If you want your site to have less security and protection from various attacks, then you would want to change your setting to a lower level (please keep in mind this makes your site more vulnerable). If you want your site to have higher security, please keep in mind that you may get more false positives from visitors complaining about a challenge page that they have to pass to enter your site.

Step 3 

To do so, create a Page Rule to exclude the typo3 sections from Cloudflare's caching and performance features. You can access Page Rules in your Cloudflare dashboard.

URL pattern: www.example.com/typo3/*
Performance: off

Category Basic 

• Use Bearer Authentication (recommended) : Enables RFC 6750 Bearer Authentication. With this setting enabled, Email is no longer a required field (see below for configuration).
• Email : The e-mail address associated with the API key.
• API Key : This is the API key made available on your account page (https://www.cloudflare.com/a/account/my-account)
• Domains : Once the API key and the email are successfully saved (be sure to click on "Save cloudflare configuration" button first and possibly reload the extension configuration modal dialog), a list of domains (or zones in Cloudflare's terminology) handled by the corresponding account is rendered. Just tick the corresponding check boxes to instruct TYPO3 which domains should get their cache flushed when clearing all caches in TYPO3 Backend.
• Enable Analytics Backend module : Shows the Analytics module in Backend (under "Cloudflare" dedicated section).

Category Advanced 

• Purge individual files by URL: This checkbox allows you to purge individual files on Cloudflare's cache using an URL.

• Purge cache by Cache-Tag: This checkbox allows you to purge individual files on Cloudflare's cache using the associated Cache-Tag. Beware: This option requires an Enterprise account.

  Note

  In addition you will need to create a page rule asking to cache everything because HTML content is not cached by default.

• Originating IPs : This checkbox allows you to restore the originating IPs.

You should consider restoring originating IPs at the Web Server level instead. If using Nginx, please read https://support.cloudflare.com/hc/en-us/articles/200170706-Does-CloudFlare-have-an-IP-module-for-Nginx- for instructions.

The official list of Cloudflare's reverse-proxy IPs (both IPv4 and IPv6) can be found on https://www.cloudflare.com/ips.

$GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyIP'] = '10.0.0.5';
$GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyHeaderMultiValue'] = 'first';

Allowing Backend users to clear cache on Cloudflare 

You can enable the "flash icon" clear cache command for common Backend users by adding following code to user's and/or user group's TSconfig:

options.clearCache.cloudflare = 1

Configuration of the Bearer Authentication 

• Go to https://dash.cloudflare.com/profile/api-tokens
• Under the section "API Tokens", click the button "Create Token"
• Choose to create a custom token instead of a template

• This extension requires following permissions:

  • Zone / Zone / Read (to be able to select the zone while configuring the extension)
  • Zone / Zone Settings / Edit (to toggle Development mode)
  • Zone / Cache Purge / Purge (for obvious reason)
  • Zone / Analytics / Read (for the Backend module showing statistics)

Naturally you should restrict your token to one or more zones (zone resources).

Full SSL 

As explained full SSL means Cloudflare provides its own wildcard certificate for your end-users but still connects using SSL to your server. This is of course the most secured option. The common problem with SSL on your own servers is when having virtual hosts (multiple domains on the same IP).

Year ago I successfully checked if Cloudflare would support SNI (an extension to the TLS protocol that indicates what hostname the client is attempting to connect to at the start of the handshaking process) and self-signed certificates and this is the case.

Read more:

• Nginx configuration
• Apache configuration

How to contribute 

This extension is using the same contribution workflow as for TYPO3 Core, but with GitHub PRs for the review process. Please read more about the workflow in the TYPO3 Contribution Guide.