Using Cloudflare and Backdrop CMS together

This guide is intended to help people using Cloudflare to speed up and protect their Backdrop CMS sites.

Step #1

Create three Cloudflare PageRules to exclude the Backdrop cron page and the link to run cron as an admin from Cloudflare’s caching and performance features:

• www.example.com/node/*/edit - Cache Level: Bypass
• www.example.com/node/add/* - Cache Level: Bypass
• www.example.com/core/cron.php* - Cache Level: Bypass

Step #2

If you have a valid SSL certificate on your server, you'll need to navigate to the Cloudflare Crypto section and update the SSL setting to `Full (strict)`. Without this setting SSL will be terminated at the Cloudflare edge server, and all traffic on your server will come in through port 80 instead of 443.

Step #3

Visit the Firewall section, and whitelistist IP addresses you expect a lot of traffic from. Some common services you probably want to whitelist include:

* APIs you’re pulling from
* Monitoring services you use to monitor your site
* Security services
* IP addresses you frequently login from

If Cloudflare finds an IP address with a high threat score going to your site, or if you have Cloudflare's Web Application Firewall turned on, you may get challenged, or services you want to access your site may get challenged. Taking the steps to whitelist before there is a problem will prevent issues.

Note: Cloudflare whitelists all known search engine and social media crawlers in our macro list. If you decide to block entire countries, please use care because you may end up inadvertently blocking their crawlers (blocking the USA, for example, could mean that a good crawler gets challenged).

Step #4

Review basic Cloudflare security settings

If your site is frequently the target of spam attacks or botnet attacks, changing your security level to a higher level will reduce the amount of spam you get on your site. We default all users to a medium setting when they first add the domain to Cloudflare.

If you want your site to have less security and protection from various attacks, then you would want to change your settings to a lower level (please keep in mind this makes your site more vulnerable). If you want your site to have higher security, please keep in mind that you may get more false positives from visitors complaining about a challenge page that they have to pass to enter your site.

Step #5

If you are using services like .htaccess, firewalls or server mods to manage access to your site from visitors, it is vitally important to make sure requests from Cloudflare’s IP ranges are not being blocked or limited in any way. The number one cause of site offline issues is something blocking or restricting requests from Cloudflare IPs, so please take the time to make sure that all of Cloudflare’s IPs are whitelisted on your server and with your hosting provider.

This will prevent false offline messages from appearing on your site to you or visitors.

Credit: This guide was adopted from Cloudflare's documentation for Drupal