Using Cloudflare Workers as a Proxy for XenForo

Cloudflare Workers can act as a lightweight HTTP proxy in front of your XenForo site. The XenVn add-on provides a simple integration: outgoing requests from your forum are routed through Workers, thus hiding the origin server IP. Here is a guide explaining why, how, and an example of a ready-to-use Worker.

External connections such as: getting image content (convert external images into attachments), external url information (unfurl url to a rich preview) will go through Worker Proxy and completely hide your server IP.
Connections to important services such as: account connection, payment, captcha check, spam check, etc. will go directly without going through Worker Proxy to ensure stability.

Why use a Cloudflare Worker as a proxy? (pros & cons)
Pros

• Hides origin IP - outbound requests from XenForo will appear to originate from Cloudflare worker endpoints instead of your server, reducing direct exposure of your server IP.
• Simple to deploy - Workers are configured in Cloudflare dashboard; no additional external server required.
• Lightweight and fast at edge - for small request volumes Workers are very responsive and run at Cloudflare edge locations.
• Fine control - you can implement whitelists, logging, custom header handling, or simple request rewriting in the Worker.

Cons / caveats

• Cost for heavy traffic - Cloudflare Workers has a free tier but can incur costs at scale or for high request volume.
• Latency for free endpoints - free / shared worker endpoints can be slower than paid or dedicated proxies.
• Limits & rate limiting - Workers have CPU/time and bandwidth limits; very large files or long-running requests may be problematic.
• Security - if the Worker is misconfigured (no secret key check, or open to anyone), it can be abused to proxy arbitrary requests.
• Bypass list required - you should bypass important domains (things you don’t want proxied) to avoid creating problems with third-party services (see below).

Note: XenForo 2 itself has proxy options/configuration available (and many admins use dedicated, paid proxies). Paid proxies usually give more consistent throughput and predictable billing; free solutions may be slower or have usage limits.

Enabling the feature in XenVn (where to enter settings)
In the XenVn addon settings you’ll find fields for Cloudflare Worker integration. The UI path is:
XenVn Setting → Extra [I]→ [/I]Cloudflare Workers Proxy / Workers Secret Key
There are three fields:

• Cloudflare Workers Proxy - a Workers endpoint URL (e.g. https://your-worker.domain.workers.dev).
• Workers Secret Key - the secret value (proxy_key) that XenVn will send to the Worker with each proxied request.
• Workers Proxy Whitelist - whitelist domains / urls for Workers Proxy.

How to create a Worker and the Secret Key in Cloudflare

1. Create the Worker
   • Log into Cloudflare Dashboard.
   • Go to Build → Compute & AI → Workers & Pages.
   • Create a new Worker by clicking the Create application button and using the sample code provided in XenVn's Worker setup section.
   • Deploy the Worker. You will get a *.workers.dev subdomain (or you can bind a custom domain).
2. Create the Secret proxy_key
   • In the Worker’s settings, open Settings → Variables & Secrets.
   • Add a Secret (Type: text, Variable name: proxy_key).
   • Set its value to a strong random string (this is the secret XenVn settings will use).
3. Copy Worker URL & Secret to XenVn
   • Paste the Worker URL into Cloudflare Workers Proxy in XenVn.
   • Paste the secret into Workers Secret Key in XenVn.

Worker behavior & query format
XenVn will send requests to the Worker in the form:
https://your-worker.workers.dev?url=<target_url>&proxy_key=<secret>

Important domains are bypassed (not proxied) by XenVn to avoid issues: xenforo.com, google.com, cloudflare.com, paypal.com, etc. - those requests will go directly or be excluded depending on the addon logic.

How to test Worker Proxy

• Go to Xenforo Admin → Tools → Test image proxy.
• Paste a link to an external image.
• Click Run test, if the result is successful: ok.
• Go to the Workers & Pages management section on Cloudflare → Select your Worker.
• Go to: Observability.
• You will see the connection log.
• Note: it will update every 2 minutes.

Cloudflare Workers Free Plan Limits
Workers & Pages Functions

• Up to 10ms CPU time per request
• Up to 100,000 per day (UTC+0)

Workers Builds

• 1 concurrent build slot
• Up to 3,000 minutes per month

Workers Logs

• Filter and analyze logs emitted from your Worker
• 200,000 events per day
• 3 day retention

Workers Proxy Domain Whitelist
By default, the following domains will not go through the Worker (bypass). These are important, reputable domains, and are used for important connections such as: linking accounts, sending mail, processing payments, captcha check, spam check... so we should not proxy them.

xenvn.com
xenforo.com
google.com
googleapis.com
gmail.com
bing.com
yandex.com
recaptcha.net
paypal.com
2checkout.com
stripe.com
microsoft.com
github.com
akismet.com
stopforumspam.com
stopforumspam.org
httpbl.org
projecthoneypot.org
cloudflare.com
textcaptcha.com
keycaptcha.com
hcaptcha.com
facebook.com
tiktok.com
x.com
linkedin.com
office.com
office365.com
microsoftonline.com
yahoo.com
apple.com
xenforo.com
ipqualityscore.com
subfonter.net
workers.dev
giphy.com
twitter.com
telegram.org

You can add other domains yourself if needed in the Workers Proxy Whitelist field.

 

XenVn - All In One Tools for Xenforo 2  2.4.3

[pacman]

I see no option to add the settings in your addon under [E]xtra Options.

 

[xenvn]

@pacman
This is a new feature, will be available in XenVn version 2.4.4