XF Surge Guard 1.0.4

XF Surge Guard reduces wasted XenForo load from unauthenticated guest and bot request patterns before they keep consuming PHP, MySQL, and XenForo resources.

It is built for a specific problem:

A guest, bot, crawler, scanner, or broken link repeatedly hits dynamic XenForo URLs that produce missing routes, 404s, permission failures, or other low-value responses. XenForo still has to boot, route, dispatch, query, and render a response for traffic that has already proven to be wasteful.

XF Surge Guard watches eligible unauthenticated requests and, in Guard mode, temporarily exports high-confidence waste patterns to a lightweight early bootstrap guard.

On later matching requests, the guard can answer before XenForo fully boots.

That means less wasted work for XenForo, PHP, and MySQL.


XF Surge Guard observes eligible unauthenticated GET/HEAD requests and detects guest traffic waste such as:

• Soft 404 guest requests
• Missing dynamic XenForo paths
• Invalid route requests
• Failure-heavy guest traffic bursts
• Repeated bad-path requests
• Scanner-style probes and broken external links
• High-confidence request patterns that are safe to temporarily short-circuit

When a pattern qualifies, the add-on exports a short-lived rule to a lightweight early bootstrap guard loaded from XenForo’s src/config.php.

On later matching requests, the guard can return a tiny early response before XenForo performs expensive routing, controller dispatch, template rendering, session work, or database-heavy operations.


A guest requests:

Code:
/some-bad-url

XenForo boots normally and confirms the request is wasteful, such as a 404.

XF Surge Guard records the outcome.

If Guard mode is enabled, that guest request pattern can be temporarily managed.

The next matching guest request can then be answered early, before XenForo fully boots.

That means XenForo does not keep spending full application resources on the same disposable request pattern.

• Disabled - no observation and no early enforcement.
• Observe - records and analyses eligible guest waste patterns, but does not answer anything early.
• Guard - enables short-lived early protection for currently managed waste patterns.

Observe mode is useful when you want to see what XF Surge Guard would manage before enabling early protection.

Guard mode is where qualifying patterns can be temporarily answered before XenForo fully boots.





XF Surge Guard includes a practical Admin CP dashboard showing:

• Current mode
• Whether the state file is valid
• Whether effective early guarding is active
• Number of exported rules
• Bootstrap status
• Config writability
• Currently managed rules
• Why each rule was managed
• Request count, failure count, client count, score, and expiry time
• Manual release controls for managed rules
• Recent observed hits
• Recent guard events

The dashboard is intentionally diagnostic rather than bloated.

It shows what is being managed, why it was managed, when it expires, and whether the early bootstrap guard is healthy.


Managed rules are temporary path patterns exported for early bootstrap protection.

Each rule includes:

• The managed path
• The reason it qualified
• Request and failure counts
• Approximate client count
• Score
• Expiry time
• A manual release action

Rules are not permanent blocks.

They are short-lived protection entries designed to reduce repeated or high-confidence guest request waste during the period where that pattern is useful to guard.


XF Surge Guard keeps bounded local diagnostic logs for recent observed hits and recent guard events.

These are not intended to be a full traffic analytics system.

They are there so you can confirm what the add-on is seeing, what it is managing, and whether Guard mode is behaving as expected.

Early-blocked requests are intentionally not logged per-hit by XenForo, because the point is to avoid booting XenForo for those requests.


This add-on is deliberately cautious.

It uses:

• Short automatic TTLs
• Hard caps on exported guard rules
• Fail-open behaviour
• Safety exclusions for sensitive paths
• Manual release controls
• Bounded local diagnostics
• Privacy-conscious approximate client keys

Default safety exclusions include areas such as:

• Admin
• Install and upgrade
• Login, logout, register, and account paths
• API paths
• Payment paths
• Callback paths
• Webhook-style paths

Requests that look like they belong to logged-in XenForo users are allowed through to XenForo normally.


Many forums receive constant low-value guest traffic.

Common examples include:

• Old or broken attachment URLs
• Missing thread image paths
• Invalid route requests
• Old WordPress scanner paths
• Bot probes
• Broken external links
• Repeated requests for content that no longer exists

Even when these requests only return a 404 or another simple error, XenForo may still need to boot the application, route the request, create a response, and render an error page.

One bad request is not a big deal.

A burst of bad requests is unnecessary load.

XF Surge Guard gives XenForo a lightweight way to say:

“This unauthenticated request pattern has already proven to be low-value waste. Do not spend full XenForo resources on it again right now.”


XF Surge Guard is not:

• A DDoS protection service
• A Cloudflare replacement
• A web application firewall
• An AI bot detector
• A scraper fingerprinting system
• A country or ASN blocker
• A static page cache
• A user-agent blacklist

It does not try to identify every bad actor on the internet.

It does not replace proper network-level protection.

It focuses on a narrower and more practical job:

Reduce wasted dynamic guest-request work before it keeps consuming XenForo, PHP, and MySQL resources.

• XenForo 2.1.0+
• PHP 7.2+
• Writable internal_data
• Writable src/config.php during installation, or manual insertion of the bootstrap block if automatic insertion is not possible

XF Surge Guard uses a small bootstrap include from XenForo’s src/config.php so it can act before XenForo fully boots.

If src/config.php is writable during installation, the add-on can insert the bootstrap block automatically.

If it is not writable, the dashboard will indicate the bootstrap status and the block can be inserted manually.