XF Surge Guard reduces wasted XenForo load from unauthenticated guest and bot request patterns before they keep consuming PHP, MySQL, and XenForo resources.
It is built for a specific problem:
A guest, bot, crawler, scanner, or broken link repeatedly hits dynamic XenForo URLs that produce missing routes, 404s, permission failures, or other low-value responses. XenForo still has to boot, route, dispatch, query, and render a response for traffic that has already proven to be wasteful.
XF Surge Guard watches eligible unauthenticated requests and, in Guard mode, temporarily exports high-confidence waste patterns to a lightweight early bootstrap guard.
On later matching requests, the guard can answer before XenForo fully boots.
That means less wasted work for XenForo, PHP, and MySQL.
What it doesXF Surge Guard observes eligible unauthenticated GET/HEAD requests and detects guest traffic waste such as:
Soft 404 guest requests
Missing dynamic XenForo paths
Invalid route requests
Failure-heavy guest traffic bursts
Repeated bad-path requests
Scanner-style probes and broken external links
High-confidence request patterns that are safe to temporarily short-circuit
When a pattern qualifies, the add-on exports a short-lived rule to a lightweight early bootstrap guard loaded from XenForo’s src/config.php.
On later matching requests, the guard can return a tiny early response before XenForo performs expensive routing, controller dispatch, template rendering, session work, or database-heavy operations.
Simple exampleA guest requests:
Code:
/some-bad-url
XenForo boots normally and confirms the request is wasteful, such as a 404.
XF Surge Guard records the outcome.
If Guard mode is enabled, that guest request pattern can be temporarily managed.
The next matching guest request can then be answered early, before XenForo fully boots.
That means XenForo does not keep spending full application resources on the same disposable request pattern.
Operating modes
Disabled - no observation and no early enforcement.
Observe - records and analyses eligible guest waste patterns, but does not answer anything early.
Guard - enables short-lived early protection for currently managed waste patterns.
Observe mode is useful when you want to see what XF Surge Guard would manage before enabling early protection.Guard mode is where qualifying patterns can be temporarily answered before XenForo fully boots.
Admin dashboard
XF Surge Guard includes a practical Admin CP dashboard showing:
Current mode
Whether the state file is valid
Whether effective early guarding is active
Number of exported rules
Bootstrap status
Config writability
Currently managed rules
Why each rule was managed
Request count, failure count, client count, score, and expiry time
Manual release controls for managed rules
Recent observed hits
Recent guard events
The dashboard is intentionally diagnostic rather than bloated.
It shows what is being managed, why it was managed, when it expires, and whether the early bootstrap guard is healthy.
Currently managed rules
Managed rules are temporary path patterns exported for early bootstrap protection.
Each rule includes:
The managed path
The reason it qualified
Request and failure counts
Approximate client count
Score
Expiry time
A manual release action
Rules are not permanent blocks.
They are short-lived protection entries designed to reduce repeated or high-confidence guest request waste during the period where that pattern is useful to guard.
Recent observed hits and guard events
XF Surge Guard keeps bounded local diagnostic logs for recent observed hits and recent guard events.
These are not intended to be a full traffic analytics system.
They are there so you can confirm what the add-on is seeing, what it is managing, and whether Guard mode is behaving as expected.
Early-blocked requests are intentionally not logged per-hit by XenForo, because the point is to avoid booting XenForo for those requests.
Safety-first design
This add-on is deliberately cautious.
It uses:
Short automatic TTLs
Hard caps on exported guard rules
Fail-open behaviour
Safety exclusions for sensitive paths
Manual release controls
Bounded local diagnostics
Privacy-conscious approximate client keys
Default safety exclusions include areas such as:
Admin
Install and upgrade
Login, logout, register, and account paths
API paths
Payment paths
Callback paths
Webhook-style paths
Requests that look like they belong to logged-in XenForo users are allowed through to XenForo normally.
Why this is useful
Many forums receive constant low-value guest traffic.
Common examples include:
Old or broken attachment URLs
Missing thread image paths
Invalid route requests
Old WordPress scanner paths
Bot probes
Broken external links
Repeated requests for content that no longer exists
Even when these requests only return a 404 or another simple error, XenForo may still need to boot the application, route the request, create a response, and render an error page.
One bad request is not a big deal.
A burst of bad requests is unnecessary load.
XF Surge Guard gives XenForo a lightweight way to say:
“This unauthenticated request pattern has already proven to be low-value waste. Do not spend full XenForo resources on it again right now.”
What it is not
XF Surge Guard is not:
A DDoS protection service
A Cloudflare replacement
A web application firewall
An AI bot detector
A scraper fingerprinting system
A country or ASN blocker
A static page cache
A user-agent blacklist
It does not try to identify every bad actor on the internet.
It does not replace proper network-level protection.
It focuses on a narrower and more practical job:
Reduce wasted dynamic guest-request work before it keeps consuming XenForo, PHP, and MySQL resources.
Requirements
XenForo 2.1.0+
PHP 7.2+
Writable internal_data
Writable src/config.php during installation, or manual insertion of the bootstrap block if automatic insertion is not possible
Installation noteXF Surge Guard uses a small bootstrap include from XenForo’s src/config.php so it can act before XenForo fully boots.
If src/config.php is writable during installation, the add-on can insert the bootstrap block automatically.
If it is not writable, the dashboard will indicate the bootstrap status and the block can be inserted manually.
Bấm vào đây để tải về từ Google Drive
It is built for a specific problem:
A guest, bot, crawler, scanner, or broken link repeatedly hits dynamic XenForo URLs that produce missing routes, 404s, permission failures, or other low-value responses. XenForo still has to boot, route, dispatch, query, and render a response for traffic that has already proven to be wasteful.
XF Surge Guard watches eligible unauthenticated requests and, in Guard mode, temporarily exports high-confidence waste patterns to a lightweight early bootstrap guard.
On later matching requests, the guard can answer before XenForo fully boots.
That means less wasted work for XenForo, PHP, and MySQL.
What it doesXF Surge Guard observes eligible unauthenticated GET/HEAD requests and detects guest traffic waste such as:
Soft 404 guest requests
Missing dynamic XenForo paths
Invalid route requests
Failure-heavy guest traffic bursts
Repeated bad-path requests
Scanner-style probes and broken external links
High-confidence request patterns that are safe to temporarily short-circuit
When a pattern qualifies, the add-on exports a short-lived rule to a lightweight early bootstrap guard loaded from XenForo’s src/config.php.
On later matching requests, the guard can return a tiny early response before XenForo performs expensive routing, controller dispatch, template rendering, session work, or database-heavy operations.
Simple exampleA guest requests:
Code:
/some-bad-url
XenForo boots normally and confirms the request is wasteful, such as a 404.
XF Surge Guard records the outcome.
If Guard mode is enabled, that guest request pattern can be temporarily managed.
The next matching guest request can then be answered early, before XenForo fully boots.
That means XenForo does not keep spending full application resources on the same disposable request pattern.
Operating modes
Disabled - no observation and no early enforcement.
Observe - records and analyses eligible guest waste patterns, but does not answer anything early.
Guard - enables short-lived early protection for currently managed waste patterns.
Observe mode is useful when you want to see what XF Surge Guard would manage before enabling early protection.Guard mode is where qualifying patterns can be temporarily answered before XenForo fully boots.
Admin dashboard
XF Surge Guard includes a practical Admin CP dashboard showing:
Current mode
Whether the state file is valid
Whether effective early guarding is active
Number of exported rules
Bootstrap status
Config writability
Currently managed rules
Why each rule was managed
Request count, failure count, client count, score, and expiry time
Manual release controls for managed rules
Recent observed hits
Recent guard events
The dashboard is intentionally diagnostic rather than bloated.
It shows what is being managed, why it was managed, when it expires, and whether the early bootstrap guard is healthy.
Currently managed rules
Managed rules are temporary path patterns exported for early bootstrap protection.
Each rule includes:
The managed path
The reason it qualified
Request and failure counts
Approximate client count
Score
Expiry time
A manual release action
Rules are not permanent blocks.
They are short-lived protection entries designed to reduce repeated or high-confidence guest request waste during the period where that pattern is useful to guard.
Recent observed hits and guard events
XF Surge Guard keeps bounded local diagnostic logs for recent observed hits and recent guard events.
These are not intended to be a full traffic analytics system.
They are there so you can confirm what the add-on is seeing, what it is managing, and whether Guard mode is behaving as expected.
Early-blocked requests are intentionally not logged per-hit by XenForo, because the point is to avoid booting XenForo for those requests.
Safety-first design
This add-on is deliberately cautious.
It uses:
Short automatic TTLs
Hard caps on exported guard rules
Fail-open behaviour
Safety exclusions for sensitive paths
Manual release controls
Bounded local diagnostics
Privacy-conscious approximate client keys
Default safety exclusions include areas such as:
Admin
Install and upgrade
Login, logout, register, and account paths
API paths
Payment paths
Callback paths
Webhook-style paths
Requests that look like they belong to logged-in XenForo users are allowed through to XenForo normally.
Why this is useful
Many forums receive constant low-value guest traffic.
Common examples include:
Old or broken attachment URLs
Missing thread image paths
Invalid route requests
Old WordPress scanner paths
Bot probes
Broken external links
Repeated requests for content that no longer exists
Even when these requests only return a 404 or another simple error, XenForo may still need to boot the application, route the request, create a response, and render an error page.
One bad request is not a big deal.
A burst of bad requests is unnecessary load.
XF Surge Guard gives XenForo a lightweight way to say:
“This unauthenticated request pattern has already proven to be low-value waste. Do not spend full XenForo resources on it again right now.”
What it is not
XF Surge Guard is not:
A DDoS protection service
A Cloudflare replacement
A web application firewall
An AI bot detector
A scraper fingerprinting system
A country or ASN blocker
A static page cache
A user-agent blacklist
It does not try to identify every bad actor on the internet.
It does not replace proper network-level protection.
It focuses on a narrower and more practical job:
Reduce wasted dynamic guest-request work before it keeps consuming XenForo, PHP, and MySQL resources.
Requirements
XenForo 2.1.0+
PHP 7.2+
Writable internal_data
Writable src/config.php during installation, or manual insertion of the bootstrap block if automatic insertion is not possible
Installation noteXF Surge Guard uses a small bootstrap include from XenForo’s src/config.php so it can act before XenForo fully boots.
If src/config.php is writable during installation, the add-on can insert the bootstrap block automatically.
If it is not writable, the dashboard will indicate the bootstrap status and the block can be inserted manually.
Bấm vào đây để tải về từ Google Drive
