If you know the answer to all this, I’d love to hear it, because I can’t figure this out. What’s the real point of CloudFlare?
Fairly recently I was reading Tony Perez’s post about CloudFlare vs Incapsula vs ModSecurity. As regular readers may know, I am frenemies with Mod_Security. I often want to kill it with fire, but I never disable it entirely because it protects my site from hackers. By using Mod_Security I limit my chances of having Bobby Tables kill my site.
Using Mod_Security gives you some protection from simple SQL injections, but also XSS attacks. You can integrate it with things like Project Honeypot. As they put it:
ModSecurity™ is an open source, free web application firewall (WAF) Apache module. With over 70% of all attacks now carried out over the web application level, organizations need all the help they can get in making their systems secure. WAFs are deployed to establish an external security layer that increases security, detects and prevents attacks before they reach web applications. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with little or no changes to existing infrastructure.
And you know what? It really does all that.
So what’s CloudFlare? It’s an intermediary between your site and the world which caches your site, compresses data, and gives people the fastest version of your site. In the event your site is down, they’ll serve cached versions. They even give you a pretty picture.
The first time I heard about this, I arched my eyebrows in surprise and confusion. I’m going to make my site faster by putting more layers between the reader and my content? That means instead of just relying on my server and host to be fast, serve compressed pages, keep the lights on, keep a speedy connection to the Intertubes, and do all the things that needs to happen for the magic pipe between my website and you guys, I’m doing all that and trusting someone new to help me do it better. Interesting, Captain. How are they doing this?
CloudFlare has a few tricks to do this: CDN (content loads faster if it’s stored local to the people visiting the site), content optimization (minimizes and compresses page content), security (protecting you from DDOS and SQL injection), and analytics.
Except when I look at that list I think that I already use mod_pagespeed to minimize and compress my content, mod_security to protect me (also Config Server Firewall for the DDoS stuff), and analytics is done by my server or Google. For me, that means the only thing they’re offering that I don’t have is a CDN. I read up on CloudFlare’s CDN, and they tout not having the weight of 15 years legacy crap. That’s a tricky edge to dance on, since they also don’t have the experience of those 15 years, or the network. In fact, looking at their network map, they have nothing in South America. Guess what the number two location is for people visting my sites? Brazil.
And this, my children, is why you study your stats to understand who is visiting your site, where from, why, and with what browsers. Right away I can see that CloudFlare, while interesting, doesn’t seem to have any benefit for me. If I decide that I want a CDN, it’ll probably cost me around $30 more a month, minimum, for my sites and what they have on them today. Oh but wait, you say, CloudFlare is free?
Yeaaaah. I don’t trust free services very much. A free app, once I download it and put it on my server, I keep. A free service is hosted on someone else’s server, at their whimsy, and is supported as they see fit. Yes, this means I don’t trust Facebook or Twitter. A free service is interesting only in that it lets me try it before I buy it, and for that, I approve of how CloudFlare does it. But the problem is today I went to a website and saw this:
What did I do? I didn’t visit this website. They can brag about the whole 30ms response time all they want, but if I went to a website and hit a barrier like that, I stop because it’s getting in the way of my surfing. That was my initial quandary about CloudFlare after all. How can it provide all these awesome things without getting in the way? And it can’t for everyone. At first I thought it was because I was going through bit.ly and it worried I was a spammer (okay, fair enough), so I tried manually, and it was the same problem. I just went to the page normally now, and it’s been well more than “5 seconds” and the site still hasn’t loaded.
I fundamentally dislike anything that causes my users to do ‘more’ to get to my content. I think that it’s more harmful than a slow site, and it’s more harmful than letting these bad eggs visit my site. The right place to block a naughty person is when they’re doing something naughty. If my IP is a range of DDoS attackers, that’s one thing. You shouldn’t be detecting as the page loads, delaying me almost 30 seconds, and then loading the page. This delay is supposedly for my protection (me the site runner, not the visitor). Okay then, what are they protecting me from?
Part of CloudFlare’s service is something called a Web Application Firewall (WAF), which is fancy-speak for saying their computer looks at what people are coming to your site to do, what data they’re sending, and tries to figure out if they’re nice visitors (which it should let through) or naughty hackers (which it should block).(From WP Shine Cloudflare: Early Reports Question Effectiveness as Website Security Tool)
WAF came up before, with Mod_security. And at this moment, I go to a picture. Here’s what Tony parsed from the data:
He asked on Google+ what we took from that article, and my reply was “That the months I spent mastering mod_security was totally worth it.” If you don’t trust Tony’s numbers, you can read the full report on slideshare for yourself. Tony has the same feelings about Captcha as I do, by the way, though less strongly. I despise it more than I hate hotlinkers, and I hate hotlinking. Captchas are the worst barrier between content and consumer that was ever invented. They don’t work, they’re not accessibility friendly, and they are rarely implemented well. Hotlinking may be theft, but Captchas are shouting “No soup for you!”
Which brings me to my point.
What is CloudFlare doing? In plain english, can someone explain to me how it would benefit me? Ignoring the CDN aspect, the only WAF part I can see benefiting me is that CloudFlare (and Incapsula for that matter) essentially crowdsource the list of people who are ‘bad’ and shouldn’t access my site. Which is cool, and that I certainly like. It’s sort of like a Project Honeypot for baddies (and by the way, that would be a nice feature). Having the world bring in the list of bad people, as well as their patterns, and sharing that back out is a great way to keep everyone up to date quickly and seamlessly.
I really just can’t see why I’d ever want to use CloudFlare. It would certainly be a cheap and easy way to put some possible gain on my site, but in the long run I feel that managing these things myself (or hiring someone to do it) would be a better business solution. It saves me from the dread blackbox spam killer, which means I always know what’s going on. Now I know not everyone is capable of handling all this themselves, but from what I’ve seen, most webhosts already have mod_security running. So lets drop the WAF argument from the table, and we come down to the best thing CloudFlare’s doing is acting as a CDN and compressing content. That’s not good enough for me. At that point, you may as well use Google’s PageSpeed Service
I’m sure there are great reasons for using CloudFlare, but I just can’t see it.
Quick ETA… Talking to a coworker, it occurred to us that I may just not be their audience. I’m too big already and I took care of most of what they do. I can look at this and think “If I just have a small site and I want to speed it up on a shared server where I have no root nothings” then it looks way more reasonable. But I’m not.
Ironically, I had a post in my head about why I like Cloudflare, but it has nothing to do with anything you’ve mentioned.
The main reason I like Cloudflare is because it’s a single place to easily manage my DNS records. That’s it. The interface for adding/changing DNS records on Cloudflare is more straightforward and intuitive than almost any other domain registrar and, as an added bonus, you don’t need to remember that you got this domain from GoDaddy but that domain from Domains.com and your super-cool .ly domain you got on Gandi. Once you put in Cloudflare’s nameservers in all those places, you only need to worry about making DNS changes in one place and it doesn’t matter where the site is hosted or where the domain was registered.
Yeah, it does all that other stuff. And all of that stuff — all of it — can be turned off if you don’t want it. I don’t put too much stock into Cloudflare speeding up my site (though it does do caching) or how good (or bad) it is at the security stuff (I’ve never needed to rely on it for that, but then, I’ve never really had problems). I just like not having to go all over the place to deal with changing my DNS entries and trying to wrap my brain around whether this particular site has “zones” or wtf a DNS “zone” is anyway.
Yeah, as came up with my coworker Chris (!), I may just not be their audience. I’m too big already and I took care of most of what they do. I can look at this and think “If I just have a small site and I want to speed it up on a shared server where I have no root nothings” then it looks way more reasonable. But I’m not. I could see using it for my Dad’s wee site though. Of course I wince at the idea of handing my DNS to other people. And yes, I’m running my own DNS server.
I have to go read up on DNS DDoS though…
Well there’s your problem right there.
You say “problem” and I say “superpowers” 😎
It’s a preference thing, which is probably why I’m not their customer. Even if I look at if from the little guy perspective, though, there is going to be a break point where using these external services isn’t as beneficial as it was when I was a wee piddly.
I use CloudFlare across all of my websites; as Chris said, mostly because of the extremely simple DNS management interface.
The CDN functionality is nice too. I run a Windows software firm, which means a need a server to handle all the update checking and downloading of new versions (for around 3,000,000 users). As the majority of traffic is aimed at two or three specific files, I was able to use CloudFlare’s manual caching rules to always serve those files from their network.
I now save several terabytes of bandwidth each month, plus require an entire server less than before. Not bad for a free service.
You’re using their free service for that? Not paying them at least something for more assurance of uptime, reliability, and support? So what happens to you if they go down?
Well, if they go down; there is no “A new version of X is available. Please update.” message for a little while. Not really a big deal.
How much of your business depends on that?
It’s pretty minimal. If the software can’t connect to the update server, it will just assume it’s the latest version and let the user get on with things. They can hardly miss something they don’t know existed. Once CloudFlare comes back up, update notification will resume as per normal.
Having our apps automatically check for updates isn’t mission critical, it’s just a nice feature to have. Unfortunately with a lot of users, that “nice feature” uses a crapload of server resources. If I can offload it to a free provider, who can keep it running the vast majority of the time – absolutely free, why not?
How timely.
I installed CloudFlare on our site yesterday, for a couple of reasons:
– Last month our site was victim of hackers who have been adding links to V1ag5a and cash advance loans to homepages. I’m hoping that CloudFlare will give me some protection against it.
– Secondly, to protect the site against content scraping. CloudFlare claims to warn Webmasters whenever that’s happening. I’d be livid if I found out that someone copied parts of the content that I so thoughtfully have created.
But now, having read your post, and having seen the screenshot that you’ve posted with the DDoS protection message, I’m starting to question my decision.
To address the second worry first… Content scraping is unavoidable. It’s just going to happen, if you put your content on the web. Even people who put their text in images and flash find their content laboriously typed up by dedicated theives. If you don’t want it scraped, don’t put it online. That’s the only rule of the web.
As for the hackers. It depends on how you were hacked last time. Use only trustworthy plugins and themes, blah blah blah. It’s the same old to-do. The reason I use Mod_security so much is that I get a lot of attacks that are aimed at my SSH logins, and it can track those as well. Given my LAST hack was me being a nimrod and not being secure, I know what to watch out for when people are after me :/
So glad you wrote this and I came across it. I thought I was the only one, give or take a few developers I’ve talked to. The hype over CloudFlare has to do with it being a bandwidth/security/financial boon to big shared hosts that also takes significant responsibility off their plates (or so they’d like to think) that they have never handled well at all.
I’ve tried to use CloudFlare several times since their debut and always ended up shutting it down. Now I have no sites using it after their recent massive outage which definitely had to do with lack of experience. The DNS management is great, and I love the interface, but for all the same reasons you gave — and more — it just isn’t worth it, yet. I’m not sure it ever will be. On small, static sites the performance gain is negligible and the security benefit exists only for poorly managed bulk shared hosting users who have no clue about security. But even those folks are going to find it pretty frustrating to try to use a CMS behind CloudFlare plus any caching and optimization they’re doing with plugins or whatever. Caching an application’s backend interface is generally a bad idea and will frequently cause trouble, but I think you can block a few folders from being cached by CF now, on their free plan.
You can stop one folder from being cached, IIRC. We use it at DreamHost and I have a passing familiarity with it because the aggressive caching with rails hurt a couple customers.