
February 27, 2012


Thoughts on CloudFlare

by e1ven


Overview

Over the last few weeks, I tested CloudFlare as a low-cost CDN for RoboHash.org.

I did this partly to test the speed, and partly to reduce the bandwidth costs that I was seeing through MaxCDN.

A little background: CloudFlare works by taking over as the primary DNS provider for your domain. In order to use their service, you need to set CloudFlare as your domain’s primary name servers.
This makes some sense, since it lets them route requests to whichever of their servers is appropriate, but it creates a bit of a headache.

I offer Robohash in both HTTP and HTTPS versions. In order to serve HTTPS through CloudFlare, you need to be a premium/paid member. That’s fine, and I don’t mind the fee, but you can’t upgrade your account until your DNS has already been moved over.

This creates a bit of a headache in that you have to commit to fully using CloudFlare before you get a chance to really test it. With most CDNs I’ve used, I can set up an origin pull and run both concurrently.

Speed

Subjectively, the site did feel faster. I also noticed that the number of hits reaching my nginx instance was cut down dramatically. Within 2 days, the number of hits reaching my server was cut to 1/7th of what it had been prior.

That makes sense, since the RoboHash.org content is HIGHLY cacheable. In the typical usage, such as a forum or blog, the Robot will be generated for the first user, and then every subsequent load will be from cache.

Ping Times

Pingdom didn’t report any clear change in the load times.
If anything, the page load times seem far more variable after moving over.

SSL

Enabling SSL support through CloudFlare was spookily simple.
CloudFlare accepts the SSL request to their site, and proxies it back to my origin over normal HTTP. In other words, the browser’s connection is encrypted only as far as CloudFlare’s edge; the hop from CloudFlare to the origin travels in the clear.

I didn’t need to give them a copy of my certificate, or give them any additional information.

[Screenshot: CloudFlare security level set to “Essentially Off”]

Security Setting

CloudFlare has a built-in feature which helps to protect your sites against attack. When users are suspected of being a threat (such as infected PCs, spammers, or would-be hackers), CloudFlare blocks their access to your site.
Optionally, you can allow these users access if they pass a CAPTCHA.

RoboHash is a pretty simple service, and I want to make it available to as many people as possible.
Since it loads as part of OTHER people’s sites, I don’t want it blocked. I don’t care if they’re actively trying to hack ME; don’t block it. I don’t want users of Robohash to have a degraded experience.

I emailed CloudFlare and asked them to disable the blocks entirely. They admitted that there are false positives, and that there’s no way to fully disable the feature. They suggested the ‘Essentially Off’ setting, which is supposed to only challenge the worst of the worst.
Running the service for 2 weeks gave me over 30 blocked IPs, most for being part of a botnet.

[Screenshot: CloudFlare threat control panel listing blocked IPs flagged as botnet members]

I’m not at all comfortable with the number of blocks they were performing.
Further, CloudFlare sets a cookie on every request.

I don’t want this, and it’s not fair to downstream users of RH.org.

threepwood:~ e1ven$ curl -I http://robohash.org/ABCD.png
HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Mon, 27 Feb 2012 20:15:10 GMT
Content-Type: image/png
Connection: keep-alive
Expires: Tue, 26 Feb 2013 20:15:10 GMT
Cache-Control: public, max-age=31536000
CF-Cache-Status: HIT
Set-Cookie: __cfduid=d9c25dc8324ac644c1ae0f980ae487c311330373710; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.robohash.org

versus the native request:

threepwood:~ e1ven$ curl -I https://robohash.org/ABCD.png
HTTP/1.1 200 OK
Server: nginx/1.0.2
Date: Mon, 27 Feb 2012 20:16:43 GMT
Content-Type: image/png
Connection: keep-alive
Expires: Wed, 29 Feb 2012 20:16:43 GMT
Cache-Control: max-age=172800

As an additional point of comparison, here is the result from MaxCDN, another CDN that I’ve had good luck with:

threepwood:~ e1ven$ curl -I http://static1.robohash.org/ABCD.png
HTTP/1.1 200 OK
Server: nginx/0.8.36
Date: Mon, 27 Feb 2012 20:34:32 GMT
Content-Type: image/png
Connection: keep-alive
Expires: Wed, 29 Feb 2012 20:21:28 GMT
Cache-Control: public, max-age=172800
CF-Cache-Status: HIT
X-Cache: HIT
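As an added example that is not part of the original post, the following Python audits `curl -I` output like the responses above and flags what the post objects to: a Set-Cookie header on a static image, scoped to the whole domain, that every visitor of every embedding site will now carry. The sample responses are constructed from the headers shown above, with the cookie value replaced by a placeholder.

```python
import re
# Constructed samples modelled on the responses above; the cookie value is a placeholder.
CDN_RESPONSE = """HTTP/1.1 200 OK
Server: cloudflare-nginx
Content-Type: image/png
Cache-Control: public, max-age=31536000
CF-Cache-Status: HIT
Set-Cookie: __cfduid=EXAMPLEVALUE; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.robohash.org
"""
ORIGIN_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.0.2
Content-Type: image/png
Cache-Control: max-age=172800
"""

def parse_headers(raw):
    """Split `curl -I` output into (status line, [(name, value)]); names lower-cased, repeats kept."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def max_age(headers):
    """Cache lifetime in seconds from Cache-Control, or None when no max-age is given."""
    for name, value in headers:
        if name == "cache-control":
            m = re.search(r"max-age=(\d+)", value)
            if m:
                return int(m.group(1))
    return None

def audit(raw):
    """Return findings for one response; an empty list means nothing objectionable."""
    _, headers = parse_headers(raw)
    ctype = next((v for n, v in headers if n == "content-type"), "")
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0]
        # Attributes after the first ';' as a lower-cased dict, e.g. {"domain": ".robohash.org"}
        attrs = dict(a.strip().lower().partition("=")[::2] for a in value.split(";")[1:])
        domain = attrs.get("domain", "(host only)")
        if ctype.startswith("image/"):
            findings.append(f"{cookie} set on a static image; scope {domain}")
        if domain.startswith("."):
            findings.append(f"{cookie} is sent to every subdomain of {domain}")
    return findings
```

Pipe any `curl -I` capture into `audit()` to see whether a CDN in front of an embeddable resource is setting state on visitors of other people’s sites.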

Missing Images

[Screenshot: a page load where a Robohash image failed to appear]

Finally, however, I started seeing an increasing number of missing images.
Every so often, maybe one in 20 page loads, I’d see a Robot just not appear at all.

That’s simply unacceptable.

Summary

Ultimately, I’ve removed CloudFlare from the DNS for Robohash.
I apologize for any inconvenience caused while I was using it.
I like the idea behind their service, and I can see how it might be useful for a large number of sites, but their offerings are tremendously invasive and give you limited control over disabling their ‘features’.

It’s a good deal if you’re looking to help protect your blog from the slashdot-effect, particularly as a solution that semi-technical users can implement. If you have the patience to learn, it seems like in most cases you’d be better off with a caching Nginx server, potentially combined with a cheap standalone CDN.

You’ll get better performance, more control, and fewer surprises.

4 Comments
  1. Feb 27 2012

    Hi,

    Thanks for the comments/review. Some quick notes:

    “I’m not at all comfortable with the number of blocks they were performing.”
    You can actually adjust your security level in your settings to a lower level. I do think that it is important to address why visitors get challenged in the first place, which is explained here: http://www.cloudflare.com/wiki/DataSources

    “Further, CloudFlare sets a cookie on every request.”
    Cookies are required for the security features to work properly, such as the challenge page, so I hope that explains why cookies show.

    “Finally, however, I started seeing an increasing number of missing images.
    Every so often, maybe one in 20 page loads, I’d see a Robot not just appear at all. ”
    Did you have any beta features enabled (Rocket Loader, Auto Minify)? Some sliders do break with Rocket Loader enabled, for example, so turning this off generally fixes issues related to that. If not, the image issue could be an issue with you not turning on Development Mode when making changes to static content on your site.

    “give you limited control over disabling their ‘features’. ”
    Curious as to this comment… Pretty much any feature can be turned off or modified in a matter of seconds in your settings.

    • e1ven
      Feb 27 2012

      Hi, Damon, thanks for replying!

      As I mentioned in the post, I’m sure that CloudFlare is a good solution for some people.
      If you have specific changes that you’d recommend, I’d be happy to take a look.

      Since you seem to work for CloudFlare, you’re welcome to take a look at my settings.

[Screenshot: e1ven’s CloudFlare Performance settings]


      Is there an option to disable blocking users?
      I never want to give a CAPTCHA.

      I’ve read your DataSources page, and I understand where you’re coming from, but those aren’t the same tradeoffs I want to make.
I’d rather you send the users to the site, even if they’re obviously and deliberately abusive.
      If they’re sending more load than you can handle, go ahead and send them directly upstream.

      Ultimately, what it comes down to, is that you are making certain tradeoffs that I don’t agree with.
      As a customer, I’d want the ability to disable those features.
      As a business, you think it’s in your best interest to not allow me to.

      That’s understandable, but it means that I’ll just go elsewhere.

      It’s the same issue with the cookies.
      You say they’re necessary for the CAPTCHA. I find them disruptive, and harmful to the users of my site.
      I don’t really care that you think it’s a good idea.
      If my site is setting cookies on images, it reflects on me. Regardless of your thoughts on the matter, I don’t want them, and you don’t seem to provide a way to disable them.

      As you can see from my profile and screenshots, I don’t have any beta features enabled.
I do have Website preloader enabled; it’s not marked as Beta.

      I suppose if the feature doesn’t work reliably, I could have disabled that.

      “give you limited control over disabling their ‘features’. ”
      Curious as to this comment… Pretty much any feature can be turned off or modified in a matter of seconds in your settings.

      Please show me the button to stop blocking any users.
      Please show me the button to not send cookies.
      Please show me the button to never send a captcha.

      Again, I’m sure it’s a great solution for a certain audience, but it doesn’t seem like you provide any features to opt-out of the invasiveness.
      When you combine that with seeing Image failures, I can’t really recommend CloudFlare to anyone who has the knowledge to do better.
      Thanks!

      • Feb 27 2012

        “Is there an option to disable blocking users?”
The closest option is changing your Basic Security Level to “Essentially Off” in your CloudFlare settings (this only blocks the worst of the worst). You also have the option of whitelisting IPs, IP ranges & countries in your Threat Control Panel.

        “Please show me the button to not send cookies.”
        Not possible at this time, unfortunately (explained the reason why).

        “When you combine that with seeing Image failures, ”
        I don’t see that you currently have any beta features enabled that should create this behavior. Did you change those images recently? If so, did you go to Development Mode first or Purge your cache? Are you serving those images through a CDN subdomain?

  2. e1ven
    Feb 27 2012

    @Damon- It’s already set to “Essentially Off”. See my post. Or the image I attached 😉
    You say it’s only the worst of the worst, but it’s still higher than I’m comfortable with.

    I understand why you’re saying you’re sending cookies, but I hope you understand why that’s unacceptable to me.
    Again, I know you guys are trying to run a business, but for some customers, those tradeoffs aren’t worth it.
