Thoughts on CloudFlare
I did this partly to test the speed, and partly to reduce the bandwidth costs that I was seeing through MaxCDN.
A little background: CloudFlare works by taking over as the authoritative DNS provider for your domain. To use the service, you set CloudFlare's name servers as your domain's name servers, and CloudFlare then answers DNS queries with the addresses of its own edge proxies rather than your origin, so every request passes through CloudFlare before it reaches you.
That makes some sense, since it lets them route traffic to whichever of their servers they choose as necessary, but it creates a bit of a headache.
I offer RoboHash in both HTTP and HTTPS versions. To serve HTTPS through CloudFlare, you need to be a premium/paid member. That's fine, and I don't mind the fee, but you can't upgrade your account until your DNS has already been moved over.
This creates a bit of a headache, in that you have to commit to fully using CloudFlare before you get a chance to really test it. With most CDNs I've used, I can set up an origin pull and run both concurrently.
Subjectively, the site did feel faster. I also noticed that the number of hits reaching my nginx instance was cut down dramatically. Within 2 days, the number of hits reaching my server was cut to 1/7th of what it had been before.
That makes sense, since the RoboHash.org content is HIGHLY cacheable. In typical usage, such as a forum or blog, the robot is generated for the first user, and every subsequent load is served from cache.
Pingdom didn’t report any clear change in the load times.
If anything, the page load times seem far more variable after moving over.
Enabling SSL support through Cloudflare was spookily simple.
CloudFlare accepts the SSL connection at their edge and proxies the request back to my origin over normal HTTP. In other words, the browser's encrypted session terminates at CloudFlare, and the hop from CloudFlare to the origin travels in the clear.
I didn’t need to give them a copy of my certificate, or give them any additional information.
CloudFlare has a built-in feature which helps to protect your sites against attack: when a visitor is suspected of being a threat (such as an infected PC, a spammer, or a would-be hacker), CloudFlare blocks their access to your site.
Optionally, you can allow these users access, if they pass a CAPTCHA.
RoboHash is a pretty simple service, and I want to make it available to as many people as possible.
Since it loads as part of OTHER people's sites, I don't want it blocked. I don't care if they're actively trying to hack ME; don't block it. I don't want users of RoboHash to have a degraded experience.
I emailed CloudFlare, and asked that we disable the blocks entirely. They admitted that there are false positives, and there’s no way to fully disable the feature. They suggested the ‘Essentially Off’ functionality, which is supposed to only challenge the worst of the worst.
Running the service for 2 weeks gave me over 30 blocked IPs, most for being part of a botnet.
I’m not at all comfortable with the number of blocks they were performing.
Further, CloudFlare sets a cookie on every request.
I don't want this, and it's not fair to downstream users of RoboHash.org:
threepwood:~ e1ven$ curl -I http://robohash.org/ABCD.png
HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Mon, 27 Feb 2012 20:15:10 GMT
Content-Type: image/png
Connection: keep-alive
Expires: Tue, 26 Feb 2013 20:15:10 GMT
Cache-Control: public, max-age=31536000
CF-Cache-Status: HIT
Set-Cookie: __cfduid=d9c25dc8324ac644c1ae0f980ae487c311330373710; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.robohash.org
versus the native request, straight to my own nginx:
threepwood:~ e1ven$ curl -I https://robohash.org/ABCD.png
HTTP/1.1 200 OK
Server: nginx/1.0.2
Date: Mon, 27 Feb 2012 20:16:43 GMT
Content-Type: image/png
Connection: keep-alive
Expires: Wed, 29 Feb 2012 20:16:43 GMT
Cache-Control: max-age=172800
As an additional point of comparison, here is the result from MaxCDN, another CDN I've had good luck with:
threepwood:~ e1ven$ curl -I http://static1.robohash.org/ABCD.png
HTTP/1.1 200 OK
Server: nginx/0.8.36
Date: Mon, 27 Feb 2012 20:34:32 GMT
Content-Type: image/png
Connection: keep-alive
Expires: Wed, 29 Feb 2012 20:21:28 GMT
Cache-Control: public, max-age=172800
CF-Cache-Status: HIT
X-Cache: HIT
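The three header dumps above are the kind of thing worth checking mechanically rather than by eye, and the check generalizes to any proxy you put in front of an asset that other people's pages embed. The script below is an added example, not code from the RoboHash project or from this post: it re-parses the three curl -I responses (re-typed as constructed test data, minus the Content-Type and Connection lines) and reports whether each response is cacheable, whether the edge sets a cookie on it and how widely that cookie is scoped, and whether Expires and max-age still agree once the edge re-serves a stored copy.

```python
# Added example, not code from the RoboHash project or the post: audit the
# headers a CDN edge returns for a static, cacheable asset. The input is the
# three 'curl -I' responses quoted above, re-typed here as constructed data.
from email.utils import parsedate_to_datetime

CLOUDFLARE = """\
HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Mon, 27 Feb 2012 20:15:10 GMT
Expires: Tue, 26 Feb 2013 20:15:10 GMT
Cache-Control: public, max-age=31536000
CF-Cache-Status: HIT
Set-Cookie: __cfduid=d9c25dc8324ac644c1ae0f980ae487c311330373710; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.robohash.org
"""
NATIVE = """\
HTTP/1.1 200 OK
Server: nginx/1.0.2
Date: Mon, 27 Feb 2012 20:16:43 GMT
Expires: Wed, 29 Feb 2012 20:16:43 GMT
Cache-Control: max-age=172800
"""
MAXCDN = """\
HTTP/1.1 200 OK
Server: nginx/0.8.36
Date: Mon, 27 Feb 2012 20:34:32 GMT
Expires: Wed, 29 Feb 2012 20:21:28 GMT
Cache-Control: public, max-age=172800
CF-Cache-Status: HIT
X-Cache: HIT
"""

def parse_response(raw):
    """Split a 'curl -I' dump into (status_line, [(name, value), ...]).
    Names are lower-cased; repeated headers are kept in order."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (ln.partition(":") for ln in lines[1:])]
    return lines[0], headers

def values(headers, name):
    return [v for n, v in headers if n == name.lower()]

def cache_control(headers):
    """Cache-Control directives as a dict; bare flags map to True."""
    directives = {}
    for value in values(headers, "cache-control"):
        for token in value.split(","):
            key, _, val = token.strip().partition("=")
            directives[key.lower()] = val or True
    return directives

def parse_cookie(set_cookie):
    """Return (cookie_name, {attribute: value}) from a Set-Cookie value."""
    first, *rest = (p.strip() for p in set_cookie.split(";"))
    attrs = dict((k.lower(), v) for k, _, v in (p.partition("=") for p in rest))
    return first.partition("=")[0], attrs

def audit(raw):
    """Report cacheability, cookies and Expires/max-age agreement."""
    _, headers = parse_response(raw)
    cc = cache_control(headers)
    max_age = int(cc["max-age"]) if "max-age" in cc else None
    date = parsedate_to_datetime(values(headers, "date")[0])
    report = {"cacheable": "public" in cc or max_age is not None,
              "max_age": max_age, "expires_drift": None,
              "cookies": [], "findings": []}
    expires = values(headers, "expires")
    if expires and max_age is not None:
        # Lifetime implied by Expires (measured from Date) versus max-age. A
        # stored copy re-served with a fresh Date but the origin's old Expires
        # shows up as positive drift, and such a cache should be sending Age.
        implied = (parsedate_to_datetime(expires[0]) - date).total_seconds()
        report["expires_drift"] = max_age - int(implied)
        if report["expires_drift"] and not values(headers, "age"):
            report["findings"].append(
                f"Expires and max-age disagree by {report['expires_drift']}s "
                "with no Age header")
    for value in values(headers, "set-cookie"):
        name, attrs = parse_cookie(value)
        cookie = {"name": name, "domain": attrs.get("domain"),
                  "lifetime_days": None}
        if "expires" in attrs:
            cookie["lifetime_days"] = (
                parsedate_to_datetime(attrs["expires"]) - date).days
        report["cookies"].append(cookie)
        if report["cacheable"]:
            # A cookie on a public, year-long image response is a red flag.
            report["findings"].append(f"cacheable response sets cookie {name}")
        if cookie["domain"] and cookie["domain"].startswith("."):
            report["findings"].append(
                f"cookie {name} is sent to every subdomain of "
                f"{cookie['domain'].lstrip('.')}")
    return report

if __name__ == "__main__":
    for label, raw in ("CloudFlare", CLOUDFLARE), ("native", NATIVE), ("MaxCDN", MAXCDN):
        print(label, audit(raw))
```

Run against the dumps above, the CloudFlare response is the only one that sets a cookie, and that cookie is scoped to .robohash.org (so browsers send it to every subdomain, static1 included) with a lifetime of roughly 2,856 days from the Date header. The native response is clean. The MaxCDN copy shows a 784-second gap between its Expires and its max-age with no Age header, which is what a cache looks like when it re-serves a stored response with a fresh Date but the origin's original Expires. To audit a live host instead of the constructed text, feed audit() the output of curl -I.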
Finally, however, I started seeing an increasing number of missing images.
Every so often, maybe one in 20 page loads, I'd see a robot simply not appear at all.
That’s simply unacceptable.
Ultimately, I’ve removed CloudFlare from the DNS for Robohash.
I apologize for any inconvenience caused while I was using it.
I like the idea behind their service, and I can see how it might be useful for a large number of sites, but their offerings are tremendously invasive and give you limited control over disabling their 'features'.
It’s a good deal if you’re looking to help protect your blog from the slashdot-effect, particularly as a solution that semi-technical users can implement. If you have the patience to learn, it seems like in most cases you’d be better off with a caching Nginx server, potentially combined with a cheap standalone CDN.
You’ll get better performance, more control, and fewer surprises.