A Firewall in the Cloud?

Have you ever needed a service that will accelerate, optimize and protect your website? And all that for free?

My story

Few months ago, like you, I was looking for some sort of CDN (Content Delivery Network) that will speed up my website by serving static content like css, javascript, and images from a different server or location close to my visitors. As I did not want to spend lots of money on this solution, I used Google to search information about free CDN. Instantly, a page appeared in my browser, displaying a list with free CDN providers. Most of free CDNs are simple to setup, involving just appending a suffix to your website URL. I was very excited about this, but soon I have found out that my pages are slower than before or even fail to load.

The next morning, while I was drinking my hot coffee and reading news, one particular article got my attention. Being curious to find what was all about, I followed the link and something else got my attention this time. It was a heavy themed site, but the page loaded almost instantly. I was very sure I did not visit this website before, so it could not be my browser cache (and yes, I did shift-reload the page) that allows the website to load faster.

Using a browser extension to analyze webserver response headers, I managed to extract the most important piece of the puzzle:

Server: cloudflare-nginx

I heard about Nginx before, but what was that “cloudflare” thing? Therefore, I typed it in the browser and a nicely stylized sun flare coming over an orange cloud welcomed me.

CloudFlare or a firewall in the cloud, as they like to call it.

CloudFlare is not just a simple CDN. It’s a service designed to optimize the delivery of your web pages to your visitors in order to get the fastest page load times and best performance available. In addition, it will act as a firewall blocking threats, abusive bots and crawlers from wasting your bandwidth and server resources.

There are three plans (free, pro and enterprise) available for you. I chose free plan as it provides far more tools than I really needed.

Initial setup

The setup was very easy, involving just changing my authoritative DNS servers and select which website I want CloudFlare to accelerate and protect. You do not need to change your current hosting provider or registrar.

I went to Godady (my domain is registered there) and changed my DNS servers to point to CloudFlare servers. Just like every time, when you alter your DNS servers, you have to wait few hours in order for changes to propagate.

If you plan to change DNS servers, I recommend setting TTL (Time to Live) for your domain as low as possible one day before.

For most of us, the default CloudFlare settings are just fine, but I would like to point few things out:

How CloudFlare can protect me?

Basic Security Level

This security level is NOT your bulletproof web firewall, but rather an additional layer of security added to your website. Every time when a request to your website comes from an IP address known in their cloud network as threat, it will challenge the visitor with a CAPTCHA based page. You can customize the challenge page to match your website theme. This is how the challenge page looks like. In the report tab, you can see all these challenges. Based on this knowledge, you have the option to block or trust those threats in the future.

Filtering IP addresses is not the only security option included in free plan. They also inspect HTTP request headers for threat signatures.

Automatically scrambling e-mail addresses on your web pages and using server side exclude to hide content like phone or contact address from suspicious visitors are a big plus.

For paying subscribers, there is an advanced security level (Web Application Firewall). This will help you in real time to deal with dangerous attacks like SQL, XSS, javascript injections or other kind of HTTP POST attacks.

Depending on how many bad boys are targeting your website, you might want to adjust these options.

Before I close the security chapter, I should mention that SSL support is only available for paying customers. To be honest, handling your SSL certificates to any third party might be a security risk.

How CloudFlare can speed up my website?

CloudFlare combine the power of distributed CDN with a clever way to optimize your web pages on the fly. With 13 datacenters scattered around the world, CloudFlare CDN will cache almost all your static content (they do not cache static HTML pages). CloudFlare caches content based on file extensions and NOT on content type.

How do I know if CloudFlare caches my static content?

Use a tool or a browser extension that display webserver header response and you should see this line:

CF-Cache-Status: HIT

HIT means that CloudFlare CDN serves the request (saving your bandwidth) and not your webserver.

CloudFlare mostly obeys Cache-Control, so make sure that your webserver is set to response with appropriate Cache-Control directive.

If you need to remove objects stored on CloudFlare CDN, they provide you with one click purge button.

In the Pro plan, they give you the option to pre-fetch your most popular resources and preload them into your visitor’s browser providing a smooth navigation from page to page. In addition, CloudFlare increases the number of requests per second, for maximum performance.

Using CloudFlare CDN on my websites, I see about 50% fewer requests and 52% less bandwidth usage.

Web content optimization is very popular these days, so CloudFlare raises the bar by providing you with two features: Auto Minify and Rocket Loader.

Minifying HTML, JavaScript and CSS for your web pages results in smaller resources to transfer and faster load times. This feature will remove all unnecessary characters from JavaScript and CSS files without changing their functionality – at least in theory.

Asynchronously load your JavaScript resources results in faster page rendering. Rocket Loader can handle both inline and external scripts, while maintaining order of execution.

I highly recommend you to be very cautious using these options or any other third party apps they provide as they might interfere with various JavaScript tools, including Google Adsense.

Is there any way to test my website optimized by CloudFlare?

Many specialized websites will help you with that. Here are few of them:

Most of these web speed testers are running in a virtualized environment, using shared resources. The reports might not reflect what your visitors will experience. Take these results with a grain of salt.

IPv6 support?

Even if your webserver does not support IPv6 protocol, CloudFlare makes your website to be IPv6 ready. There are two modes to deploy IPv6:

My ISP does not provide IPv6 right now and this option is very handy for me.

What is wrong with my logs?

CloudFlare is using a reverse-proxy mechanism, meaning that your webserver logs will fill with requests coming only from CloudFlare network and not from real visitors. This can be very frustrating if you rely on server logs or use underneath applications that require the real IP address. However, CloudFlare provides a module for various web servers to preserve the original IP address. Some hosting providers already have this module enabled for you; some are willing to install it for you.

Some people are not aware of one possible side effect that might occur. As the requests will come only from CloudFlare network repeatedly, your hosting provider might throttle your bandwidth or even take your website completely offline thinking you are under some sort of DDOS (distributed denial of service) attack.

Please consult your hosting provider before deploying CloudFlare or any other reverse proxy on your website.

My conclusion

I will not lie to you, CloudFlare solution is really working for me and I am very pleased using it. Sure, it has some disadvantages, but if it is working for me, it can work for you too.

What I like

What I dislike

There are many options and apps available on CloudFlare, but I do not use them yet.

I strongly recommend reading CloudFlare privacy page, especially the section regarding how they collect data and what they might do with it.

As a final note, I do not do paid reviews. I wrote this article to share my experience with you in an understandable manner, revealing few key problems that no one will bother to explain.

Find Out Who Is Been Calling You

© Copyright RavChat.com 2007-2014

Privacy