A Firewall in the Cloud?
Have you ever needed a service that will accelerate, optimize and protect your website? And all that for free?
The next morning, while I was drinking my hot coffee and reading the news, one particular article got my attention. Curious to find out what it was all about, I followed the link and something else got my attention this time. It was a heavily themed site, but the page loaded almost instantly. I was very sure I had not visited this website before, so it could not be my browser cache (and yes, I did shift-reload the page) that allowed the website to load faster.
Using a browser extension to analyze webserver response headers, I managed to extract the most important piece of the puzzle:
I had heard about Nginx before, but what was that “cloudflare” thing? So I typed it into the browser, and a nicely stylized sun flare coming over an orange cloud welcomed me.
CloudFlare or a firewall in the cloud, as they like to call it.
CloudFlare is not just a simple CDN. It’s a service designed to optimize the delivery of your web pages to your visitors in order to get the fastest page load times and best performance available. In addition, it will act as a firewall blocking threats, abusive bots and crawlers from wasting your bandwidth and server resources.
There are three plans (free, pro and enterprise) available to you. I chose the free plan as it provides far more tools than I really needed.
The setup was very easy, involving just changing my authoritative DNS servers and selecting which website I wanted CloudFlare to accelerate and protect. You do not need to change your current hosting provider or registrar.
I went to GoDaddy (my domain is registered there) and changed my DNS servers to point to the CloudFlare servers. As always when you alter your DNS servers, you have to wait a few hours for the changes to propagate.
If you plan to change DNS servers, I recommend setting the TTL (Time to Live) for your domain as low as possible one day before.
For most of us, the default CloudFlare settings are just fine, but I would like to point out a few things:
How can CloudFlare protect me?
Basic Security Level
This security level is NOT your bulletproof web firewall, but rather an additional layer of security added to your website. Whenever a request to your website comes from an IP address known in their cloud network as a threat, it will challenge the visitor with a CAPTCHA-based page. You can customize the challenge page to match your website theme. This is what the challenge page looks like. In the report tab, you can see all these challenges. Based on this knowledge, you have the option to block or trust those threats in the future.
Filtering IP addresses is not the only security option included in the free plan. They also inspect HTTP request headers for threat signatures.
Automatically scrambling e-mail addresses on your web pages and using server-side exclude to hide content like a phone number or contact address from suspicious visitors are a big plus.
Depending on how many bad boys are targeting your website, you might want to adjust these options.
Before I close the security chapter, I should mention that SSL support is only available for paying customers. To be honest, handing your SSL certificates to any third party might be a security risk.
How can CloudFlare speed up my website?
CloudFlare combines the power of a distributed CDN with a clever way to optimize your web pages on the fly. With 13 datacenters scattered around the world, the CloudFlare CDN will cache almost all your static content (they do not cache static HTML pages). CloudFlare caches content based on file extensions and NOT on content type.
How do I know if CloudFlare caches my static content?
HIT means that CloudFlare CDN serves the request (saving your bandwidth) and not your webserver.
CloudFlare mostly obeys Cache-Control, so make sure that your webserver is set to respond with an appropriate Cache-Control directive.
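Because caching is decided by file extension rather than content type, it is worth auditing origin responses for URLs that look static but carry per-visitor content. The following is an added example, not part of the original article or CloudFlare's code; the extension list, the sample responses and the function names are assumptions made for illustration.

```python
import posixpath
from urllib.parse import urlsplit

# Assumed extension list for illustration; consult the CDN's documentation for the real one.
CACHED_EXTENSIONS = {".css", ".js", ".jpg", ".jpeg", ".png", ".gif", ".ico", ".pdf"}
NO_SHARED_CACHE = {"private", "no-store"}


def cache_directives(value):
    """Parse a Cache-Control value into a set of lowercase directive names."""
    return {p.split("=", 1)[0].strip().lower() for p in value.split(",") if p.strip()}


def audit_response(url, headers):
    """Classify one origin response: 'not-cached', 'ok', 'protected' or 'risky'."""
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    if ext not in CACHED_EXTENSIONS:
        return "not-cached"          # the edge would not store it by extension
    lowered = {k.lower(): v for k, v in headers.items()}
    directives = cache_directives(lowered.get("cache-control", ""))
    if directives & NO_SHARED_CACHE:
        return "protected"           # origin explicitly forbids shared caching
    content_type = lowered.get("content-type", "").split(";")[0].strip().lower()
    # A "static" extension that returns HTML or sets a cookie is probably dynamic.
    if content_type == "text/html" or "set-cookie" in lowered:
        return "risky"
    return "ok"


# Constructed sample of (URL, origin response headers) pairs.
SAMPLE = [
    ("https://example.com/theme/site.css",
     {"Content-Type": "text/css", "Cache-Control": "public, max-age=86400"}),
    ("https://example.com/index.html",
     {"Content-Type": "text/html"}),
    ("https://example.com/account/export.pdf",
     {"Content-Type": "application/pdf", "Cache-Control": "private, no-store"}),
    ("https://example.com/download/invoice.pdf",
     {"Content-Type": "text/html; charset=utf-8", "Set-Cookie": "sid=abc"}),
]


def audit_all(sample=SAMPLE):
    return [audit_response(url, headers) for url, headers in sample]
```

Any URL reported as risky should get a `private` or `no-store` directive at the origin.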
If you need to remove objects stored on the CloudFlare CDN, they provide you with a one-click purge button.
In the Pro plan, they give you the option to pre-fetch your most popular resources and preload them into your visitor’s browser providing a smooth navigation from page to page. In addition, CloudFlare increases the number of requests per second, for maximum performance.
Using CloudFlare CDN on my websites, I see about 50% fewer requests and 52% less bandwidth usage.
Web content optimization is very popular these days, so CloudFlare raises the bar by providing you with two features: Auto Minify and Rocket Loader.
Is there any way to test my website optimized by CloudFlare?
Many specialized websites will help you with that. Here are a few of them:
Most of these web speed testers are running in a virtualized environment, using shared resources. The reports might not reflect what your visitors will experience. Take these results with a grain of salt.
Even if your webserver does not support the IPv6 protocol, CloudFlare makes your website IPv6 ready. There are two modes to deploy IPv6:
- Full (your webserver is accessible on both IPv6 and IPv4 networks)
- Safe (only websites under a domain like ipv6.yourdomain.com will be available for IPv6 visitors).
My ISP does not provide IPv6 right now and this option is very handy for me.
What is wrong with my logs?
CloudFlare uses a reverse-proxy mechanism, meaning that your webserver logs will fill with requests coming only from the CloudFlare network and not from real visitors. This can be very frustrating if you rely on server logs or run underlying applications that require the real IP address. However, CloudFlare provides a module for various web servers to preserve the original IP address. Some hosting providers already have this module enabled for you; some are willing to install it for you.
Some people are not aware of one possible side effect that might occur. As the requests will come only from the CloudFlare network repeatedly, your hosting provider might throttle your bandwidth or even take your website completely offline, thinking you are under some sort of DDoS (distributed denial of service) attack.
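When restoring the visitor address behind a reverse proxy, the forwarded header should be honoured only if the connection really came from the proxy; otherwise anyone reaching the origin directly can write any address into your logs. The sketch below is an added example, not the module mentioned above and not part of the original article; it assumes the proxy passes the visitor address in the `CF-Connecting-IP` request header, and the proxy ranges are constructed placeholders from documentation address space.

```python
import ipaddress

# Constructed placeholder ranges (documentation address space).
# In production, load the ranges the proxy provider publishes instead.
TRUSTED_PROXIES = [
    ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:100::/48")
]
CLIENT_IP_HEADER = "cf-connecting-ip"


def resolve_client_ip(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Return (client_ip, source) for one request.

    peer_ip -- address of the TCP peer as seen by the webserver
    headers -- request headers, keys in any case
    source  -- "header" if the forwarded address was accepted, else "peer"
    """
    peer = ipaddress.ip_address(peer_ip)
    from_proxy = any(peer.version == net.version and peer in net for net in trusted)
    if not from_proxy:
        # Direct connection: the header is attacker-controlled, ignore it.
        return str(peer), "peer"
    lowered = {k.lower(): v for k, v in headers.items()}
    claimed = lowered.get(CLIENT_IP_HEADER, "").strip()
    try:
        return str(ipaddress.ip_address(claimed)), "header"
    except ValueError:
        # Missing or malformed header: fall back to the proxy address.
        return str(peer), "peer"


# Constructed sample requests: (TCP peer, request headers).
SAMPLE_REQUESTS = [
    ("198.51.100.7", {"CF-Connecting-IP": "203.0.113.50"}),  # via proxy
    ("192.0.2.99", {"CF-Connecting-IP": "10.0.0.1"}),        # direct, header not trusted
    ("198.51.100.7", {"CF-Connecting-IP": "not-an-ip"}),     # via proxy, malformed value
    ("198.51.100.8", {}),                                    # via proxy, header missing
]


def resolve_all(requests=SAMPLE_REQUESTS):
    return [resolve_client_ip(peer, headers) for peer, headers in requests]
```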
Please consult your hosting provider before deploying CloudFlare or any other reverse proxy on your website.
I will not lie to you, the CloudFlare solution is really working for me and I am very pleased using it. Sure, it has some disadvantages, but if it is working for me, it can work for you too.
What I like
- Migration and customization are done in a very easy way, mostly involving turning switches on or off with a single click.
- Customer support is handled very seriously. I had only one issue in the beginning and they responded to me in 5 minutes and solved my problem in 10 minutes. I was amazed, as I did not really expect to get such a fast response (if ever) for someone using the free plan.
What I dislike
- The challenge page might display ads.
- You cannot turn off the web firewall completely.
- There is room for improvement on the caching side.
There are many options and apps available on CloudFlare, but I do not use them yet.
I strongly recommend reading the CloudFlare privacy page, especially the section regarding how they collect data and what they might do with it.
As a final note, I do not do paid reviews. I wrote this article to share my experience with you in an understandable manner, revealing a few key problems that no one will bother to explain.