Cloudflare Reviews

Appboy is going to cancel our Pro CloudFlare account and leave the service. CloudFlare has a great feature set, but their uptime track record has been awful.

I’ve been a big fan of CloudFlare’s since I heard of it: I was in the audience at TechCrunch Disrupt NYC 2011 where CloudFlare presented. I was so impressed that I immediately pulled out my laptop and moved all my personal websites to CloudFlare. My first Tweet ever was about how cool CloudFlare is.

I put Appboy on CloudFlare as soon as we brought our first servers online. Since then, my professional experience with CloudFlare has been suboptimal. The first major interruption was in early November. SSL randomly stopped working, which broke server-client communication in our iOS SDK product. When I logged in to troubleshoot, I couldn’t find the SSL settings page. In a frenzy, I thought that my account had been accidentally downgraded from Pro and that SSL options were no longer available. I sent in a support ticket, received a response that it was a known issue, and that I should disable the CloudFlare proxy in the meantime. The SSL options were quietly removed as part of the upgrade; seemingly no one was told. I repeatedly emailed in every few hours asking for status reports but never got a response. It was a serious issue for us. Fortunately, in November we were in limited testing on our production environment, but had it been live it would’ve caused a massive amount of damage to us. After submitting two tickets for someone to contact me, Michelle Zatlyn, a CloudFlare co-founder, gave me a call. I suggested things like proactive notifications about major maintenance, and was happy she listened, but I feel like nothing has changed since.

The last few weeks, it has seemed as if CloudFlare was being attacked constantly, taking our site down in the crossfire. I was home for the holidays having dinner when our monitors hit for 502s and SSL problems. 502 hit again in January due to attacks in Newark. Over the past few months, dozens of 502 errors have tripped up my monitors, woken me up overnight, and broken our site for some of our customers. Numerous support tickets led to no progress. I ended up ignoring 502 errors in our functional monitoring scripts. We get over 100,000 unique visitors a month. Downtime has major visibility for us.

The last two weeks have been exceptionally problematic. One of our customers emailed us that random links on our site was broken. The links made AJAX requests which were not returning. Sure enough, everyone in the office could reproduce. I sent in a support ticket. The one-line response: “Thanks for writing in. This is a known issue that we’re trying to tackle this week. Sorry for the inconvenience!” That was it. No additional info. Was it just with AJAX? Should I turn off the CloudFlare proxy on other sites? Should I look to @cloudflaresys for updates? The worst part was that CloudFlare didn’t notify me about the known issue! It wasn’t on the status page, I couldn’t find it on Twitter. I had to find out from one of our customers. Later, the support associate agreed that “[CloudFlare's] notification of what’s working and what’s not is a bit… lacking” and said that he’d notify me when he got an update. I have not received any further updates.

Last night was also really bad. CloudFlare released a new version of its DNS software and accidentally deleted their master database of domain records, which broke name resolution for all of Appboy’s servers. I couldn’t go to the main website, our client-server communication broke, my app servers couldn’t talk to the databases because they couldn’t resolve the hosts, etc. We were completely down due to a bad software release that was, again, completely unannounced.

Whenever there have been issues, the CloudFlare engineers have jumped to resolve it. And resolution time is usually fast. But that 100% of my site downtime the last 2 months has been caused by CloudFlare is unacceptable. Even if CloudFlare fixes the problems quickly, they’re breaking too many things too frequently.

Everyone here at Appboy thinks that CloudFlare is a great product. We want to use CloudFlare, but right now can’t take on the risk.

Do you have any suggestions for DNS service providers? Let us know what you use or recommend.

CloudFlare is an incredibly advanced content delivery network (CDN) that offers boosts to the security and performance of your site. They act as a reverse proxy and shield your web server from exposure to the wider Internet. You get huge bandwidth savings and a reduction in the resources consumed on your server, so why have I just decided to 'go it alone'?

Introduction

CloudFlare launched their beta in June 2010 and very soon after they followed with their official launch in September of the same year. Their free accounts come with many of the great features they offer and their blog makes for some really interesting reading. This all sounds like a match made in heaven but I recently found myself faced with the tough decision of leaving CloudFlare and losing their support. This meant having my domain name resolve directly to the IP of my server. Whilst that may sound like a totally normal prospect for most, after you've enjoyed the protection and security of having someone act as your doorman, it's a slightly daunting prospect. Not only would I lose their security, but I'd also be subjecting my server to the full force of any traffic aimed at my domain name.

A Brief Overview

Because CloudFlare act as a reverse proxy, a user's browser connects to the CloudFlare servers which then request the content from the host server on behalf of the user. This puts CloudFlare directly between you and your visitors, allowing them to cache content and protect your server by not allowing users to connect directly to it. This is fine when the site is loading over http but when you want to start loading over https, it brings up a few problems. There isn't really a requirement as such for me to serve content over https, I don't have user logins and the site doesn't serve sensitive or confidential data. For me, it was mainly about the learning process and showing that it can be done for free. If you head over to StartSSL and pick up one of their free SSL/TLS certificates, it will bear your domain name. This immediately presents a problem when the browser is not connecting to your server when a user enters that domain name into the address bar. Now, CloudFlare offer different solutions to this problem depending on which type of account you have. Their free accounts do not support any form of SSL, you have to step up to at least a Pro account ($20 a month) to get SSL support. At the Pro level, the account I used to have, you can enable SSL support and take advantage of the benefits of CloudFlare but serve over https instead.

Flexible SSL

Once you're on a paid account plan, you can enable SSL on your site with a single click thanks to CloudFlare's Flexible SSL. The CloudFlare servers present their own SSL certificate to the user so that the transfer of information between them is encrypted. From here, as the data travels from CloudFlare to the hosting server, you can use your standard SSL certificate issued by a CA, a self signed certificate, or, worryingly, nothing.

Once I started investigating the upgrade to a paid plan so that I could get SSL support, I was startled at the prospect of Flexible SSL. Here, we have a solution that seems to break two of the key principles of implementing SSL/TLS. When we visit a site and see https in the address bar, I think it's fair to say there are some assumptions that we could generally make and should be able to make. The SSL certificate assures us that the site we are connected to is the site we typed in the address bar, and that our traffic is encrypted during transmission to that site. Flexible SSL seems to break both of these principles. The certificate that is issued belongs to CloudFlare and not the site you're trying to connect to, and traffic on the other side of CloudFlare between their network and the host site is not encrypted. There is of course the option to move to Full SSL, you can even use a self signed certificate between CloudFlare and the host, but I imagine there are sites out there that don't. The ability to present your site over https when the full route is not encrypted seems to be a breach of the trust that the user places on the indications their browser is giving them. There is the argument that encrypting part of the transport layer is better than encrypting none of it. Anyone between the user and their nearest CloudFlare server, like an attacker on a local network or even their ISP or government, wouldn't be able to access their traffic, but after the CloudFlare server it's back into the wild without any protection. Given that it's really easy to create your own self signed certificate, or you can get a free one from StartSSL, I just can't see the requirement for Flexible SSL. The benefits of encrypting the first leg of the transport layer are far outweighed by the detriment of giving false impressions on securely transmitting data. If you're on a shared hosting plan that would be costly to upgrade to SSL support, or don't know how or can't implement it on your server, Flexible SSL is nothing more than an illusion of security that you're presenting to your visitors.

Full SSL

If you want to ensure that data is always encrypted whilst it's being transported, you need to enable Full SSL, which requires SSL on the host server. As I've mentioned, you don't need to pay for a certificate as you can use a self signed certificate or get one from StartSSL. Once that's installed and you enable Full SSL, CloudFlare will only communicate with the host using a secure transport layer.

Now we're up and running, all traffic will be encrypted during transit. Problem solved, right? Well, even though I was using Full SSL, I still had my concerns. Whilst CloudFlare are a trusted party in all of this, I didn't feel comfortable with the idea of having a man in the middle of my secure transport layer. That, and the certificate being issued to the browser still carried someone else's name. For most users, when you connect to a site and see https in the address bar, I think it's fair to say there would be an expectation they were talking to me, directly. Not only that, but there is still a point in the transport layer where data isn't encrypted, inside CloudFlare. I think CloudFlare apps are a prime example of this, allowing the ability to inject Google Analytics code into your pages for example. I want to be clear that this isn't a criticism of CloudFlare, the services they offer are fantastic, I just have my reservations when it comes to running your secure transport layer through a third party. For a site that loads over http no one can have a realistic expectation that someone else hasn't seen or altered your traffic during transit. The other problem with this is that CloudFlare never used to validate the certificate between them and the host. It would accept any certificate and go with it.

Full SSL (Strict)

The lack of certificate validation has been recently resolved with a new feature announced by CloudFlare, Full SSL (Strict). This means CloudFlare will now validate the certificate presented by the host server. This came as quite a surprise to me as I was already using a valid certificate so just assumed that it was being validated and accepted by CloudFlare. As it turns out, I could have literally used just about any certificate I'd liked and it would have worked just fine. Not only that, but anyone could MiTM my perfectly valid SSL certificate, swap it out, and CloudFlare would have been just as happy. To me, their blog post should be more along the lines of 'we now do SSL properly' than 'hey we added a new feature'. Connecting to a host securely and then not validating the certificate means that you're not connecting to the host securely. If there was some way to pin a self signed cert in the CloudFlare control panel, this option would be perfectly acceptable, which is what I expected you should have to do if using a self signed certificate. As it turns out, there is no such option. Worryingly, the non-strict version of Full SSL will remain. CloudFlare are going to automatically switch everyone with a valid certificate to Full SSL (Strict), but for those that don't read the CloudFlare blog, I wonder if they will ever find out.

Business And Enterprise Accounts

It is possible to get around the issue of serving your visitors a CloudFlare issued SSL certificate by upgrading to a Business or even Enterprise account. Starting at $200 a month for the Business account, or an average $5,000 a month for Enterprise accounts, you can upload your own certificate and private key to CloudFlare. Whilst your visitors are now being served with your own SSL certificate, I can't see the benefit this brings. The user, much like with the Flexible SSL option, is now under the impression that they're communicating with you directly and securely. Even if they check the certificate, they will see that it is issued to your domain and have no reason to suspect that their traffic isn't travelling directly to the host before being decrypted. To set this up requires the disclosure of your private key, something that in itself should highlight the kind of breach to transport layer security this causes.

The Aftermath

One of my biggest concerns with coming out from behind CloudFlare was the impact it would have on my server. I'm currently using DigitalOcean (referral link) to host my blog and with the ability to rapidly scale the hardware capabilities of my VPS, I cautiously flipped the switch. Within the first hour it was immediately clear just how much of the demand on your resources CloudFlare can alleviate. I saw jumps in traffic at the network interface and CPU utilisation as soon as I hit the button. Whilst none of these increases were enough to cause any worries, it does provide evidence for the claims CloudFlare make about just how much they can save you in resource terms. At almost double the average daily bandwidth usage, I can say that CloudFlare were saving me about 45% of the bandwidth used by traffic hitting my site. This is from both their efforts in caching my content and serving it on my behalf, and traffic that they will have dropped and not allowed through based on it appearing malicious. I'm also seeing average CPU loads approaching double what they were, but still only falling well within the single digit range. As it turns out, my VPS is perfectly capable of handling the regular traffic my blog gets but I am still acutely aware of the greater exposure I now face. That being said, I feel the value of honouring the core principles of SSL/TLS to be worthwhile.

Conclusion

I know I mentioned it earlier, but I wanted to be clear that this isn't a complaint about CloudFlare. I still use CloudFlare to resolve my DNS queries as they run one of the fastest DNS services around. Thanks for that guys! Their free account offers an awful lot of functionality and savings alone, before you get on to the minimal $20 a month for a Pro account which comes with it's own great list of features. If you're hosting a site that serves content over http it's really a no brainer as to whether or not you should make use of a free CloudFlare account. If you're hosting a huge amount of content there's little reason not to use them. My only real problem comes with the introduction of SSL/TLS and the unavoidable requirement to have a man in the middle of your secure connection. If you truly have a requirement for a secure transport layer I have to question the sanity of breaking the chain of custody of your data.

Valuable Features:

Improvements to My Organization:

Use of Solution:

Stability Issues:

Yes, I’m obsessive about Webpage load speed. Only in the past year or so has Website speed become an SEO (Search Engine Optimization) factor however I’ve always spent an inordinate amount of time and energy trying to speed up my Website (as well as find ways to speed up all Websites I build for clients). Until a few short years back, besides using state of the art software and hardware (NGINX, Ubuntu Server, reverse HTTP proxies etc.) in addition to a CDN (Content Delivery Network) such as Amazon Web Services CloudFront, there really wasn’t any simple means of speeding up WordPress Websites.

How times have changed in a few short years! We now have super awesome services such as CloudFlare and the Google PageSpeed Service (PageSpeed service isn’t widely available yet but should be soon). CloudFlare is a freemium service and their free offering is probably much more than most Websites need. As for Google PageSpeed Service, pricing hasn’t been provided as yet and is being used free on an invite only basis at present (thanks Google for the invite you sent me ).

Just over two months ago I started using the PageSpeed service for three of my other Websites. Around the same time I started using CloudFlare Pro (a paid-for service) for this Website, OrganicWeb.com.au. Here are my findings.

Using WordPress on CloudFlare

How the CloudFlare free plan can remain free is quite simply amazing. The benefits, from free use of a leading CDN, free high-performance DNS hosting to security and more is awesome. The majority of users won’t need to upgrade to the Pro plan which has a monthly cost and offers further performance and security enhancements.

I used the Pro plan for a couple of months but I actually moved my Website from CloudFlare to PageSpeed a few weeks back as there were problems when people were leaving comments on Posts (I use the JetPack Plugin to manage commenting). I believe that Blog commenting is important and no matter what configuration I did, I just couldn’t correct the commenting problem when on CloudFlare so moved to PageSpeed (and the commenting problem no longer seems to occur). In fairness to CloudFlare I believe that the problem may well have been with the JetPack Plugin.

Just because my WordPress Site had problems on CloudFlare doesn’t mean that yours will. In fact, I recommend CloudFlare over PageSpeed for users that want a very simple to setup service that works well. CloudFlare have done a great job in making the setup super simple; just install and activate the WordPress CloudFlare Plugin, add necessary data to CloudFlare and your WordPress Site will be secured and delivered by CloudFlare in just a few minutes.

Using WordPress on Google PageSpeed Service

Oh … My … Goodness. Google PageSpeed ROCKS! A little more complicated to setup than CloudFlare but wow is this service great for delivering WordPress content mighty fast. PageSpeed does clever stuff such as convert images, where beneficial, to base64 as well as write CSS and JavaScript inline into the HTML in order to reduce round trip times. Like CloudFlare, once PageSpeed has been setup then it just works.

The Google PageSpeed Service may be a bit too technical for those wanting something very simple to setup. Whilst CloudFlare provides top-class and very fast DNS hosting, Google PageSpeed doesn’t provide this. I prefer having a separate DNS hosting provider and use AWS Route 53 so PageSpeed is preferable for me.

Security versus Speed

The biggest selling point for most people however will likely be the security provided by CloudFlare. I’m really not sure if PageSpeed provides any security and whether the security provided by CloudFlare is any good. Security is often a perception and CloudFlare beats PageSpeed completely where the perception of security matters.

My advise for most people is to use CloudFlare. For more advanced users, and those that are confident managing their own security, the Google PageSpeed Service is the way to go.

What is our primary use case?

What is most valuable?

What needs improvement?

What do I think about the stability of the solution?

What do I think about the scalability of the solution?

How are customer service and support?

How was the initial setup?

What about the implementation team?

What other advice do I have?

Which deployment model are you using for this solution?

I am a paid Cloudflare customer. The service has been wonderful. As in all services, there is a setup that is required and a learning curve.

One of the biggest reasons for me to implement it was to reduce server load. My forums keep growing and to reduce the need to keep upgrading, we tried Cloudflare.

It has reduced my bandwidth and server load immensely. For example, my bandwidth dropped from 45GB/month to 10GB/month. Server hits went from 3.5 million/month to 600 thousand/month.

Cloudflare is setup if the server does not respond timely, then your users will see an error message. This is an indication of a slow server versus a Cloudflare issue.

Who's the culprit- Cloudflare or hosting?

When I have seen the CloudFlare error screen for site is unavailable, it has always been due to slow response on the webserver. (validated by using a series of http responders hitting CloudFlare and the webserver directly over a 60 day period.)

One of the keys is to make sure your hosting provider is using the CloudFlare extension and they have listed all the CloudFlare servers within your firewall settings. All your traffic will come from only a couple of IPs. If your server and firewalls are not setup to support this concept, they will trip DDOS or Flooding rules.

What is most valuable?

What needs improvement?

For how long have I used the solution?

What do I think about the stability of the solution?

What do I think about the scalability of the solution?

How are customer service and technical support?

How was the initial setup?

What other advice do I have?

What is our primary use case?

What is most valuable?

What needs improvement?

For how long have I used the solution?

What do I think about the stability of the solution?

How are customer service and support?

How would you rate customer service and support?

How was the initial setup?

What's my experience with pricing, setup cost, and licensing?

Which other solutions did I evaluate?

What other advice do I have?

Which deployment model are you using for this solution?

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?