Ask HN: Thoughts on Cloudflare?
I use the free plan of Cloudflare for a personal site and find it useful for the CDN, analytics, SSL and DNS.
One thing that bothers me is the cost of these benefits: all traffic is decrypted at their servers. Is it something to be worried about for the average user? (Data stolen while passing through their servers)
Maybe I am paranoid, but is it a good option for sites that deal with payment data?
2 comments
[ 4.4 ms ] story [ 12.6 ms ] threadTheir core service is DDoS protection, but the reality is that these attacks are rare and usually small. Most people using cloudflare could save money by just running their own Nginx/varnish reverse proxy. Cloudflare for the most part is just an http reverse proxy, and I've heard they just use nginx internally to do it.
I worked at a software/IT consultancy and some of our clients ran controversial political sites. Lots of them. They were surprising never "attacked" with more than a few hundred requests per second. In fact, none of the few hundred sites we ran was ever attacked while I was there. The only ones that went down a lot were wordpress based sites that could only handle like 7 requests per second past the cache. We ran cloudflare on some of these, but only so it wasn't our fault when they inevitable crashed from xmlrpc bots and other primitive garbage.
We have sites of all platforms and types which are in need of caching services for a variety of reasons. We have e-commerce sites wanting to cache anonymous page views to improve conversion rates through improved speeds, through to services wanting to accelerate dynamic content using our Railgun optimiser.
As a reverse proxy, we do offer an incredibly powerful DDOS mitigation service. Over the past few months we have seen a dramatic increase in DDOS attacks - including multiple DDOS attacks which are greater than 400Gbps. Whilst not all sites will face such attacks, we do offer a service for those who are in need of protection (either as a precaution or to mitigate an active attack).
Our WAF can help protect against other such attacks from SQL Injection to XSS and beyond, for example; we have a rule to protect against XML-RPC attacks. We're constantly improving our feature set and adding more; one such product we're particularly excited to reveal is our Traffic Control solution which can help add extra layers of security to APIs and websites.