Small SaaS banned by Cloudflare after 4 years of being paying customer

730 points by tardis_thad ↗ HN
Hi, small SaaS founder here (tardis.dev) - I've been heavy Cloudflare Workers user (currently 4 billions requests & 1PB of data per month) for about 4 years already and today at 00:00 UTC without any warning my account was restricted, both website and APIs are down or very very slow to respond/time out, customers are angry obviously. I confirmed with support that "hmm, I see that your zone seems like being restricted due to 2.8 Limitation on Serving Non-HTML Content, see that there's high JSON data transfer". - which is bit strange as I'm using workers which have different terms - https://news.ycombinator.com/item?id=20791660 (confirmed by their CTO)...anyways I get it, perhaps I pay too little and should be on enterprise plan already, but when I got approached by Cloudflare sales team I explicitly asked if I can still be on pay as you go/self server model and reply was: "Enterprise wise, that's up to you and you could likely get away with utilising self-serve as you go, but if you did choose to go enterprise (without R2) I might be able to have something approved in the xx/month range."

I would fully understand that I am required to upgrade, but why not sending me an email before shutting down my business completely? I even asked about such scenario on zoom meeting I had with their Sales and they said it will never happen - few weeks forward and here we are...anyways going back to replying to my customers emails regarding service outage.

315 comments

[ 4.9 ms ] story [ 136 ms ] thread
I've asked internally to understand this.
Posts like this make me so angry. Its unacceptable that _paying customers_ need to rely on the lottery of going viral of HN/Twitter to shame companies into providing legitimate customer support!

A moment of silence for the 100s of people who've made posts similar to this but not made it to the front page, and thus had their grievances ignored...

I replied when this has no upvotes and was nowhere near the front page.
That response misses the point by a wide margin.
Not a big surprise given they think HN threads are an acceptable form of customer support for paying customers.
[deleted]
Friendly advice, stop digging and step away from this thread/talk to your PR team. You're not helping yourself or Cloudflare by responding in this way.
You're right. I'm taking all this too personally.
No matter how you took it, I want to say that there are others here who appreciate your presence.
Wow this is the worst take about customer service I have ever seen by a company. You cause huge issues for business with the touch of a button, and when they require help and don’t think the cause was acceptable behavior, they’re whining? Just wow.
I've removed the word "whining" but to be clear I was not talking about the person who posted on HN that they had a problem. I immediately jumped on their problem when I saw it and I've ended up spending almost all morning on it. I took the long threads personally and should not have done.
Those are the people in control of like half the internet traffic in the world.

Let that sink in.

10% globally and 30% of US traffic. Probably. Google has more aggregate users and traffic, and they're also world renowned for not having any customer service short of "blowing up on twitter" or getting lucky here on HN.
It's pretty amazing to me that even after seeing a response from a real human being, people continue to dog pile.

To those continuing to foam at the mouth: what would be the ideal outcome? Cloudflare closing up shop entirely after this? The whole "this shouldn't have happened in the first place" mentality is completely unproductive.

>To those continuing to foam at the mouth: what would be the ideal outcome?

Cloudflare changing their TOS from

>Cloudflare may, with or without notice to you and without liability of any kind, temporarily limit your storage and/or the number of requests you can make or receive using the Developer Platform for any reason (in its sole reasonable discretion), including without limitation

to something that does not allow them to do so on a whim, or with requiring upfront notice.

As the joke goes, "A failure in the outage reporting service can take surprisingly long to notice."

When your customer service is failing to handle a case, how exactly are you gonna catch on without using out-of-band signaling?

It’s an acceptable form of support as long as it’s reliable.
jgrahamc responded directly to the point. Replying before it made the front page means this post didn't need to go viral or win the front page lottery in order to get support, making it a counterexample to the GP.
and I really appreciate it, not trying to blame anyone, I created HN post as desperate attempt to have my service online again, hope you understand.
Dude, I'm not mad at you for reporting it. I'm working internally to figure out why your site was throttled and take appropriate action.
he's constantly thankful for ur help despite 12 hours downtime
Scraping sites can be useful, huh?
HN has an official API, no scraping needed.
Damned if you do, damned if you don't.
I'm always unsure how to read this. One one hand it is nice that there is someone in the company willing to do work which is in the interest of the customer (of sorts). But on the other hand it shows the company is willing to let quality, support, customer care, service and everything else decline but when it comes to public image is prepared to do everything within their power, even (yuck) their job in order for damage control. Now that I'm writing this I know exactly how to read comments like "now that it's in the public eye, we'll do something - maybe".
It doesn't make the problem go away by itself, but I would rather have jgrahamc helping people than not.
[deleted]
I think people see a lot of posts like "I tried to get help with my problem but received no response" and don't think about the selection bias involved. (Of course, if someone gets helped by customer service with no issues, that doesn't tend to come to Hacker News' attention.)

But from their perspective it does feel like these sorts of posts are the only way to get attention on a problem.

[deleted]
Right, I agree it sucks for you, I'm just trying to explain why I think it happens.

(People don't think about incentives either.)

People like jgrahamc are the people who care and are embarrassed their company provides such unreliable service. I just wish the people in charge of these companies felt the same responsibility and embarrassment.
jgrahamc is the CTO of Cloudflare.
I did not know that. That certainly changes things.

I don't know how many people work at Cloudflare, but I'd imagine it's more efficient to have a working customer support system than to have the CTO personally handle every problem.

I agree about the efficiency and wouldn't expect anyone to know that on a thread, off of a handle alone. However, I see it in a more positive light- based on John's other comments in the thread, he's made the time to stay active in communities like this one even as the CTO and followed up with folks internally to understand how an oversight like this could've happened.
I would really like you to clarify your intentions on serving non-HTML content.

I say this slightly nervously as a Cloudflare customer who serves some amount of binary data. One message is "it's ok if you're on a paid plan". Another is "it's not ok at any time". My suspicion is that "it's ok unless we notice you".

If you could come up with consistent understandable messaging that would help a lot. I don't mind paying (stay competitive against AWS and Hetzner and that's all I need) but the uncertainty is not good.

Can you clarify the terms an conditions about Cloudflare R2 please?

On the R2 page https://www.cloudflare.com/products/r2/ we see:

> No more egress charges. You shouldn’t have to pay to access your data. Pay no egress charges for data accessed from R2. Our affordable and consistent pricing means no more surprise bills.

Whereas I think the non-HTML traffic terms still apply to R2. Or do they?

I really curious about how this unfolds, I was planning to migrate from `AWS Lambda` to `Cloudflare Workers` as a paying customer. I'm basicaly an API with lots of JSON.

Why Cloudflare cancel paying Workers customers? Makes no sense to me.

Will you come back and tell us what happened here?
Looking at this with interest as I've multiple projects on cloudflare now and in development.
The lesson here isn't that you can or cannot trust Cloudflare.

You can't trust any vendor. Build your system with redundancies and failovers so no 1 vendor can take your system offline.

[flagged]
No, not at all. Seems like by account was restricted due to https://www.cloudflare.com/en-gb/supplemental-terms/#cloudfl...

2.Cloudflare may, with or without notice to you and without liability of any kind, temporarily limit your storage and/or the number of requests you can make or receive using the Developer Platform for any reason (in its sole reasonable discretion), including without limitation, if processing such requests would put an undue burden on the Cloudflare network, adversely impact the Service, or otherwise threaten the integrity of Cloudflare’s networks.

[flagged]
Problem with blocking Cloudflare traffic as a whole is that you will be blocking Private Relay users too.
> Many ISPs have good solutions that work well without you having to break open your SSL to use the service.

What are they going to do if a botnet with tens of thousands of IPs are hitting your server? Nullroute it to take the load off their network? Somehow figure out what traffic is legitimate and what isn't and just drop a bunch of stuff?

Larger ISPs have systems like the ones Netscout[1] and others offer on their edge connections which can classify such traffic and deal with it. If your systems are co-located in a DC or you have your own DC you have access to these ISPs.

[1] https://www.netscout.com/product/netscout-aed

before cloudflare companies such as verisign would take over all your routing (i think just for the IP range(s) affected) to mitigate DDoS. Although if you're a company that has a /20 of ipv4 and whoever is DDoSing you is doing it for an actual reason (as opposed to bored teens or whatever), they'll figure out you own a huge number of IPs and start nuking them all. Verisign could also handle that. There were others, comodo maybe? Then cloudflare appeared, it was way cheaper for smaller traffic sites, then they had so much bandwidth in so many places they offered CDNs; and those were cheaper than Akamai and whoever the other player was.

I think they got lucky, market placement when they entered was entrenched by large companies that did not care about small customers at all.

and yet.

I'm very interested in this. I also have clients with very large usage volumes on CF
Welcome to Google I mean Twitter I mean Facebook I mean cloudflare support.
Last but not least, Stripe support.
To be fair, most of the stripe whiners I see on here are trying to do shady shit... like that guy last week who didn't think we'd connect the dots from his last shady stripe scheme.
Got a link? Curious what he was doing!
"Shady shit", aka nothing illegal. If it was illegal, there'd be police, not account closure.
Companies dealing with money often have AML obligations which means shutting down the shady shit before police or regulators get involved.
There's been a few stories of stores running on Stripe for months, before hitting it big and being shut down. AML would shut this shit down immediately, not after months.
I haven't even used Stripe yet but I'm wary of ever relying on it from all the horror stories. It's almost become common sense to use two payment provides, and just rotate between them. More work but when one goes wrong, it's only half your income gone not all of it.
i'm about to move a significant amount of traffic to cloudflare. holding off until i see how this is handled. Can you please update this to reflect the total time of service outage and time to resolve. As a busy tech company, this is an unneeded problem. We pay cloudflare to be fast. Not make our sites slow and unresponsive.
Outage started around 00:00UTC today.

I was able to contact via support chat to confirm it's indeed Cloudflare related issue as wasn't sure as it's not displayed in any form on Cloudflare dashboard that indeed account is restricted. That was around 8AM UTC.

Since then I also contacted with sales team (got the details already as they approached me in last few weeks as mentioned before) in order to upgrade to Enterprise plan as it seems like the only solution, but did not get the quote yet and account is still restricted.

> Since then I also contacted with sales team … in order to upgrade to Enterprise plan as it seems like the only solution

Talk about coercion.

Considering that you weren’t, technically speaking, violating any terms of service, this response from them leaves a very bitter taste in my mouth.

Good luck, and thank you for sharing this with us all.

The correlation between between being contacted by Cloudflare sales and the throttling should serve as a warning for other customers.
Seems like blackmail from the Cloudflare side. Waiting for a quote while having an outage doesn't give any negotiation possibility.

However, good luck. And hope your enterprise contract with Cloudflare will be limited only to amount of time you need to migrate from their platform.

Your biggest mistake is building a service that depends on a single vendor. Where's your redundancy? Where's your failover?

Creating a HN post is not a proper failover strategy.

All vendors do crap like this. They often have automated systems that sometimes make mistakes. It's your responsibility to build a system that takes these failure points as a reality and build working redundancies and failovers to keep your service online while you sort them out.

By now most SLAs are already breached
How are you using the workers? Is the JSON cached? Where do you get the JSON?
I'm using Workers as basically API gateway/smart load balancer to backend services that handle actual load (resource intensive data filtering). Most of the responses are not cached on Cloudflare level. Thing is that I was using Workers for about 4 years already with not issue at at all, I'm aware that I use lots of requests and bandwidth but I just wish I was contacted about mandatory upgrade before effectively turning my service down.
How much are you paying for the workers/month?

Why didn't you use the load-balancer service?

(comment deleted)
> Why didn't you use the load-balancer service?

Speaking from experience, if you only need rudimentary L7 load balancing, then Cloudflare Workers is as good as it gets.

> How much are you paying for the workers/month?

Per my estimate, probably between $600 to $2000 for Workers: https://news.ycombinator.com/item?id=34639930

> Speaking from experience, if you only need rudimentary L7 load balancing, then Cloudflare Workers is as good as it gets.

What would you do in Workers that you couldn't do with Load Balancing? LB handles origin health, can do traffic steering, session affinity etc included. With Workers, you'd need to take care of all that.

I see a point if the Workers do some lifting / caching / transforming etc before passing on the requests, but as a simple load balancer, the actual Load Balancing service seems a better fit.

You're right: Workers are not a generic L7 load balancer, but of course plenty useful for the other stuff you point out (for ex, transformations and caching).
That’s interesting.

I’m using cloudflare pages with workers doing the same as you on a much smaller scale. The workers reverse proxy a rest api under the same host so I don’t need to worry about CORS, take the country HTTP header provided by Cloudflare then route the request to backend servers in the nearest AWS region and also cache any responses with cache control headers utilising Cloudflare’s Edge caching. It works great and gives a fast user experience regardless of where you are in the world.

I was going to implement rate limiting backed by durable objects to protect my backends.

It seems exactly the usecase and ideal usage of workers! Now seeing this, it has me rethinking using/investing in cloudflare if they can decide if they like how you use workers or not and kick you off. It shouldn’t matter what output the worker generates as long as it conforms to https://developers.cloudflare.com/workers/platform/limits/

I recently signed up to CloudFlare for their Yubi key deal that was still being advertised on their website. A week later I received an email saying only customers subscribed by a certain time could claim the offer.

I asked them to delete my data or provide the Yubi offer and they did neither. So they sit in an email folder known as bad companies. Because my data has value and they lied to obtain it for their own gain (aka fraud).

In Canada we have private prosecution/rules about falsely acquired data. Every bad story on HN puts me closer to opening that folder up and ensuring my data costs at least 100k.

Enough is enough.

There isn’t a practical way to fractionate their revenue or determine what proportion of their profit is derived from your data. This can be proved by the fact that there is no way to make any money with only the data you gave to them separated from the rest of their customers and potential customers. Therefore you are entitled to all of their revenue. Please clean out their shareholders and destroy their business. They deserve this for not cooperating with you. It would be very low cost or low effort to correct their mistake and they are choosing not to because it is easier.
Sure there is a way. In fact, there are many ways. CAC/ conversion ratio would give you the value of a quality lead.
Also want to be kept updated on this issue since it touches some clients of mine
Literally just sent an email to my devops guys to move off cloudflare asap. This cavalier lack of respect is a diservice and insult to all the people who rely on my product for their livelihood.
Are there any good alternatives that you (or him) already looked into?
Not OP, but we run two environments each of our service on Cloudflare Workers, Deno Deploy, and Fly.io (a small service albeit, 200 to 300 requests per second). In the event one is down, we switch to the other (via DNS).
This, my system architect friends, is the proper response.

Do NOT put all your eggs in 1 basket. Build redundancies and failovers so no 1 vendor can shutdown your business.

we had already been discussing amazon s3 since we are on aws. As clunky as aws can be, you can get in touch with a human if you need to.
You’re changing your arch because you saw a one-sided completely unverified post on HN?

At this point @jgrahamc has the worst of it - people show up here time after time hoping they can make enough of a stink to get him involved.

When they could just email me (jgc@cloudflare.com)
Funny. That's what OP said:

> I would fully understand that I am required to upgrade, but why not sending me an email before shutting down my business completely?

The fact that stuff needs to be raised at all is the problem.

Clearly something has gone wrong if customers get treated this way.

Before piling on too much more, here ...

... Cloudflare has a lot of customers[0]. They have to balance the cost of providing (a lot of) human support against the cost they can reasonably charge for their products. It's a balancing act, and one that has worked out well for me, personally. It sounds like this issue is happening related to R2, which is quite new.

You're not likely to see a post hit the front page with the title "I've integrated Cloudflare's products with 30 or so customers and never had an issue" (or even be written). But experience an issue this large and you're going to do everything -- make calls, post things to social media, reach out on HN where you know the CTO is an active participant -- and a lot of those are going to get attention from the small percentage of customers who felt wronged by CF but hadn't spoken up.

It's a crappy situation because it gives the impression that things are a mess when -- I'm willing to bet -- it's something along the lines of a problem in a quota checker and a failure of internal process to escalate the problem appropriately. That happens at every big company in various places all the time.

Really, the only major difference here is that unlike every other big company, their CTO actively watches Hacker News. When a problem pops up, he willingly chooses to be Customer Service and from the sounds of it, that escalation to address "problems like this" is now happening. There's going to be gaps like this at every company. When I worked at "BigCo", if something like this hit the front page of HN, you could expect a mess of people to have their phones ring. Work would be done to respond to the customer (variations on "acknowledge/minimize/suppress" communications -- on official company hosts). Staff would be forbidden from interacting in the ongoing discussion. The CTO might have had to have explained to him how to get to the web site containing the complaint.

[0] I don't work for them; I'm just a happy customer so everything here is my view from the outside.

I wouldn't say it indicates there's a mess, just that there's clearly some sort of broken process somewhere.

1. The customer is deplatformed without any notice

2. Customer support is failing to act on a false positive in a prompt manner and the customer has no recourse but to kick up a stink publicly

Both of those are fixable problems and I agree that it's generally a positive to see a company's CTO act in so public a manner. That doesn't mean they shouldn't try to improve things from an internal process perspective though.

Dear John, I absolutely love and admire Cloudflare’s services as a customer (and recent investor), but please please get stuff like this sorted as it will absolute ruin Cloudflare’s reputation in the long run. I beg you!
Believe me that this is what I'm doing. I'm really disappointed this customer got into this state and I'm working internally to figure out why it did.
Worrying part is the account could get banned. Could you reply here if that’s true? Would that take down dns/registrar etc functionality? Google does this and people would move to cloudflare thinking you wouldn’t do this account ban but nowhere is it stated.
This happens all the time though. Your business and processes are fundamentally broken.

And all you do is pop up on HN anytime someone complains, that's enough of a red flag to avoid your business completely and actively keep all my clients away from you.

I'm working an audio hosting SaaS and relying on Workers to stream and cache audio.

What can I do to prevent this from happening to me and my users?

This would be disastrous for my company.

Had similar issue in recent past, and was able to get it solved via the Discord channel. From what I understood is that it requires a manual over-ride on R2/ Workers because the thing that checks for the 2.8 TOS violation is not able to see the difference between Workers/ R2 and the standard CDN service.

If you go to the R2 Discord channel you see this happening every other week.

What is also kinda annoying is customers can't create support tickets because it requires a plan. Which imo is bad given these customers pay for R2 and often have a ton of data on it (which is why the 2.8 gets hit...).

Hopefully you can get this fixed permanently (for all customers at once, and not case-by-case).

The fact that you just post your e-mail address and invite your (likely many) customers here to reach out to you would probably surprise me from another company.

I've been doing this long enough that just about every major vendor I've worked with has had (and taken) the opportunity to disappoint me with some unreasonable decision/change and even an occasional (unwarranted) account suspension. I think I've convinced every customer I've worked with to purchase a Cloudflare subscription. I've worked with support once and I've worked with someone handling the beta testing for Warp (a Romanian gentleman -- he called me and shipped me a T-Shirt).

The two people I talked with didn't have to tell me they enjoyed their job. You could hear it in their voice. The guy I talked to about Warp was as far from a salesperson as someone could be, yet he couldn't help explain some of the details about how interesting of a product Warp is.

I can't count how many times I've pointed people at the Cloudflare blog to learn about "how all of the stuff between your code and the user's browser 'works'". I remember reading a post several years ago thinking "they're basically explaining how they achieved a major competitive advantage well enough for a competitor to duplicate." I didn't think that it was a bad idea to do so -- realistically, it didn't represent a loss of IP -- I'm just surprised so much energy/time would be spent writing highly technical posts that sometimes "give away secret recipes" in a sense. It's wonderful from where I sit.

I expect the HN crowd will recognize that people who have a problem/issue/incident with a company/product are a "flobbity-jillion" times more likely to write a post (and have it hit the front page) than a guy like me who's had 30-ish opportunities to integrate your products into things I've written and have been delighted every time.

I have a question that I couldn't find on the help docs: I got several domains on the early bird Pro price. Do you plan to discontinue the Early Bird pricing this year with the pricing increase?
Money is not free, the cost of money has gone up considerably in the past 6 months. I haven't seen any indications that money will be cheaper anytime soon.

All "VC funded" "free tier" and the like will be put on the back-burner. If you know anyone with a small datacenter and a decent peering agreement (3 lines of at least gbit) now would be the time to kick money their way, and tell everyone else to.

It was tough times for small companies these past several years. Imagine trying to compete with netflix when their price was "all you (and everyone you know) can eat MP4s for $8". I actually cancelled my netflix subscription as we weren't using it anymore and the price was creeping up faster than siriusXM subscriptions.

I know this is edgelord to post on a VC forum, but I haven't seen any indication i am wrong yet. Big news is 80,000-120,000 tech workers being laid off by the big 10, but what about all of the layoffs at smaller companies that are VC funded? What's that number look like?

There's a number of users in this thread who describe being "ghosted" by your sales team, including for tens of thousands of dollars per year subscriptions. It seems like the email responsiveness you're personally offering does not match with what some people experience from Cloudflare in general, so I'm not surprised people wouldn't think to email you and expect a response.
sorry, I did HN post in desperate move so my service can be online again - did not try to blame anything on @jgrahamc - other than that incident I'm very happy with Cloudflare Workers, it's an awesome tech.
we use cloudflare for their dns so not a complete change of arch. (this kind of lockin is precisely why I've stayed away from faas)

more importantly, its important to send a message. We depend on these services for our livelihood. if I'm paying for a service, the least I'm owed is the ability to get in touch with a person to rectify the situation as soon as possible. Companies who want other companies relaying on their service need to provide that if they want to be taken seriously.

EDIT: also, not to knock jgrahamc. appreciate that you're looking into this but one person on an email is not a scalable customer service solution for B2B. at the very minimum, there should be some sort of platform for filing the tickets, getting a timeframe on resolution as well as options to pay for faster turnaround.

If you’re using Cloudflare for DNS/registrar they have pass-through pricing. It’s a loss for them - you’re not paying for anything.
Thats even more reason to switch to Route 53. I didn't choose cloudflare at the beginning but its clear its a bit of a liability here.

To put it in perspective, we had to send out apology emails to very irate customers when our system went down for 10 minutes in December.

edit: Route 53 not S3*

You use Cloudflare for DNS but are moving over to S3 to replace Cloudflare?

Do you not mean Route 53, AWS’s DNS product?

Totally agree they should have provided a warning. Any Saas (and really would apply to social media, web mail, etc) should clearly warn before taking drastic action if possible. But I don’t see how you’d have dns without vendor lockin. It’s not like moving dns to godaddy would be better. Route53 is nice, but aws is also a vendor lots of people are locked to

Similar for ddos protection- you almost have to use somebody.

If your arch has a single point of a failure its probably wise to remove it
This is the height of knee-jerk reactions, worse still it's largely pointless. Unless you're big enough to negotiate a specific contract with a cloud provider you're always going to be at the mercy of their catch-all policy.

The only way to actually be protected in this case is to run a multi-cloud strategy. Even then it's only going to protect you so far if you piss off the powers-that-be / community (see the hosting trouble Parler had as an example, not that I'm fond of Parler or anything).

If the redundancy is already in place to not fully rely on cloudflare's product (whatever it is, DNS, R2, etc) the it's not a kneejerk reaction.

It's an "I don't want to wake up to all our stuff running only on the backup provider because cloudflare shut us down for seemingly no reason with no warning".

It's avoiding unnecessary alerts and triage for the ops team by snipping an apparent liability from the stack. I've already done the same after seeing a few of these kinds of interactions with cloudflare in the R2 discord.

When I see a blog post detailing why this has been happening so often, and what they've done to fix it, I'll happily pull that infra code out of the mothballs.

So instead you're running only on the backup provider now. Congratulations on invalidating your multi-cloud strategy. You've failed to understand that the core reason you had that strategy is that any of them can let you down.

Every single one of the cloud providers has had instances of this kind of problem. It's somewhat an inevitability of the way they all work. Eventually someone triggers an automated system somewhere and gets taken down. Or has outages that they shouldn't have had.

Better cloudflare where the CTO hangs out on HN, than Google where both the ban and the appeal are not even humans with empathy.

(comment deleted)
Sales said something would never happen...
That's almost the same as Sales promising that the feature will be available in the next few weeks..
I've recently dropped and then readded (a few months later) a zone to Cloudflare for a domain only I ever owned. And they refused to add it for "policy" reasons, so I had to wait a week or so until Cloudflare just unlocked it without providing any rationale.

It's not a company I trust to not randomly screw me over out of the blue anymore.

Wow that's a whole lot of ire, rivalling some other large tech firms. Definitely worth investigating. I consider Cloudflare to be an annoyance generally but I hadn't put it in context to what they ultimately have control over.
All of that is well known surely, it's still the site owners choice, including whether to block tor traffic which is often the source of these issues.
that site needs an editor. Like a human editor, so that everything is consistent looking.

And whatever happened to ngate?

Very similar to this other one https://news.ycombinator.com/item?id=34235237

I just repost the same comment I put in the above thread

> The thing that scary me most is that his business get shut down without any notice period (at least the author not mentioning any previous communications from Cloudflare team about the issue).

> This is really a shitty thing from Cloudflare, you cannot shut down an already running business without any notice/grace period.

I disagree. The other one was a clear case of someone knowingly breaking the TOS (same non-HTML content but in that case they were hosting a service which almost exclusively returns non-HTML content). The OP even admitted in the comments that they knew very well they were breaking the TOS but wanted some notice.

I don’t really feel any sympathy for that poster. They knowingly broke the rules, they had to have known that CF could come and shut them down at any time, and they still went ahead and threw the pity party knowing that they are pretty much entirely in the wrong. It’s very much a “play dumb games, win dumb prizes”.

Would it be nice for CF to give a heads up? Sure. But I don’t think it’s required, and especially not in an egregious case like that one.

See https://news.ycombinator.com/item?id=34642984 I wasn't breaking the ToS at least not 2.8 (non html content) - my point was that I can understand I'm heavy user of the Workers and built-in pricing may not be economically feasible for CF to serve me hence push to Enterprise plan - I get it, just wish it was communicated to me clearly and beforehand my site went down.
Specifically was talking about the GP comment’s link to the other post, where they very explicitly and knowingly went against the non-HTML clause. They were running some sort of image SaaS product where the vast majority of their (non-Worker) usage was images.

I think that case is different than this one because it was very obvious that it was against the rules, to the point where even the OP of that post came in to say that yes, they knowingly violated the TOS but would have appreciated a heads up.

The comment I was referring to: https://news.ycombinator.com/item?id=34235749

Sorry for the confusion, I tried to separate using “this post” and “that post” but I’m sure I slipped up somewhere there.

In my opinion, it doesn't matter.

They "tolerated" a non-compliant use of their service for so long time (maybe because in the past their only goal was to increase adoption?!?) and suddenly they decided to change strategy?! No problem, it's their choice, but adding an x days grace period should be the standard. It's really easy to do.

> Would it be nice for CF to give a heads up?

Well yes, it will be really welcome. Mostly for all other their user(1/3 of internet or something like this) that maybe doesn't even know there are not full-compliant to TOS and risk their business to be terminated suddenly.

> Mostly for all other their user(1/3 of internet or something like this) that maybe doesn't even know there are not full-compliant to TOS and risk their business to be terminated suddenly.

Warnings are nice, but it's ultimately the user's responsibility to read and understand the TOS, what they can and can't do. Ignorance is no defense. Just because you didn't know murder is illegal does not mean you can go kill random people and claim "oopsie, I didn't know, I wish you had warned me ahead of time".

> suddenly they decided to change strategy

They never changed strategy. It has always been explicitly against the TOS and explicitly mentioned as something you can't do in their documentation. Just because someone is below the threshold for Cloudflare's automated detection does not mean CF is allowing their use. Their use is still against the terms they agreed to, it's just not detected yet. If you are doing things you know are against the TOS, like that other poster, then you should very well know that your time is limited and your access can be yanked at any point in time.

> Warnings are nice, but it's ultimately the user's responsibility

It is actually ultimately the responsibility of the company, cloudflare, to clearly communicate their rules and ToS to the users. Because they are the multi-billion dollar business, and making things clear is their responsibility.

Throwing your hands up, and blaming confusion on the user is a way to rightfully cause users to hate you, and rightfully cause you a large amount of monetary damage as people decide that your company is not worth the risk.

Or even more, a user is within their right to cause large amount of monetary damages to the company, via viral social media outrages, such as this one. PR damage is real, and is a totally valid tactic, that a large company deserves, if they are making mistakes like this.

And it seemed like the damage caused by this post was very real. Cloudflare executives are posting in this thread.

So, actually, I would say that it is not just nice, but obligated to provide warnings, elsewise you get a situation like this, which is causing real damage to the company.

How, exactly, is the TOS and pages mentioning this limitation not clear?

I mean, it was clear enough for the other OP to know they went against it. They didn’t need to be told, they already knew their usage was against the TOS and just didn’t like that Cloudflare decided to enforce the rule they very well knew they were already breaking. They even said it themselves.

I already even said that is why I don’t agree the issues are in any way the same, but you opted to ignore that and continue down your diatribe of “it’s always the company’s fault”.

> Throwing your hands up, and blaming confusion on the user is a way to rightfully cause users to hate you, and rightfully cause you a large amount of monetary damage as people decide that your company is not worth the risk.

TIL that users are just allowed to do whatever they want with no repercussions because it’s too difficult to read the agreement they signed. The one that tells them what they’re explicitly not allowed to do. But no, definitely the company’s fault that a customer was taking advantage of them and their services. Totally.

> Cloudflare executives are posting in this thread.

So? People post here all the time. “HackerNews support” is a trope at this point and says nothing but that executives want to do damage control. It says nothing about the TOS being clear on the issue.

> Just because you didn't know murder is illegal does not mean you can go kill random people and claim "oopsie, I didn't know, I wish you had warned me ahead of time".

It's a wrong comparison. I'm not saying that people that are abusing CF's services are not guilty.

> I mean, it was clear enough for the other OP to know they went against it.

The point is not about these specific cases(in the one I posted it's definitely user's fault, this one is more ambiguous) but how CF acts.

The automatic/human process inside CF that decided to "ban" doesn't know if users are aware or not. They just assume (as you) that's user's fault and proceed with the "ban". While, if I'm running a service for months or even years and no one complains, there are a lot of good reason to assume that I don't do anything wrong.

Imagine that you have a totally compliant service but, because of a bug in their detection mechanism, your service goes down, and it takes days or even weeks to clarify everything with them and bring it up again.

It's an insane "default".

I mean, for CF nothing changes if they give you an x days notice but for your business changes a lot and (as mentioned before) when you run 1/3 of internet it's not only about the TOS.

>
> Something being "clear" only matters, in so far as it is understood. That is my definition of "clear". It is only clear if it is understood, no matter what, or how clear you think it is. It is defined as unclear, if it is not understood, commonly.

> I mean, it was clear enough for the other OP to know they went against it. They didn’t need to be told, they already knew their usage was against the TOS and just didn’t like that Cloudflare decided to enforce the rule they very well knew they were already breaking. They even said it themselves.

It's evidently clear. Did you even read the thread we’re talking about? Like even remotely? Or are you continuing on the same diatribe regardless what was clearly already written?

> I am not saying I am right. I did break the TOS. They have the right to do what they did. It's just not nice and I don't like them anymore :)

This is not a person who was confused. Period.

>
Says who? You are not the arbiter of what is clear. The examples shown, you know, the ones we are actually discussing, show that it’s clear.

That you chose to discard them is on you. But that doesn’t mean they just magically don’t exist.

.
Ignorance continues to be no defense but whatever you want to believe to help you sleep at night, bud.

Here’s a gold star, champ.

"
The issue has been fixed; if you were to actually read the comments you may have discovered that. But you’ve made it clear that’s not something you partake in.

Once again, whatever you want to believe to help you sleep at night.

Are there no laws around account removal/shutdown? In the future I will be actively asking service providers their procedures on account shutdown.
(comment deleted)
What even is the restriction on returning JSON? One of the examples is explicitly how to return JSON

https://developers.cloudflare.com/workers/examples/return-js...

From the terms

> 2.8 Limitation on Serving Non-HTML Content

> The Services are offered primarily as a platform to cache and serve web pages and websites. Unless explicitly included as part of a Paid Service purchased by you, you agree to use the Services solely for the purpose of (i) serving web pages as viewed through a web browser or other functionally equivalent applications, including rendering Hypertext Markup Language (HTML) *or other functional equivalents, and (ii) serving web APIs subject to the restrictions set forth in this Section 2.8*. Use of the Services for serving video or a disproportionate percentage of pictures, audio files, or other non-HTML content is prohibited, unless purchased separately as part of a Paid Service *or expressly allowed under our Supplemental Terms for a specific Service*. If we determine you have breached this Section 2.8, we may immediately suspend or restrict your use of the Services, or limit End User access to certain of your resources through the Services.

Supplemental terms

> The Cloudflare Developer Platform consists of the following Services: (i) *Cloudflare Workers*, a Service that permits developers to deploy and run encapsulated versions of their proprietary software source code (each a “Workers Script”) on Cloudflare’s edge servers; (ii) Cloudflare Pages, a JAMstack platform for frontend developers to collaborate and deploy websites; (iii) Cloudflare Queues, a managed message queuing service; and (iv) Workers KV, Durable Objects, and R2, storage offerings *used to serve HTML and non-HTML content.*

I can't quite figure out how to parse this such that workers would be deemed unusable to just run an API.

I'd absolutely have gone ahead with using it for an API.

Seems like my account was restricted due to https://www.cloudflare.com/en-gb/supplemental-terms/#cloudfl...

2.Cloudflare may, with or without notice to you and without liability of any kind, temporarily limit your storage and/or the number of requests you can make or receive using the Developer Platform for any reason (in its sole reasonable discretion), including without limitation, if processing such requests would put an undue burden on the Cloudflare network, adversely impact the Service, or otherwise threaten the integrity of Cloudflare’s networks.

To be fair I'm using lots of requests and bandwidth so could be reason, just if only I got an email about that before shutting everything down.

Out of curiosity, are you connecting to third party websockets from your workers?
no, I'm not using WebSockets at all in Workers.
Unless you saw a huge spike I feel like not letting you know before is totally unacceptable.

Also, while that's in the terms that's a generic get out clause I know they need but doesn't at all help you figure out what services are ok.

Unless you saw a huge spike I feel like not letting you know before is totally unacceptable

I agree... sort of? I mean, this is Cloudflare, right? It isn't as if a huge, legit traffic spike should tax their infra.

IMO, there should be zero shutdown for any long term client, for any reason, at all, ever, without an form of contact.

So weird to have stable uptimes, then support saying "we sorta think you were blocked because..."

So, even account info, with a valid "block" reason, isn't available to their own staff. EG, even their own staff aren't notified?!?

This is sales 101. Mega-simple stuff.

"Hi! You are doing bad thing X, and it needs to change, but we can fix that right now! Let me help you..."

Not getting a warning scares me. I moved hosting large GB+ files from DO Spaces to R2 for the free egress and have served 1 petabyte in January alone saving thousands of dollars.
I think what you're showing here is the safety net that protects them if they make some missteps trying to execute what's covered by other policies. But it seems like the heart of your cancellation is the interpretation of 2.8, i.e. them deciding (probably in an automated way) that the stuff you were serving via API (significant volumes of trading data, I'd gather) does not qualify as web content.

It's definitely an unfriendly combo to have (a) a really ambiguous policy like 2.8 and (b) enforcing via a no-warning cutoff -- even if the two policies have good justifications individually. But I wouldn't jump to the conclusion that part (b) is part of the sales strategy. (Part (a) obviously is meant to incentivize a paid account for applications like yours.)

Cloudflare has non-transparent pricing, unlike AWS, which will charge you for every thing with detailed usage tracking.

When ever there is non-transparent pricing, it's scary to try and use an infrastructure related service.

The sales teams can't go around saying that you are not a profitable customer, and they can't argue with the marketing team to be more honest about pricing on the pricing page.

So, end result, let's bump of these small free loaders. Large enterprise deals is what gets us the bonus anyways.

I like fly.io pricing in that sense. And I am sure there might be others offering a more transparent pricing, otherwise like me still stuck on AWS.

This is the big issue. There is always tension in these “free” setups.

I get more worried when the giveaways / marketing is VC funded - they often end at some point or pressure inside to dial back etc.

“We have free egress to Oceania!” - no, you don’t. You are subsidizing that.

Given what aws charges and how they charge for almost everything- no reason to be any pressure to move me to another plan. AWS free tiers are relatively minuscule

My perspective looking at them and other options for a bandwidth-heavy, largely non-HTML load a couple years ago:

1) All but the top self-serve plan ($200 at the time) wasn't worth anything for a business past the "finding a market" stage. No SLA at all under that level (at least, at the time)

2) The $200 plan, though, is actually a hell of a bargain. You get a lot for it. If your load is almost all HTML/CSS/JS and some light-ish worker use. And (allegedly, see #5) your bandwidth use isn't crazy high.

3) They basically don't care about serving any need between the top self-serve plan and a ~$5,000-to-start Enterprise plan. If you don't fit in the top self-serve but are under that level...

4) Surprisingly, given their reputation at the lower levels of service, in the Enterprise tier, they weren't competitive on bandwidth. If the main thing you need to do is sling bits, you can do that quite a bit cheaper elsewhere. Overall, they seem to want customers who need lots of their services, not just any one component. If you don't need their various corporate VPN type products and a bunch of other stuff, they're a bad fit.

5) We were told by a competitor that OP's experience is common and is often perceived by customers (their perception, mind you) as a bait and switch (see also: that huge gap between self-service and enterprise, in which they offer no options). Now, the competitor has some self-interest there, but even the non-sales guys on the call instantly kinda smirked and shook their heads when I mentioned CloudFlare.

6) We were told incorrect things by CloudFlare's sales folks. If we'd followed their advice, we might be OP.

It seems like the $200/mo plan and below are subsidized by their marketing budget, and the various ToS terms are there to give them discretion over whether those users are worth it or not: either low-cost users who are using too many resources, or users who they think they can charge more.

I investigated Cloudflare and the $200/mo plan seemed to good to be true so I contacted sales who verified that yes, it was too good to be true and my usage of the $200/mo plan would violate their ToS. They initially quoted $5k/mo over the phone, and then came back with a formal quote with a number much higher than that.

My take is that Cloudflare's product is so good that they can get away with any kind of sales practices they want. It's like shooting fish in a barrel: just analyze customers on the $200/mo tier and find the ones that look like they could spend way more. It's not even wrong in concept: sales upselling is SOP, and the low-cost tiers provide a lot of value to people who couldn't otherwise afford what they're offering. But the combination of the two sure leaves a bad taste in my mouth.

AWS doesn't have transparent pricing either, but in a different way. Yes, you can use more and more bandwidth and know exactly what you'll get charged, but once you get to Cloudflare Enterprise levels of bandwidth the AWS sticker prices would be astronomical and everyone negotiates non-transparent lower rates.

Well this isn’t good. I’m leading an effort to move some of our services and about a hundred domains over to Cloudflare.

Given all of this I think we’re going to have to push pause and see how this shakes out.

Maybe they booted you because your business model is to use Cloudflare to repeatedly and aggressively scrape data from cryptocurrency exchanges and then resell it for hundreds of dollars a month.

Sounds like an abuse of their terms of service to me.

Cloudflare is not used at all for data collection (it's not scraping, it's using official exchanges APIs), only for the APIs that serve historical data.
Aren't all users or CloudFlare doing [ACTIVITY] to resell something for profit?

What planet are you on?

Word of warning: don't use cloudflare

Or really any service that has it written that they can end your business without notice~

> ...anyways I get it, perhaps I pay too little and should be on enterprise plan already

If you're on Workers Unbound, you're probably paying closer to ~$800/mo for 4b requests; or if you're on Workers Bundled, then ~2000/mo. What were you quoted for the Enterprise plan? I thought those start at $1500/mo?

> I thought those start at $1500/mo?

I wasn't able to get them to size something down under high-$4,000/m, when I looked at this a couple years ago. They acted like I was being annoying just for thinking there might exist any option between $200 and $5,000.

We ended up somewhere else that was much cheaper for the actual service we needed. Every other company in this space I talked to was happy to come up with a plan that fit our needs and didn't include stuff we didn't need, plus their (negotiated, not public) outbound transfer rates were in every case cheaper than what CloudFlare's sales team offered us. They'd even offer high-touch onboarding help in that sub-$5k/m range (I didn't ask, they just offered)

I think our spending's actually over $5k/m many months, now, but it'd be even higher at CF since the best rate on transfer they offered us wasn't great. I gather the actual customer demo they want is big, complex enterprises that need tunnels between multiple physical networks, oddball proxying set-ups, and stuff like that. That's not us, so they weren't a good fit—but what's weird is their self-serve plans look like they're trying to court use cases closer to ours, while they have no decent options for smoothly sizing up past that.

Thanks. Appreciate your response.

Crazy to think that Cloudflare who are super aggressive napping up upstarts looking for cheaper alternatives to the Big 3 (Azure, GCP, AWS), are this incompetent in closing out Enterprise deals. I thought they were as adept at Sales as they are at Engineering.

Sad it happened. This highlights why it is important to reduce your exposure to external services. Right now I just deploy on bare metals servers and are ready to move them if need to. As they say, there's no cloud - just someone's else' computer
Do you manage your own global CDN network?
(comment deleted)