Ask HN: Are there good Cloudflare alternatives? e.g., edge cache, firewall

31 points by wanqu ↗ HN
Contexts -

Relying on Cloudflare to be the gateway of all of our production traffics is scary.

Currently we are on Enterprise plan, but we don't know if phone support is possible and email support is very slow - typically takes a few days for one reply. We have an open ticket opened ~1 month ago and they still can't answer some basic questions.

Can't imagine what to do if there's big outage on their end or mistakes made by their human operators.

Ideally, there's a good Cloudflare alternative, and we can easily update our dns customer server to point to that alternative when Cloudflare has outage (or caused by their human operators mistakes).

45 comments

[ 4.6 ms ] story [ 174 ms ] thread
Opportunity:

Build a cloudflare alternative (some core products), and provide exceptional customer support - maybe at AWS level is acceptable.

This is something I've looked for many times before. I actually don't want the CDN side of Cloudflare (some parts of my app are incompatible with the way their CDN works), but I do want the WAF. But Cloudflare doesn't let you disable the CDN side of their service. It's all or nothing.

Anybody have alternatives to Cloudflare's WAF?

Have you looked at the WAF from AWS? I am using it on one of my sites to add a rate limit and it was reasonably easy to implement.
I have not. I'll have to see if it's compatible with Heroku.
> But Cloudflare doesn't let you disable the CDN side of their service. It's all or nothing.

Are you sure about this? It's been a year or so since I've used it, but I remember being able to disable a lot of specific performance/caching stuff (where the CDN comes in) via its Page Rules and "Cache Level - Bypass": https://developers.cloudflare.com/support/page-rules/underst...

Yes, unfortunately. I've confirmed it with their support. Requests always hit their CDN. For example, set up a small server that sends the following response headers:

    Date: <current server timestamp>
    Original-Date: <same as Date>
Cloudflare will always rewrite the Date header, you just won't notice it until the Date header happens to fall on a time a few ms from the next second (e.g. Wed, 13 Sep 2023 22:02:51.999). This is because by the time Cloudflare processes the request and overwrites your Date header, the Date has changed, causing the Date header to differ from Original-Date.

This resulted in a considerable headache on my end [^0], because the Date header was being used for cryptographic signatures. So 1/100 requests would have an invalid signature for no apparent reason. But the reason was Cloudflare not acting as a good proxy, overwriting the Date header that had already been set.

[^0]: https://news.ycombinator.com/item?id=28157629

I see. That's a good find. Thanks for the details! And sorry about your edge (no pun intended) case.
is using your own headers for date not the solution here?

I'd imagine a lot of proxies in general will overwrite that date. At least on the corporate proxy side of things.

It's the ideal solution (and one I already implemented with a Keygen-Date header), yes, but this bug was discovered months after the feature was introduced and relied upon (I run an API product). So it's not as simple as using a different header, since previous clients will still be on the Date header. Backwards compatibility can be a bitch.
Will your solution work with any CDN at all? It seems the issue is not specific to Cloudflare.

`Date` is a registered field [0] used by origin server as defined in RFC 9110 [1]. Any CDN server will add its own date to that header since it's acting as the origin server for that request.

For Cloudflare in particular, you could try setting Cache-Control to Private=Date and see if the edge cache skips the override [2].

What you want seems to be a tunnel with WAF. In that case, a Cloudflare Worker might be a workaround to the native caching layer but I'm not sure if that has any effect on the edge device updating the Date header or not. Workers do support WAF.

0 - https://www.iana.org/assignments/http-fields/http-fields.xht...

1 - https://www.rfc-editor.org/rfc/rfc9110.html

2 - https://developers.cloudflare.com/cache/concepts/cache-contr...

I don't know, and that's why I want a WAF without a CDN. I don't need a CDN at all, and I wish I could disable Cloudflare's.

But per RFC 9110 [^0], "the Date header field represents the date and time at which the message was originated." The message comes from my server, not Cloudflare. If they're getting the message from me, i.e. it's not cached by their CDN, they should leave the Date header alone because the message didn't originate with them. [^1]

Maybe I have a misunderstanding of where Cloudflare sits as the "origin server" when their CDN isn't used for caching (i.e. it's bypassed as much as is allowable). I would think my server is the "origin" and theirs is the "edge."

And unfortunately, workers do not allow you to set the Date header -- Cloudflare support and I already tried that a couple years back (i.e. setting Date = Keygen-Date via a worker).

I will take a look at 2. I doubt that'd work, but it's worth a try.

[^0]: https://www.rfc-editor.org/rfc/rfc9110.html#name-date

[^1]: https://httpwg.org/specs/rfc7230.html#rfc.section.5.7.2

Yeah, looks like CF should not consider itself the origin, at least if the request wasn't cached.

But I'm thinking the edge cache is dumb. Some of their docs mention that requests that aren't cached are actually just revalidated and cached at the edge (probably TTL=0) and then served by the dumb edge cache... and they didn't consider they shouldn't be entitled to be the origin in that case.

Fastly has one too, but I don't have direct experience with it:

https://www.fastly.com/products/web-application-api-protecti...

Imperva also has one, but I can't recommend that one. We had them before Cloudflare and they were ridiculously expensive and not very good. Cloudflare was dramatically better and several orders of magnitude cheaper. That was back in like 2015 though so maybe it's different now.

Looking into Fastly WAF now. Thanks for the recommendation.
I don't work on that team, but I work _with_ that team and consistently hear that people think the support is excellent, so be sure to ask about that as you reach out to them.
I mean, have you talked to Akamai?
There are a bunch of alternative CDNs, from what I found late last year there are basically zero other unmetered CDNs though - they all charge for transfer costs, so if your outbound traffic levels are high, it may be prohibitively expensive to change to an alternative CDN.
Paying a few thousand bucks annually is not enough to get no-bs customer support :)
Entreprise is minimum 12k/yr but it's typically more than that. It absolutely should entitle you to no-bs customer support.

Big tech lowered the bar so much that y'all just have Stockholm syndrome...

I think Fastly offers some similar products: https://www.fastly.com/edge-cloud-network/

But Cloudflare offers a lot of features/services. What specifically are you trying to find alternatives for?

Essentially we just need 1) edge cache to cache response from our website / api 2) and firewall rules
Fastly should be able to do both
I love Verizon's Edgecast cache feature. It just works so well.
We are using Cloudflare enterprise as well and have a phone number to call, including an SLA for P1 support tickets, which I believe is 2 hours. [0]

Never had any issues with receiving solid support but our account manager has been super good. I will say there's been a lot of turnover after they went public but overall the service has been solid for our use case. (delivering terabytes of peer data and analytics a month)

Have you brought any of these issues or concerns up to your account manager? Curious if they had any ways to help.

[0] https://www.cloudflare.com/enterprise_support_sla/

where to find account manager?

i don’t think we have one …

this might be a mistake from them or us that we didn’t get one account manager at the beginning …

is the phone number you use on the cloudflare website? or is it from some private conversation in email threads with your account manager?

we might do the enterprise plan wrong …

You may want to double-check your plan to ensure you're not on Business or Pro. If you are indeed on the Enterprise plan, information about your account manager and contact plans should have been in the onboarding PowerPoint they serve as part of the setup. If you don't have that, I'd follow the instructions in https://developers.cloudflare.com/support/troubleshooting/ge... I'd also consider opening a ticket asking about your account manager.
yes, it’s enterprise plan…

i’ll create a ticket to ask for account manager .

maybe there’s also a hierarchy of enterprise customers.

small-ish enterprise customers are not that valuable to them …

DDoS-Guard has many similar services. Based out of RU. Seems to be used by questionable services more so or a similar amount to Cloudflare. Only briefly looked into them but had trouble understanding pricing structure and what came with what. Ended up using CF.
Clour providers all have similar services, azure frontdoor is one example coupled with azure waf.

But honestly, no one really matches their quality of service and user interface as well as attention to detail. But a major reason to ditch them is that they may decide they hate your ip or browser just at the exact moment you need to do a critical change or troubleshoot something on their platform. The arrogance behind "shoot first, ask questions later" attitude is silly. If I can type in a legit user login with 2FA and I am a paying customer, no security control should block me at all. Google suffers from the same arrogance.

I would use CF for personal stuff but not for my business or at work.

I've been in the industry long enough that sometimes I wonder if we have all somehow collectively forgotten about nginx whenever this question comes up.
Indeed. Nowadays people want fancy UI and API, although the same can be achieved with much lesser overehead
(comment deleted)
I think a lot of it is the major influx of people that joined the industry in the mid-2010s that never had to write code before. They started on fancy UIs so that's what they know.
have you checked bunny.net? i deployed a cdn easily on their lovely ui, would love to hear other people's experiences on it though.

bunny for example doesnt have s3 storage api yet.

Bunny has been delaying the s3 storage for over 2 years. I love them but that is one complaint I have. I'm not sure what they are waiting for. They even said they are working on it many moons back.
i wish they just used ceph underneath to make it easy.
I'm launching a competitor for just these reasons ... https://skip2.net

Hosted DNS (so you'd just have to change your nameservers,) CDN, WAF, and all the other goodies like compression/image transformation/SSL.

I've got support on the list... What else do you want to see in a solution like this (anyone)?

Remove the word hate it will decrease sales
Make it extremely easy, like with the addition of an API key, to swap over to your service during a failover/outage.
Love this. Thank you!
Btw if you are thinking of doing this, how I have done it with other vendors, is use Terraform to export their config, then convert the TF data to my intended system. Rather than writing code to import based on their API because the APIs change and the Terraform modules are updated pretty fast to export the required data with SaaS vendors
Any plans for a terraform provider module? Can’t use to many services that don’t support automation.
After we launch our public API, we'll tackle integrations like these, almost certainly starting with a Terraform provider since it's so popular. Thanks for the suggestion.