Ask HN: Are there good Cloudflare alternatives? e.g., edge cache, firewall
Contexts -
Relying on Cloudflare to be the gateway of all of our production traffics is scary.
Currently we are on Enterprise plan, but we don't know if phone support is possible and email support is very slow - typically takes a few days for one reply. We have an open ticket opened ~1 month ago and they still can't answer some basic questions.
Can't imagine what to do if there's big outage on their end or mistakes made by their human operators.
Ideally, there's a good Cloudflare alternative, and we can easily update our dns customer server to point to that alternative when Cloudflare has outage (or caused by their human operators mistakes).
45 comments
[ 4.6 ms ] story [ 174 ms ] threadBuild a cloudflare alternative (some core products), and provide exceptional customer support - maybe at AWS level is acceptable.
Anybody have alternatives to Cloudflare's WAF?
Are you sure about this? It's been a year or so since I've used it, but I remember being able to disable a lot of specific performance/caching stuff (where the CDN comes in) via its Page Rules and "Cache Level - Bypass": https://developers.cloudflare.com/support/page-rules/underst...
This resulted in a considerable headache on my end [^0], because the Date header was being used for cryptographic signatures. So 1/100 requests would have an invalid signature for no apparent reason. But the reason was Cloudflare not acting as a good proxy, overwriting the Date header that had already been set.
[^0]: https://news.ycombinator.com/item?id=28157629
I'd imagine a lot of proxies in general will overwrite that date. At least on the corporate proxy side of things.
`Date` is a registered field [0] used by origin server as defined in RFC 9110 [1]. Any CDN server will add its own date to that header since it's acting as the origin server for that request.
For Cloudflare in particular, you could try setting Cache-Control to Private=Date and see if the edge cache skips the override [2].
What you want seems to be a tunnel with WAF. In that case, a Cloudflare Worker might be a workaround to the native caching layer but I'm not sure if that has any effect on the edge device updating the Date header or not. Workers do support WAF.
0 - https://www.iana.org/assignments/http-fields/http-fields.xht...
1 - https://www.rfc-editor.org/rfc/rfc9110.html
2 - https://developers.cloudflare.com/cache/concepts/cache-contr...
But per RFC 9110 [^0], "the Date header field represents the date and time at which the message was originated." The message comes from my server, not Cloudflare. If they're getting the message from me, i.e. it's not cached by their CDN, they should leave the Date header alone because the message didn't originate with them. [^1]
Maybe I have a misunderstanding of where Cloudflare sits as the "origin server" when their CDN isn't used for caching (i.e. it's bypassed as much as is allowable). I would think my server is the "origin" and theirs is the "edge."
And unfortunately, workers do not allow you to set the Date header -- Cloudflare support and I already tried that a couple years back (i.e. setting Date = Keygen-Date via a worker).
I will take a look at 2. I doubt that'd work, but it's worth a try.
[^0]: https://www.rfc-editor.org/rfc/rfc9110.html#name-date
[^1]: https://httpwg.org/specs/rfc7230.html#rfc.section.5.7.2
But I'm thinking the edge cache is dumb. Some of their docs mention that requests that aren't cached are actually just revalidated and cached at the edge (probably TTL=0) and then served by the dumb edge cache... and they didn't consider they shouldn't be entitled to be the origin in that case.
https://www.fastly.com/products/web-application-api-protecti...
Imperva also has one, but I can't recommend that one. We had them before Cloudflare and they were ridiculously expensive and not very good. Cloudflare was dramatically better and several orders of magnitude cheaper. That was back in like 2015 though so maybe it's different now.
Big tech lowered the bar so much that y'all just have Stockholm syndrome...
But Cloudflare offers a lot of features/services. What specifically are you trying to find alternatives for?
Never had any issues with receiving solid support but our account manager has been super good. I will say there's been a lot of turnover after they went public but overall the service has been solid for our use case. (delivering terabytes of peer data and analytics a month)
Have you brought any of these issues or concerns up to your account manager? Curious if they had any ways to help.
[0] https://www.cloudflare.com/enterprise_support_sla/
i don’t think we have one …
this might be a mistake from them or us that we didn’t get one account manager at the beginning …
is the phone number you use on the cloudflare website? or is it from some private conversation in email threads with your account manager?
we might do the enterprise plan wrong …
i’ll create a ticket to ask for account manager .
maybe there’s also a hierarchy of enterprise customers.
small-ish enterprise customers are not that valuable to them …
But honestly, no one really matches their quality of service and user interface as well as attention to detail. But a major reason to ditch them is that they may decide they hate your ip or browser just at the exact moment you need to do a critical change or troubleshoot something on their platform. The arrogance behind "shoot first, ask questions later" attitude is silly. If I can type in a legit user login with 2FA and I am a paying customer, no security control should block me at all. Google suffers from the same arrogance.
I would use CF for personal stuff but not for my business or at work.
bunny for example doesnt have s3 storage api yet.
Hosted DNS (so you'd just have to change your nameservers,) CDN, WAF, and all the other goodies like compression/image transformation/SSL.
I've got support on the list... What else do you want to see in a solution like this (anyone)?