Cloudflare

Fliphost Member
edited May 2012 in General

Been using cloudflare for a little bit now and I must say, I like it. Making my sites run faster, security (stopped like 20,000 threats, mostly spammers). The stats are pretty nice as well.

I run a reverse proxy of nginx in front of apache, does anyone know the name of the correct nginx module to display the correct IP?

Offering The Best In VPS, Dedicated and Shared Hosting: Fliphost.net

Comments

  • Spencer Member

    Cloudflare stats are really wrong btw. They are VERY skewed in my experience.

    Thanked by 2Infinity NanoG6
  • @PytoHost How so?

    Offering The Best In VPS, Dedicated and Shared Hosting: Fliphost.net
  • Roph Member

    For the time that I used cloudflare I had the same experience. Their stats were so wrong. Much, much lower than what google analytics counted. Google analytics appears with almost identical results to my own Piwik stats tracking, so I'm happy with Google.

    Cloudflare also has a tendency to lie about your site / server being down when they demonstrably aren't. This means your visitors see a cloudflare page instead of your site, incorrectly stating that it's unavailable. At least once a week they would do this, hence I ditched them.

    It's happened before, you may see a cloudflare fanboy / apologist coming here and saying it's my problem, but I doubt ServInt has connectivity issues. They're not some tiny host leasing a single unstable uplink from Cogent or something.

    Cloudflare is nice in theory, but I don't trust them.

    Thanked by 1NanoG6
  • @Roph said: Cloudflare also has a tendency to lie about your site / server being down when they demonstrably aren't. This means your visitors see a cloudflare page instead of your site, incorrectly stating that it's unavailable. At least once a week they would do this, hence I ditched them.

    And the reasoning behind their motivation for doing this is what exactly?

    Appreciate my posts/software/guides? Donate (PayPal/Flattr/Bitcoin): http://cryto.net/~joepie91/donate.html | irc.freenode.net #lowendbox

  • @Roph So far I haven't had this problem of Cloudflare saying any of my sites are down

    Offering The Best In VPS, Dedicated and Shared Hosting: Fliphost.net
  • Roph Member

    Implying I know? Or care? Or that it's deliberate?

    Regardless, it's incorrect.

  • joepie91 Member
    edited May 2012

    @Roph said: Implying I know? Or care? Or that it's deliberate?

    Regardless, it's incorrect.

    I have had the issue once myself, and it was because DoS Deflate tripped out over the Cloudflare IPs.

    So far, any issues with Cloudflare seem to be on the side of the server, not that of CF, at least as far as I've seen. "Cloudflare has a tendency to lie about [...]" implies that you expect them to do it deliberately; after all, how can you know they are actually lying and not just having an issue of sorts? Hell, you don't even know whether you may have the issue.

    EDIT: Last time I asked someone 'have you contacted support', there seemed to be no response. So again, have you contacted support about it?

    Appreciate my posts/software/guides? Donate (PayPal/Flattr/Bitcoin): http://cryto.net/~joepie91/donate.html | irc.freenode.net #lowendbox

    Thanked by 1flam316
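
Both the opening question (showing the correct IP behind a reverse proxy) and the DoS Deflate report above come down to the origin attributing requests to the proxy's address instead of the visitor's. The following is an added example, not code from any poster or from Cloudflare, of the trust rule involved; nginx provides it through its realip module (`set_real_ip_from`, `real_ip_header`). The proxy ranges are documentation placeholders, the function names are hypothetical, and the sample requests are constructed.

```python
import ipaddress
from collections import Counter

# Placeholder proxy ranges (RFC 5737 documentation networks), NOT Cloudflare's
# real ranges; a real deployment loads the provider's published list.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("192.0.2.0/24", "198.51.100.0/24")]


def is_trusted(addr):
    """True if addr belongs to a reverse proxy we accept headers from."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer, headers):
    """Return the address a request should be attributed to.

    peer    -- source address of the TCP connection as the origin sees it
    headers -- request headers with lower-case names
    """
    # A peer outside the proxy ranges can put anything in these headers,
    # so they are ignored and the socket address is used.
    if not is_trusted(peer):
        return peer
    # Single-value header set by the proxy, if present and well formed.
    direct = headers.get("cf-connecting-ip", "").strip()
    if direct:
        try:
            return str(ipaddress.ip_address(direct))
        except ValueError:
            pass
    # Otherwise walk X-Forwarded-For right to left, skipping our own proxies.
    # The first untrusted hop is the client; anything left of it was supplied
    # by that client and is never used.
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: fall back to the socket address
        if not is_trusted(hop):
            return str(ip)
    return peer


def over_limit(requests, limit, key):
    """Addresses with more than `limit` requests, counted by key(peer, headers)."""
    counts = Counter(key(peer, headers) for peer, headers in requests)
    return sorted(addr for addr, n in counts.items() if n > limit)


# Constructed sample: six visitors arriving through one proxy node, a direct
# connection carrying a forged header, and one request with a forwarded chain.
SAMPLE = (
    [("192.0.2.10", {"cf-connecting-ip": "203.0.113.%d" % i}) for i in range(1, 7)]
    + [("203.0.113.200", {"cf-connecting-ip": "10.0.0.1"})] * 2
    + [("198.51.100.7", {"x-forwarded-for": "10.9.9.9, 203.0.113.50, 192.0.2.10"})]
)

if __name__ == "__main__":
    # Counting by socket address flags the proxy itself.
    print("by peer:  ", over_limit(SAMPLE, 5, lambda peer, headers: peer))
    # Counting by restored client address flags nobody in this sample.
    print("by client:", over_limit(SAMPLE, 5, client_ip))
```

Counting by socket address puts the proxy node over the limit, so a per-IP ban tool would block every visitor behind it; counting by the restored address does not, and the forged header on the direct connection is ignored.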
  • Jar Member

    I dislike cloudflare overall. For one thing, I don't like the idea that a visitor could hit my page and not be loading it from a datacenter which I am able to contact in the event of an issue. Another, I have only experienced increased load times for websites that I have tested. Granted, not significant increases, but increases nonetheless. Obviously this could vary based on location, but that brings me back to the loss of control over the user experience.

  • JTR Member

    Cloudflare is a nice idea, but in practice, I've seen nothing in return but increased load times and more downtime (those damn error pages are everywhere).

    Thanked by 1NanoG6
  • I saw the same error all the time while working at HostGator. And no, HostGator's server was not down, blocking CF, etc.

    Looking for support, sysadmin, etc. work: PM
    Working on VPSM
    Thanked by 1NanoG6
  • Aldryic Member

    @joepie91 said: And the reasoning behind their motivation for doing this is what exactly?

    Self-advertisement. Might be worth fine-combing through their TOS to see if it's something mentioned.

    Thanked by 1Infinity
  • sonic Member

    You're right!!!

    @Roph said: For the time that I used cloudflare I had the same experience. Their stats were so wrong. Much, much lower than what google analytics counted. Google analytics appears with almost identical results to my own Piwik stats tracking, so I'm happy with Google.

    Cloudflare also has a tendency to lie about your site / server being down when they demonstrably aren't. This means your visitors see a cloudflare page instead of your site, incorrectly stating that it's unavailable. At least once a week they would do this, hence I ditched them.

    It's happened before, you may see a cloudflare fanboy / apologist coming here and saying it's my problem, but I doubt ServInt has connectivity issues. They're not some tiny host leasing a single unstable uplink from Cogent or something.

    Cloudflare is nice in theory, but I don't trust them.

  • @Aldryic I just took a look through it and couldn't find anything too bad, though I guess I could have missed something. Section 7 might be the most controversial but it seems to just cover what their service does. https://www.cloudflare.com/terms

    Offering The Best In VPS, Dedicated and Shared Hosting: Fliphost.net
  • beard Member

    CF is crap, skiddies think they can hide their warez sites behind it

  • @sonic said: Cloudflare also has a tendency to lie about your site / server being down when they demonstrably aren't. This means your visitors see a cloudflare page instead of your site, incorrectly stating that it's unavailable. At least once a week they would do this, hence I ditched them.

    It's happened before, you may see a cloudflare fanboy / apologist coming here and saying it's my problem, but I doubt ServInt has connectivity issues. They're not some tiny host leasing a single unstable uplink from Cogent or something.

    Cloudflare is nice in theory, but I don't trust them.

    I see it happen all the time if a requested page takes longer than $x (30 seconds?) to load.

  • vmhosts Member

    We use them and haven’t had any issues so far (that I am aware of). We have a few larger images on our home page and were keen to try and give the best possible performance. Also our website and customer portals are hosted with a different provider (for connectivity purposes in the event of any outages) so we have less visibility over the available bandwidth.

    Page load speeds seem to be much faster and if it stops a few fraudulent orders each month it’s worth the money

  • Seems to me, Cloudflare is hit and miss depending on different people's situations

    Offering The Best In VPS, Dedicated and Shared Hosting: Fliphost.net
  • flam316 Member

    CloudFlare has halved my load time on all of my sites. I have gotten only 2 spam comments in the year + that I've been using them. Most (almost all) CloudFlare users have had around the same positive experience that I've had. As you know, most people who write reviews will write bad reviews, and for a service that controls almost 500,000 sites, it shows. Pretty good for a free service, if you ask me.

    Check out my blog at rubiverse.net
  • Jar Member

    Makes me wonder what you could do to your load times by choosing a better location and/or using a better server. Not to tear down your experience, just makes me wonder :)

    Thanked by 1nabo
  • Aldryic Member

    @flam316 said: I have gotten only 2 spam comments in the year + that I've been using them.

    ...what would CloudFlare possibly have to do with spam comments? Did you by chance enable Akismet at the same time, and not notice which one did the work?

  • nabo Member

    @Aldryic said: what would CloudFlare possibly have to do with spam comments?

    Maybe instead of his site the Cloudflare site has been shown. So nobody was able to make comments at all ;->

    "Kids, you tried your best and failed miserably. The lesson learned is: never try."

    Thanked by 2Aldryic NanoG6
  • @Aldryic said: ...what would CloudFlare possibly have to do with spam comments? Did you by chance enable Akismet at the same time, and not notice which one did the work?

    They have some JS "are you a real browser" complete-bullshit-crap-horrible-omg-please-don't apparently.

    Looking for support, sysadmin, etc. work: PM
    Working on VPSM
  • @Aldryic I forget exactly what spam database they use but they they IP addresses from spammers and such. As well as their Wordpress plugin which reports spam comments back to them and their form and IPs. At least, that's what I read.

    Offering The Best In VPS, Dedicated and Shared Hosting: Fliphost.net
  • flam316 Member

    @jarland said: Makes me wonder what you could do to your load times by choosing a better location and/or using a better server. Not to tear down your experience, just makes me wonder :)

    No matter where I place my website, without a CDN it is still only being loaded from one location. There will still be people loading my site from the other end of the world, and latency will be a problem. Obviously, putting a CDN in front of a crap origin server with a crap connection won't do much good because dynamic content/html is usually loaded from origin.

    In other words, the servers I host on are fast hardware and network wise, but nothing can compare to a CDN like CloudFlare or MaxCDN or EdgeCast for sites with any sort of international presence.

    @Aldryic said: ...what would CloudFlare possibly have to do with spam comments?

    CloudFlare blocks users/bots based on IP history. If the IP has a history of spam or attacks originating from it, then it will be blocked by CloudFlare. CloudFlare blocks mostly all spam comments and threats, which is what the service is intended to do.

    Did you by chance enable Akismet at the same time, and not notice which one did the work?

    I have Akismet enabled also, but it hasn't been doing much work because almost no (2) spam comments ever get to it.

    @DimeCadmium said: They have some JS "are you a real browser" complete-bullshit-crap-horrible-omg-please-don't apparently.

    They block based on IPs, but they also offer a browser detection feature. It does have a warning that it is not accurate 100% of the time and to turn it off if you are worried about visitors getting blocked.

    Check out my blog at rubiverse.net
  • DimeCadmium Member
    edited May 2012

    @flam316 said: They block based on IPs, but they also offer a browser detection feature. It does have a warning that it is not accurate 100% of the time and to turn it off if you are worried about visitors getting blocked.

    I wasn't sure if they did IP blocks, I just knew about the detection having seen it in action on a certain site recently. ;)

    I really dislike it... took a good 5 or 10 seconds to get past it, by which time most visitors would be gone. (This is on a fairly high-end gaming laptop, mind you, and a 20/2Mbps pipe)

    Looking for support, sysadmin, etc. work: PM
    Working on VPSM
  • lbft Member

    @Aldryic said: ...what would CloudFlare possibly have to do with spam comments?

    CloudFlare blocks/challenges IPs that have spam reports. They gather it from both Project Honeypot and reports from their customers (they even make a plugin for Wordpress that sends spam reports to them). Their original pitch was for security - the CDN/speedup stuff was them trying to counteract the slowdown of proxying every request.

    A low-traffic site of mine got compromised (most likely through the ancient custom theme on the blog) and I reinstalled Wordpress from scratch. I forgot to set up the anti-spam stuff for a couple of weeks and I didn't notice because I was only getting a couple of spam comments a week - CloudFlare was stopping the rest.

    It got compromised in the first place through CloudFlare though, so it's far from perfect.

    @DimeCadmium said: I wasn't sure if they did IP blocks, I just knew about the detection having seen it in action on a certain site recently. ;)

    To be fair, that site was dodgy enough that it probably triggered every automated system they have :P They also explicitly say that it's a bad idea to route domains that mainly serve files through CF, so maybe they throw up additional roadblocks to discourage it.

    The normal challenge is a page with a reCaptcha (which really sucks, but it's better than outright blocking).

  • @lbft said: To be fair, that site was dodgy enough that it probably triggered every automated system they have :P They also explicitly say that it's a bad idea to route domains that mainly serve files through CF, so maybe they throw up additional roadblocks to discourage it.

    ...this is true. :P

    IMO, it still would've been nice if I could've grabbed it from a server... instead of having to download however much data on my home connection... (and no, no nefarious purposes here, I just wanted to see what of me was in it.)

    Looking for support, sysadmin, etc. work: PM
    Working on VPSM
    Thanked by 1Jar
  • flam316 Member

    @DimeCadmium said: I really dislike it... took a good 5 or 10 seconds to get past it, by which time most visitors would be gone. (This is on a fairly high-end gaming laptop, mind you, and a 20/2Mbps pipe)

    Why does the speed of your connection and your laptop matter in this situation? Captchas don't care what kind of hardware you have or what network you have.

    @lbft said: It got compromised in the first place through CloudFlare though, so it's far from perfect.

    It's not a full solution, but your site could have been hacked sooner if it weren't for CloudFlare. CloudFlare isn't a solution for insecure code.

    Check out my blog at rubiverse.net
  • DimeCadmium Member
    edited May 2012

    @flam316 said: Why does the speed of your connection and your laptop matter in this situation? Captchas don't care what kind of hardware you have or what network you have.

    It wasn't a captcha, it was some JS redirect or something along those lines. Fully automated, no intervention on my part.

    Looking for support, sysadmin, etc. work: PM
    Working on VPSM
  • lbft Member

    @flam316 said: Why does the speed of your connection and your laptop matter in this situation? Captchas don't care what kind of hardware you have or what network you have.

    From a quick Google it looks like it was Cloudflare's "I'm under attack" mode, where it does some sort of JS proof-of-work thing before letting you in.

    Thanked by 1flam316
  • flam316 Member

    @lbft said: From a quick Google it looks like it was Cloudflare's "I'm under attack" mode, where it does some sort of JS proof-of-work thing before letting you in.

    Yep, and that 5 seconds delay is intentional. That's supposed to happen.

    Check out my blog at rubiverse.net
  • @flam316 said: Yep, and that 5 seconds delay is intentional. That's supposed to happen.

    Meh, it's not very smart if you ask me... like I said, most visitors will have said "screw this" and left long before those 5 seconds are up unless they've got an overwhelmingly good reason to wait.

    Looking for support, sysadmin, etc. work: PM
    Working on VPSM
  • @beard said: CF is crap, skiddies think they can hide their warez sites behind it

    Skiddies do. Not think. They do. Look at that guy who used S'E' to get through WHMCS, he released everything through his site, hidden behind a CF front.

  • gsrdgrdghd Member without signature

    ...and then he failed to remove the direct record which allowed people to circumvent Cloudflare. Btw Lulzsec was also hidden behind them and the protection never got removed.

  • flam316 Member

    @DimeCadmium said: Meh, it's not very smart if you ask me... like I said, most visitors will have said "screw this" and left long before those 5 seconds are up unless they've got an overwhelmingly good reason to wait.

    The owner of the site turned on "Attack Mode", which means that they are experiencing a large DDoS attack and can't handle the load by themselves. If CF didn't do this, their site would be down, and downtime is not good. CF keeps their site up, but visitors might have to wait 5 seconds for it to load. It's better than not having the site up at all. Pretty smart if you ask me.

    Check out my blog at rubiverse.net
  • @flam316 I also believe it's a one time load as well

    Offering The Best In VPS, Dedicated and Shared Hosting: Fliphost.net
  • @DimeCadmium said: I really dislike it... took a good 5 or 10 seconds to get past it, by which time most visitors would be gone. (This is on a fairly high-end gaming laptop, mind you, and a 20/2Mbps pipe)

    The proof-of-work page you saw only happens when a site is explicitly put into "I'm under attack mode". It's not standard. Normally you would just get a CAPTCHA if you happened to be on a blacklisted IP in the first place, and judging from my usage of it, it almost never has false positives. The closest thing to a 'false positive' is people using TOR having to enter a CAPTCHA.

    @lbft said: It got compromised in the first place through CloudFlare though, so it's far from perfect.

    How does that work?

    Appreciate my posts/software/guides? Donate (PayPal/Flattr/Bitcoin): http://cryto.net/~joepie91/donate.html | irc.freenode.net #lowendbox

  • Jar Member

    No matter where I place my website, without a CDN it is still only being loaded from one location. There will still be people loading my site from the other end of the world, and latency will be a problem. Obviously, putting a CDN in front of a crap origin server with a crap connection won't do much good because dynamic content/html is usually loaded from origin.

    Good point. I suppose I would be concerned if cloud flare cut your load time in half, not necessarily that of a visitor on the other side of the globe.

  • flam316 Member

    @jarland said: Good point. I suppose I would be concerned if cloud flare cut your load time in half, not necessarily that of a visitor on the other side of the globe.

    Well, some of my sites are in KC, some are in Miami and some are in Denver. CloudFlare has a PoP in Newark (NJ), which I'm 40 or so miles away from. They also serve your content from literally thousands of SSDs, which I don't have on any of the servers my sites are on. Also, I use their minify and asynchronous JS loader (RocketLoader) features, so yes, it still loads about twice as fast for me even though my origin servers are in the US.

    Check out my blog at rubiverse.net
  • lbft Member
    edited May 2012

    @joepie91 said: How does that work?

    The site was behind Cloudflare, but whatever requests were used to compromise it got through. It was (as far as I could figure out/guess) a bog standard exploit used to inject spam links in every .php file it could find. Nothing special but a pain in the backside to clean up.

    Ultimately it was my fault for not looking after it well enough but it would've been nice if CF had caught the initial exploit. Still, I'll be leaving it behind CF anyway because spam is enough of an issue and they're doing a good job of catching that.

  • @lbft said: The site was behind Cloudflare, but whatever requests were used to compromise it got through. It was (as far as I could figure out/guess) a bog standard exploit used to inject spam links in every .php file it could find. Nothing special but a pain in the backside to clean up.

    Ultimately it was my fault for not looking after it well enough but it would've been nice if CF had caught the initial exploit. Still, I'll be leaving it behind CF anyway because spam is enough of an issue.

    Were you using the free plan?

    Appreciate my posts/software/guides? Donate (PayPal/Flattr/Bitcoin): http://cryto.net/~joepie91/donate.html | irc.freenode.net #lowendbox

  • The butthurt in this thread is amazing. Good, good, let it spread throughout you more :)

    If it really was crap, sites as large as 4chan wouldn't have adopted it, silly kids.

    -- BOFH

    Thanked by 1bijan588
  • @Wintereise said: The butthurt in this thread is amazing. Good, good, let it spread throughout you more :)

    If it really was crap, sites as large as 4chan wouldn't have adopted it, silly kids.

    Then why was 4chan down for weeks at a time with CF

  • And if that really was true, they'd not be still using it ヽ( >∀<)ノ AHAHA AHAHA AHAHAHAHA

    -- BOFH

  • Jar Member
    edited May 2012

    I'm not sure "butthurt" is the right word to describe comparing experiences on an often misused and misunderstood CDN, but ok. I see a lot of people thinking it'll speed up their website, locally, for no real reason. It's only of benefit if it benefits you, not something to use in all cases as some like to think.

  • As for the stats, which were commented on earlier in this thread, Cloudflare just posted a new entry on their blog relating to page views: http://blog.cloudflare.com/update-more-page-view-counting-refinement

    Offering The Best In VPS, Dedicated and Shared Hosting: Fliphost.net
  • lbft Member

    @joepie91 said: Were you using the free plan?

    Yeah, so no advanced security/WAF, and I probably didn't even have the security settings on High (I incorrectly assumed mod_security on the server + free CloudFlare + up-to-date Wordpress was good enough to keep the crap at bay, but I forgot about the theme...)

    Still, the compromise likely came from a compromised server/botnet - the sort of thing you'd hope would be given a challenge page whether or not the advanced stuff picked up on the specific attack.

  • @lbft said: Yeah, so no advanced security/WAF, and I probably didn't even have the security settings on High (I incorrectly assumed mod_security on the server + free CloudFlare + up-to-date Wordpress was good enough to keep the crap at bay, but I forgot about the theme...)

    Then I can't really see how Cloudflare had anything to do with it, and how it makes them 'far from perfect'... if you assume they provide a feature that is clearly said to not be provided, I think the 'fault' is not with Cloudflare.

    @lbft said: Still, the compromise likely came from a compromised server/botnet - the sort of thing you'd hope would be given a challenge page whether or not the advanced stuff picked up on the specific attack.

    I doubt it came from a botnet. Typically servers are compromised from a shell on a hacked legitimate server, and these shells are not really used for any other things, so it's unlikely they are on any kind of blacklist until the moment it's already too late. I don't think you can expect anything like Cloudflare, Project Honeypot, Drone blacklists, etc, to block these IPs.

    Appreciate my posts/software/guides? Donate (PayPal/Flattr/Bitcoin): http://cryto.net/~joepie91/donate.html | irc.freenode.net #lowendbox

  • lbft Member

    @joepie91 said: Then I can't really see how Cloudflare had anything to do with it, and how it makes them 'far from perfect'... if you assume they provide a feature that is clearly said to not be provided, I think the 'fault' is not with Cloudflare.

    They quite clearly advertise security as a feature, including:

    Browser integrity: Automatically performs a browser integrity check for all requests to your website by evaluating the HTTP headers for threat signatures. If a threat signature is found, the request will be denied.

    I don't think I was being unreasonable in my assumption that it would be likely to block what was, as best I could determine a month later without any logs, a two-year-old common Wordpress theme exploit. That it didn't suggests that, at the very least, the free service that pretty much every LET reader is going to go for is not as effective as the marketing copy suggests it is (something that is obvious in hindsight).

    But whatever, I already said that it was ultimately my screw up, and that I'm very happy with how they've cut the amount of comment spam and other crap that hits my sites.
