finalhosting down - Page 2

  • OK, to confirm I understand correctly:

    The fact that CF can be configured so as to show TLS, but connect to the hosting server insecurely is the worry?

    If I set certificates on my server and set Full (strict) crypto option, then at least my website connection is end-to-end encrypted? Even though visitors can't be certain of that?

  • Neoon Community Contributor, Veteran
    edited May 2019

    @bikegremlin said:
    OK, to confirm I understand correctly:

    The fact that CF can be configured so as to show TLS, but connect to the hosting server insecurely is the worry?

    If I set certificates on my server and set Full (strict) crypto option, then at least my website connection is end-to-end encrypted? Even though visitors can't be certain of that?

    You make the Handshake always with cloudflare, not direct with your webserver.
    So you can never be 100% certain.
    They may even offer less secure ciphers, which is also bad.

    As I said, force TLS on your webserver and cloudflare, then you can be 100% certain that it will be encrypted.
    Still Cloudflare does decrypt your traffic temporarily for scanning.

    Thanked by 1 bikegremlin
  • NoComment Member
    edited May 2019

    @bikegremlin
    I have given up on cloudflare a very long time ago, so I may be wrong on some things. The problem with cloudflare is that it slows down a well optimized website, and does not provide any form of security in my opinion. Even with full (strict) options, I believe others can still access your server directly without going through cloudflare. Cloudflare does not really hide your ip, but they do provide you with a shared SSL certificate and a shared ip. I mean, a shared certificate is probably fine in most cases, but is that really okay if you have any kind of payment processing going on in your website? And yes, you don't need dedicated ipv4 for SEO but how many sites get hosted on 1 ipv4 by cloudflare? What if there's bad websites hosted on your ip?

    In any case, if you truly want to hide your ip, I suspect you may have to put a proxy in front of your webserver in which case you reveal your proxy's ip. What happens then if your proxy is ddosed? I guess your webserver gets affected as well.

    Would be nice if anyone experienced with cloudflare could shed some light on this topic :)

    Thanked by 1 bikegremlin
  • bikegremlin Member
    edited May 2019

    Further discussing - again, based on my knowledge and understanding, so I'd really appreciate any corrections, or explanations:

    Hiding IP using CF is possible if all the traffic goes through CF. That means using a separate service for mail, for one. Same goes for FTP connection.

    It does add a certain lag on some occasions. But that depends on various things (again, all I'm writing is based on my testing/experience, so not claiming it IS so).

    One example: a poor hosting server - that's what got me to use CF in the first place. There, the fact that images are downloaded from CFs cache did help improve things.

    Also - CF Railgun. If using CF free plan (so practically no CDN for anything but images), it does speed up average page load times for visitors that aren't close to the server - with no measurable slow-downs for those that are near.

    However, the main reason for my using it nowadays is the super convenient DNS. Server (and server IP) changes get propagated instantly. Super-convenient when migrating websites. I suppose using custom nameservers could solve that for me, am I right?

    For payment websites, CF does sell SSL (5$ per month if memory serves me). That is an extra cost - for a website that makes money. Would LetsEncrypt do for that, if one is not using Cloudflare?

    I haven't been able to measure any negative results of using the shared CF IP. How does one check? Number of visitors and Google ranking don't seem to be decreasing, but maybe they would increase further without the CF? :/

    My conclusion so far has been that CF does more good than harm, so this discussion is educational (for me at least, perhaps it should be moved to a separate topic).

  • CF can help if you use a shitty shared hosting without http/2 support, or if your visitors are far from your server. This comes at a cost (even on the free plan): user privacy.

    If you have a small website and want to improve page loading from far from your server at no cost, it can be an effective solution (as would using a cdn for images/static assets only, with less privacy cost as traffic to the main pages, logins etc would still be end to end encrypted). If you are a provider / handle customer private data or stuff like that, using CF will give your customers' personal info to CF (if your form is behind CF) and it will make it sound like you don't have the gear / knowledge to handle the attacks that CF is supposed to protect you from, and this sounds silly if you're selling DDOS protected IPs or stuff like that.

    Thanked by 2 bikegremlin uptime
  • So the problem/concern is that CF, even with secure connection, decrypts the data once it arrives on their server, then re-encrypts it - both for the data going from visitor to the hosting server and vice-versa?

  • bikegremlin said: So the problem/concern is that CF, even with secure connection, decrypts the data once it arrives on their server, then re-encrypts it - both for the data going from visitor to the hosting server and vice-versa?

    Exactly, that's the way it works. Not a bad thing performance wise (TLS negotiation is closer to your visitor, and it saves an extra DNS lookup that would otherwise be needed if you use a subdomain to host your static assets on a CDN) but encryption isn't from your user to your server anymore, but USER <--> CF <--> SERVER: CF can see/filter/log whatever they please.

    Thanked by 1 bikegremlin
  • OK, thanks for the explanation.
    If I set up shop.mywebsite.com, and set it on Cloudflare to not use it ("gray cloud"), would that enable me to keep using CF for mywebsite.com, while having end-to-end encryption for the sales?

  • Yep. You could even use a subdomain for your static assets so that even on the "gray cloud" subdomain pages you benefit from the CDN.

    Thanked by 1 bikegremlin
  • Smarter than I was this morning. :) Thank you all for explaining this and apologies for the off-topic.

    Thanked by 1 datanoise
  • FHR Member, Host Rep

    @bikegremlin said:
    OK, thanks for the explanation.
    If I set up shop.mywebsite.com, and set it on Cloudflare to not use it ("gray cloud"), would that enable me to keep using CF for mywebsite.com, while having end-to-end encryption for the sales?

    No. You won't get any of CloudFlare's benefits in terms of caching, DDOS protection and your server IP will be exposed.

  • bikegremlin Member
    edited May 2019

    @FHR said:

    @bikegremlin said:
    OK, thanks for the explanation.
    If I set up shop.mywebsite.com, and set it on Cloudflare to not use it ("gray cloud"), would that enable me to keep using CF for mywebsite.com, while having end-to-end encryption for the sales?

    No. You won't get any of CloudFlare's benefits in terms of caching, DDOS protection and your server IP will be exposed.

    I understand that. My thinking is:
    I'm using hosting SMTP for e-mail, so IP is exposed anyway. If that would happen to stop being the case (dedicated IP mail sending services cost around 50 to 100 $ per month from what I could see), then it would be worth worrying about exposing the server IP.
    Then I would need to setup shop.mydomain.com on a separate hosting server, if I wanted to protect the IP of the mydomain.com from becoming visible?

    Mydomain.com would get to use CF - as before, but yes, shop.mydomain.com would run "around" CF, not using any of the pros and cons it offers. If I understood it all correctly.

  • @bikegremlin
    You're right, but at the same time you're thinking too much. If you plan to make an eshop, it is very dynamic and not very suitable for a shared hosting environment. I was once like that and thought too much about minor details instead of actually working on what mattered.

    If/When your project gets bigger and requires a good vps/dedicated server, then it's time to really think through all these minor details before you migrate your site. However, any minor mistake could reveal your ip even if you are using cloudflare. But there's no real reason to hide your ip unless you intend to do illegal things. Security by obscurity works somewhat, but can sometimes be counterproductive.

    A potential solution to all your worries could be to use cloudflare, pay for their private SSL certificate, and then whitelist only cloudflare ips. Then you are relatively safe.

    Thanked by 1 bikegremlin
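
An added example, not written by anyone in this thread: the posts above say that mail, FTP and "gray cloud" records reveal the server IP, and that the origin should accept only the proxy's IP ranges. The Python below audits a constructed zone for records that disclose the origin address and applies that allowlist; the `mysite.example` names, the addresses and the function names are assumptions, and the ranges are documentation placeholders rather than Cloudflare's published list.

```python
import ipaddress

# Constructed sample data. The ranges are RFC 5737 documentation blocks used
# as placeholders, not real Cloudflare ranges; load the published list instead.
PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
ORIGIN_IPS = {ipaddress.ip_address("203.0.113.10")}

# Constructed zone as (name, type, value). Proxied ("orange cloud") names
# answer with an edge address, DNS-only ("gray cloud") names with the server.
ZONE = [
    ("mysite.example", "A", "198.51.100.7"),
    ("english.mysite.example", "A", "198.51.100.8"),
    ("shop.mysite.example", "A", "203.0.113.10"),
    ("mail.mysite.example", "A", "203.0.113.10"),
    ("ftp.mysite.example", "CNAME", "shop.mysite.example."),
    ("mysite.example", "MX", "10 mail.mysite.example."),
    ("mysite.example", "TXT", "v=spf1 ip4:203.0.113.10 -all"),
]


def origin_accepts(source_ip):
    """Origin firewall rule: accept web traffic only from the proxy ranges."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in PROXY_RANGES)


def resolve(name, zone, depth=0):
    """Follow A and CNAME records inside the zone and return the IPs reached."""
    if depth > 8:  # guard against CNAME loops
        return set()
    ips = set()
    for rname, rtype, value in zone:
        if rname != name:
            continue
        if rtype == "A":
            ips.add(ipaddress.ip_address(value))
        elif rtype == "CNAME":
            ips |= resolve(value.rstrip("."), zone, depth + 1)
    return ips


def audit(zone, origin_ips):
    """Return sorted (name, type) pairs of records that disclose an origin IP."""
    findings = set()
    for name, rtype, value in zone:
        if rtype == "A":
            exposed = ipaddress.ip_address(value) in origin_ips
        elif rtype == "CNAME":
            exposed = bool(resolve(value.rstrip("."), zone) & origin_ips)
        elif rtype == "MX":  # value is "<preference> <mail host>"
            host = value.split()[-1].rstrip(".")
            exposed = bool(resolve(host, zone) & origin_ips)
        elif rtype == "TXT":  # SPF ip4: mechanisms list sending addresses
            nets = [ipaddress.ip_network(tok[4:], strict=False)
                    for tok in value.split() if tok.startswith("ip4:")]
            exposed = any(ip in net for ip in origin_ips for net in nets)
        else:
            exposed = False
        if exposed:
            findings.add((name, rtype))
    return sorted(findings)


if __name__ == "__main__":
    for name, rtype in audit(ZONE, ORIGIN_IPS):
        print(f"{rtype:5} {name} discloses the origin address")
    print("direct hit from 192.0.2.55 accepted:", origin_accepts("192.0.2.55"))
```

The allowlist only closes direct web access; every record the audit reports still publishes the server address, which is why the thread suggests separate mail and shop hosts.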
  • jsg Member, Resident Benchmarker

    Yes, there is, among others, a serious security problem. Example: You either give them your private key (are you really sure, you want to do that??) or you don't. If you don't and some other cert is used on the CF side, then your visitors are cooked and have no chance to know that their communication isn't trustworthy and can be seen, changed, logged, stolen, ...

    Then there is also the big ugly truth that there is no free lunch. Someone has to pay for all those funny "free" services provided. Officially I guess that someone is "the rich paying large corporations" but, pardon me, I don't think that's true. From everything we know it's always the small fries who pay the price ("with free services you are the real product").

    Finally it seems to me that while CF might sometimes make things faster, e.g. for the few exceptions who visit your site from the jungle at the other side of the globe, it very often actually makes it slower. After all, all those wonderful services provided by CF don't happen in zero time, nor do the additional hops/the routing through CF.

  • FHR Member, Host Rep

    jsg said: Yes, there is, among others, a serious security problem. Example: You either give them your private key (are you really sure, you want to do that??) or you don't. If you don't and some other cert is used on the CF side, then your visitors are cooked and have no chance to know that their communication isn't trustworthy and can be seen, changed, logged, stolen, ...

    It all depends on the sensitivity of information you're sending through. Would I use them to handle payment details? Absolutely no. Will I use them for a site which doesn't even have a login form? Maybe, depends on the project.

    jsg said: Then there is also the big ugly truth that there is no free lunch.

    Indeed. You are paying by data.

    jsg said: it very often actually makes it slower.

    Certainly true, unless you pay for their Argo scam. However, it's still a good way to mitigate a layer 7 DDOS on the cheap for a static website or a blog.

    Thanked by 1 uptime
  • FHR said: Certainly true, unless you pay for their Argo scam. However, it's still a good way to mitigate a layer 7 DDOS on the cheap for a static website or a blog.

    Is this really necessary? Wouldn't it be viable to just use free cloudflare and whitelist only cloudflare ip ranges? Just curious if you'd know - I don't plan to use cloudflare though.

    I think cloudflare does make things faster, provided either your webserver is poorly optimized, or your host is terrible.

  • bikegremlin Member
    edited May 2019

    For me personally:

    I have a cycling website that is already No1 in my region (former Yugoslavia countries) and I expect it to become recognized worldwide in a few years' time.

    Set it up with the English (international) version on a subdomain, using a separate WordPress installation. Thought it would allow more stable performance in the long run.

    This allows me to host mysite.com on a server close to home and english.mysite.com on a US based server.

    Now, since I've already got visitors (something most e-shops have problems with), I think it would make sense to set up shop.mysite.com. Not planning to make it Amazon like (if I grow that big, I'd see about some sponsorship, putting my name on other shop products/bikes etc.), but expecting to earn a few dollars. Simple t-shirts and stuff. And, if I make a deal with a bike manufacturer, I thought about selling some bicycles over my website - but not in my stock, or brick and mortar shop (in a year or two).

    Cloudflare's (free) DNS makes it convenient to set up websites on different servers. It also allows 1-second migration - since the new IP is propagated practically instantly.
    Is there another (affordable) option to point subdomain to a different server IP?
    Is there a reason to not use CF only for that, skipping their server otherwise (gray cloud)?

    Not planning anything illegal. Quite the opposite - and CF's advertised protection was one (though speed was primary) of the reasons for giving it a try.

    This discussion has been eye-opening. I googled a bit and found this text explaining all the problems and offering some alternatives:

    http://cryto.net/~joepie91/blog/2016/07/14/cloudflare-we-have-a-problem/

    Another important aspect is giving advice to clients. Yes, there are people who know even less than I do :) and I often get asked to help - knowing I have my website. E-commerce is beyond my competence level and I tell such clients to look further. I set up / maintain WordPress websites, give advice on hosting or offer my reseller account share, but would like to test with my own e-shop, then after figuring it all out be able to offer that as well.

  • NoComment Member
    edited May 2019

    @bikegremlin
    I think the simple solution is to pay for a decent vps that is ddos protected, and use cloudflare (gray cloud) to point to that vps for your eshop. Your eshop is going to have people making accounts, logging in, adding items to cart, making wishlists, reviewing, commenting and so on and so forth. It will be more dynamic, use more processes, have bigger databases, use more space (images) etc etc. than your normal blog. Don't waste your time on shared hosting if you believe you have decent traffic, and pay for a vps. You can run ecommerce on wordpress, though I do not know if that uses much more resources than other solutions or not.

    P.S. A real cdn can be very affordable. For example, bunnycdn charges around $5/TB if you choose only the prominent US/EU locations. It will be faster than cloudflare.

    Thanked by 1 bikegremlin
  • jsg Member, Resident Benchmarker

    Yes. If you really need good global content delivery then go to a decent provider and pay. Otherwise, just spend a bit more for a better VPS and be done.

    And btw, no CDN makes often sh_tty configured DB and web servers or PHP scripts better. So, if you are serious about good delivery (incl. good TTP times) that's where you should concentrate on rather than hoping that some CDN - in particular a "free" one - somehow magically makes a crap site perform well for the users.

  • hzr Member

    bikegremlin said: This allows me to host mysite.com on a server close to home and english.mysite.com on a US based server.

    You can do this with any DNS provider.

    Thanked by 2 uptime bugrakoc
  • donli Member

    @datanoise said:
    Yep. You could even use a subdomain for your static assets so that even on the "gray cloud" subdomain pages you benefit from the CDN.

    Yes you frequently see static assets like images served from a subdomain like static.mycompany.com or images.mycompany.com.

  • bikegremlin Member
    edited May 2019

    @hzr said:

    bikegremlin said: This allows me to host mysite.com on a server close to home and english.mysite.com on a US based server.

    You can do this with any DNS provider.

    Any free, or low budget one that is good (reliable) you could recommend?
    Is there anything wrong/problematic with using Cloudflare for that purpose alone?

    @smallbibi and @jsg

    As for the VPS vs Shared. Again, correct me if I'm wrong:

    I've moved a client's website from a (obviously overloaded and poorly managed) VPS to what seems to be a good quality shared hosting with MDDhosting. It's been running fast and stable ever since.

    They use CloudLinux (as many other shared hosting providers) and allow for substantial resources at a price that looks affordable compared to a managed VPS with similar RAM, CPU, IOPS, I/O etc. I understand not being able to hog 100% of the CPU/RAM 100% of the time - but isn't that the case with most VPS-s as well?

    My thinking is: as long as the provider is overselling and not overloading, I'm good. VPS would surely offer more customization and separation from other users, but I'm not 100% convinced it would provide a better performance. At least when comparing a good quality shared hosting vs similarly priced managed VPS. Am I wrong?

    Currently my websites are far from reaching allotted resource limits of the shared hosting. To the best of my knowledge they have been decently optimized. CPU gets to about 20% (one vCPU core of a shared hosting), hardly ever going over 40%, with very rare peaks to 100% (when updating posts, sorting categories etc), while other resources are below 10% 99% of the time.

    So my estimate is I'm still very far from needing anything more powerful.
    If the shop turns out differently, I'd definitely be looking for advice on "more powerful" hosting. But apart from performance, is there a reason a shop must be on a VPS, if using a reputable/reliable shared (reseller) hosting provider?

    Unmanaged VPS is not the best option for me now. I'm not yet interested in setting up, patching and monitoring a VPS. All my knowledge and experience is with Windows servers, installed Linux only on a personal computer to try it out.

    For shared/reseller: Veerotech, MDDhosting and - if it remains as good as it's been for now - HostMantis come to mind. Tried all three, couldn't complain.

    With CDN, like with resources, I'm not sure I need one for now. Websites load fast. Having the "native language" website version hosted on a server near home did provide much better load times, but the international version gets most visits from America and UK (about 90%), so I guess one server, US east coast would work fine. Apart from China, Russia and Australia, page load times are below 3 s on average.

    I'm not expecting Cloudflare to fix a poorly performing server, nor a poorly optimized website (did the homework to the best of my ability, both with optimization/caching and with finding a better quality hosting). But I did start using it as a free way to get some extra performance, not aware of any downsides (apart from another proxy in between that can complicate things and make troubleshooting more complex, but did manage to make it work relatively quickly/easily - it is quite idiot friendly).

  • jsg Member, Resident Benchmarker

    That's a totally different issue. Probably the major point in shared hosting vs. VPS is that a VPS gives you way more options and full control; on the other hand one of course must know one's way, so for inexperienced users shared hosting might be the better option. But again, that's little to do with what we discussed here.

    Re your last paragraph (which is on topic): I doubt that CF makes things faster, at least in the vast majority of cases. For one, looking at it realistically the large majority of sites we discuss here (low end VPS and dedi) simply don't have the global audience that would necessitate good access times/TTP CF (is assumed to or) does provide.

    Plus there's the question of what CF can actually really do for your web site - and what's the (not necessarily $) cost.

    The overall performance/experience is basically defined by two elements, (a) the site's performance as such (the server and software) and (b) the "travel times". Regarding (b) one must consider the fact that CF pretty much always basically comes down to a detour. Another factor often not seen is that if your server is on a poor network then the connection to CF will be poor, too. Plus, neither the added travel through CF nor their processing happen in 0 time.

    And indeed I have seen quite some cases where CF actually slowed down a site (seen from the user), in more than a few exceptional cases even significantly, not even speaking of the immensely high cost of CF's security theater (e.g. "show that you are not a robot" games).

    Yes, there are cases where a CDN can and does improve performance but those are not really relevant with "$7 max!" VPS low end servers. If you really have a global audience and it's really important to provide a performant experience, e.g. for a large e-commerce or service site, then the most relevant factor will not be CF but rather to have a good server on a good network along with well configured services. Adding a CDN is only one and only a secondary additional factor - and then I'd use a serious CDN provider and not a jack of all trades behemoth like CF.

    Another often overlooked performance factor is something quite different, the DNS. Because that very often is the one factor that really defines the user experience. More often than not poor DNS is the culprit of "oh that web site is so slow".

    Btw, there are some quite good alternatives here at LET who IMO will almost always deliver a better service than CF, in part because they do one thing and do that properly.

    Thanked by 1 bikegremlin
  • hzr Member
    edited May 2019

    jsg said: And indeed I have seen quite some cases where CF actually slowed down a site (seen from the user), in more than a few exceptional cases even significantly, not even speaking of the immensely high cost of CF's security theater (e.g. "show that you are not a robot" games).

    I see this quite a bit outside strictly major US/EU location. Especially if on anything lower than business plan - your expensive australian/hong kong origin server with local traffic now being rerouted via los angeles or something..

    if your static jpg's are causing your webserver to fall over and caching them fixes this.. this is something you should fix and not try to re-tape together

  • jsg Member, Resident Benchmarker

    @hzr
    Yes. That.

    Thanked by 1 FHR
  • bikegremlin Member
    edited May 2019

    @jsg said:
    And indeed I have seen quite some cases where CF actually slowed down a site (seen from the user), in more than a few exceptional cases even significantly, not even speaking of the immensely high cost of CF's security theater (e.g. "show that you are not a robot" games).

    Looking at Google Analytics stats: Cloudflare with Railgun enabled does result in better average page load times. If that is a relevant way of testing "real user experience".

    If that is the case, is there a reason not to use it for a non-ecommerce website?

    Another often overlooked performance factor is something quite different, the DNS. Because that very often is the one factor that really defines the user experience. More often than not poor DNS is the culprit of "oh that web site is so slow".

    Btw, there are some quite good alternatives here at LET who IMO will almost always deliver a better service than CF, in part because they do one thing and do that properly.

    Is CF not a good option for DNS alone?
    Could you recommend a good (preferably budget if possible) alternative?

  • datanoise Member
    edited May 2019

    If the backend is in AU/HK/JP/CN/SG or the like CF might be a really bad idea, but if it's in US/EU it won't hurt much. At worst it will add an extra hop, and at best (if your static files are cached on a CF edge node closer to your user) the site will load faster. Again this does have a cost (MITM).

    Full page caching + decent config (and a host with a good network!) is more important than a CDN, be it CF or a paid alternative. And indeed, if you don't have enough global traffic a CDN will be useless.

    @bikegremlin your setup seems great for your needs, if you want you can add CF (or another CDN) for your english/global website (static files? whole pages? your choice... you can even use "cache everything" to serve your pages from the edge - probably not needed in your case, and more complicated to set up) but it's probably not needed for the local one as it's already hosted close to your audience. Even for the global one, on the US east coast, you should be pretty good for most visitors.

    VPS vs shared: If you know what software you want and how you want it configured a VPS will give you more flexibility and more performance for the buck (php-fpm setup the way you want, nginx serving pre-gzipped cached pages...) for a managed setup, if you don't know what you want you're probably as well on a decent shared hosting.

    Thanked by 1 bikegremlin
  • datanoise Member
    edited May 2019

    bikegremlin said: is there a reason not to use it for a non-ecommerce website?

    As your backend for the global version is in the US, my opinion is that it wouldn't hurt performance wise and could be better for some visitors far away (IN, AU for example... even if it won't be perfect, which you obviously don't expect for the price). As always do your own benchmarks and see for yourself. Gtmetrix (you need an account to test from their various locations) is a good start.

    A good reason would be that you dislike CF or the privacy issue we mentioned earlier. If you don't care you can use it.

    bikegremlin said: Is CF not a good option for DNS alone?

    It seems to work pretty well and to offer really fast results in most of the world. I'd like to hear of good alternatives as well. ClouDNS seems nice, but I didn't try them yet.

    Thanked by 1 bikegremlin
  • Neoon Community Contributor, Veteran

    DNS discussion is always interesting, so let's say you have a record that has a TTL of 60 minutes, do you really need a DNS server with less than 20ms response?

    I doubt it, even one with 120ms or 200ms will do it.

    Thanked by 1 datanoise