Alternative to Cloudflare


edited April 2022 in Requests

I would like an alternative to Cloudflare as a CDN, DNS, anti-DDoS service, and mail router, preferably at a cheap price.

As much as I commend its technical achievements, CF has a number of problems that are difficult to ignore (https://gitea.it/you/stop_cloudflare/src/commit/af85d25774c92c3728c9b1b6107d2adc2fc51244/PEOPLE.md). As a result, I would like to know what my options are.


Comments

  • Even if you switch to another provider, that is another man in the middle, so I don't see the point of you linking that. So you would trust another company to sniff your data but not Cloudflare?

  • Cloudflare can be used as a DNS, and does that great.

    If you disable the other options (grey cloud instead of an orange one), there's no worries about the MiTM - it just works as a very good DNS.

    Then you have to find a good CDN (if you really need one) and see about the anti-DDOS if what your hosting provides doesn't cut it.

  • edited April 2022

    @Ahfaiahkid I'm not suggesting that anyone else is less culpable. However, I'd rather know what's out there and make a judgement for myself. The "every provider is a MITM" argument defeats the purpose of there being an Internet. The point of this forum rests on being able to exercise reasonable discretion on who one associates with, contractually or otherwise.

  • miau Member

    Keep Cloudflare's dns, Use other provider's push cdn.

    Thanked by Chuck
  • @bikegremlin @miau Any CDN or anti-DDOS service you would recommend?

  • @Becomeanvillain said:
    @bikegremlin @miau Any CDN or anti-DDOS service you would recommend?

    I haven't used it personally, so take this with a bucket of salt:
    Bunny CDN is not too expensive, and far from the worst option.

    Having said that, I don't think a CDN is a must for most websites (more hype than real difference).

    For anti-DDOS - no idea, sorry. :(

  • OVH for legit DDOS protection.
    VPS or Dedicated server.

    Thanked by gemuruhco
  • jackb Member, Host Rep
    edited April 2022

    stop_cloudflare

    Has stophaus been released from jail?

  • rm_ IPv6 Advocate, Veteran

    CDNs are overrated. Get a VPS/dedi from a DDoS-protected provider, and self-host the rest.

    Thanked by jsg
  • @Becomeanvillain said: CDN, DNS, anti-DDOS service, and mail router

    Well, maybe:

    • DNS: keep CloudFlare without proxy activated
    • CDN: BunnyCDN for example
    • Mail router: SimpleLogin or AnonAddy
    • Anti-DDoS: any provider that provides anti-ddos (OVH, BuyVM with option to use PATH.net, ExtraVM, etc.)
  • I used Sucuri before GoDaddy bought them. It was pretty good and their DDoS Protection was better than what Cloudflare Free and Pro offered. I had Cloudflare Business which was good, but in the long run it was too expensive.

  • Tejy Member

    For CDN usage, Akamai.

  • Stackpath is good option.

  • I would like to know what my options are.

    You have a whole internet of different options for where and how to achieve your goals. But nobody will do it for you for free.

  • miau Member
    edited April 2022

    @Becomeanvillain said:
    @bikegremlin @miau Any CDN or anti-DDOS service you would recommend?

    If eliminating the middleman is one of your big objectives, you will need a push CDN or any CDN that doesn't use the reverse proxy method. For a small site, the Amazon CloudFront free tier should be enough.

    Personally, I don't use a 'real' CDN because my target audience is located in only a single region. For this I use Azure Blob Storage to deliver static contents.

  • dane_doherty Member
    edited April 2022

    @Becomeanvillain said: I would like an alternative to Cloudfare as a CDN, DNS, anti-DDOS service, and mail router and preferably at a cheap price.

    CDN: you don't need one
    DNS: just use your domain provider's. In my experience Cloudflare DNS was actually ridiculously slow compared to Namecheap.
    Anti-DDoS: you don't need one / just use your VPS provider's / https://ddos-guard.net/
    Mail router: mxroute

    Take a look at what all the alt-right and neo-nazi websites use. It's usually a good indication.

  • darb Member

    does anyone know what or how many locations CF runs dns on, or would it be all of them?

  • Erisa Member

    @darb said:
    does anyone know what or how many locations CF runs dns on, or would it be all of them?

    All of them, all the time. All ~250 cities.

  • JasonM Member
    edited April 2022

    I could not find many alternatives to Cloudflare with similar features.
    Just use Cloudflare DNS with the minimum/low security setting, and disable full-page caching; your site will run faster with fewer bugs, as mentioned in the OP's linked post.

    @darb said: does anyone know what or how many locations CF runs dns on, or would it be all of them?

    It seems they have DNS resolvers in most locations or PoPs, which they call tier-1 centers or the major caching locations. It might be that they are now serving DNS from each of their 250 locations.

  • MannDude Host Rep, Veteran

    Been messing with some anycast projects with the goal to deploy https://incogdns.com and https://incogcdn.com

    Still just testing stuff for now, but many people want simple dns and simple cdn storage.

    Thanked by sillycat
  • Cloudflare is secure as long as you switch the SSL type from Flexible to Full (Strict). You must install their origin cert on your server, but that negates most of these negative comments. Some people haven't figured that out yet.

    Thanked by JasonM
  • We definitely need an alternative to Cloudflare.

    This is an alternative:
    https://fluxcdn.com/

    They accept PayPal and Crypto.

  • Erisa Member

    @be9hop said:
    Cloudflare is secure as long as you switch the SSL type from Flexible to Full (Strict). You must install their origin cert on your server but that negates most these negative comments. Some people haven't figured that out yet.

    Hi, I want to preface this message by saying that I'm an extremely heavy Cloudflare user, but I respect other people's varying views on the subject.

    Changing the SSL to Full (Strict) is always a good idea because it prevents parties other than you and Cloudflare from seeing the traffic. This is great and I think is why you sent that message.

    However when I look through the link the OP gave, their concern was more that Cloudflare has access to the data to begin with, which they still will if the SSL is set to Full (Strict).

    For any proxied record, SSL termination will happen at Cloudflare, which makes sense to anyone who understands how a CDN is supposed to work, but some people dislike this for various privacy and security concerns related to having to trust Cloudflare with their production traffic.

    Thanked by bikegremlin, _MS_
  • @Erisa said: Changing the SSL to Full (Strict) is always a good idea because it prevents parties other than you and Cloudflare from seeing the traffic. [...] For any proxied record, SSL termination will happen at Cloudflare [...]

    Just to add:
    Even the "Full" setting (so not "Full-strict") will make the traffic be encrypted.
    The difference is that the Full setting will make Cloudflare happy with using your self-signed certificate, instead of a certificate issued by a trusted CA.

    Now, we can debate for days whether any CA is to be trusted and whether a self-signed cert, especially if renewed regularly, is more, or less secure. But that's a different topic IMO.

  • bulbasaur Member
    edited April 2022

    @bikegremlin said: Even the "Full" setting (so not "Full-strict") will make the traffic be encrypted.

    Right, but someone could still MITM the connection between Cloudflare and the origin by presenting any self-signed certificate, which Cloudflare would happily accept in the (non-strict) Full mode.

    Further, these days it's easy to get a certificate of the same domain name behind Cloudflare through the DNS-01 challenge. If you use caddy, it's just two lines of configuration.

    Thanked by Erisa, bikegremlin
  • Erisa Member
    edited April 2022

    @bikegremlin said: Even the "Full" setting (so not "Full-strict") will make the traffic be encrypted. The difference is that the Full setting will make Cloudflare happy with using your self-signed certificate, instead of a certificate issued by a trusted CA.

    As has been noted above, the issue here is precisely the fact that the certificate is self-signed. For sure it is better than leaving your traffic bare and naked to the web, but an ISP can still theoretically MITM your connection by replacing it with their own self-signed cert, and not only will Cloudflare be fine with that, it also won't tell you.

    The Origin Certs that Cloudflare provides for you are the answer if you potentially don't trust the CAs, since the origin cert is trusted by Cloudflare and Cloudflare is who you are trusting with all your traffic in this scenario.

    SSL/TLS does not work without proper certificate trust. A self-signed certificate is never secure unless the other end has been specifically told to trust your personal CA and no others.

    Thanked by bikegremlin
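The Full versus Full (strict) distinction discussed in the posts above, as an added example that is not from the thread and not Cloudflare's code: a small POSIX shell script driving the openssl CLI. It builds a private "origin CA" (a stand-in for Cloudflare's Origin CA; the CA name, example.com and all paths are placeholders), issues an origin certificate from it, and also makes a rogue self-signed certificate with the same CN, the kind an on-path attacker could present. A Full-style check (any certificate that parses is accepted) passes both; a strict check (must chain to the trusted CA and match the hostname) rejects the rogue one. It assumes an openssl binary (1.1.1 or later) on PATH with its default config installed.

```shell
#!/bin/sh
# Added example (not from the thread or from Cloudflare): "Full" vs "Full (strict)"
# modelled with the openssl CLI. example.com, the CA name and all paths are placeholders.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_certs() {
    # Private CA standing in for Cloudflare's Origin CA (hypothetical name).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/origin_ca.key" -out "$WORK/origin_ca.pem" \
        -subj "/CN=Example Origin CA" >/dev/null 2>&1
    # Legitimate origin certificate for example.com, issued by that CA.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/origin.key" -out "$WORK/origin.csr" \
        -subj "/CN=example.com" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/origin.csr" \
        -CA "$WORK/origin_ca.pem" -CAkey "$WORK/origin_ca.key" -CAcreateserial \
        -out "$WORK/origin.pem" >/dev/null 2>&1
    # Rogue self-signed certificate an on-path attacker could mint: same CN,
    # but no trusted issuer behind it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" \
        -subj "/CN=example.com" >/dev/null 2>&1
}

# Subject line of a certificate, e.g. "subject=CN = example.com".
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# "Full" mode: the connection is encrypted, but any certificate that parses is
# accepted; no issuer check, no hostname check. Exit 0 = accepted.
full_mode_accepts() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# "Full (strict)" mode: the certificate must chain to a CA the edge trusts
# (here our origin CA) and its name must match the host. Exit 0 = accepted.
strict_mode_accepts() {
    openssl verify -CAfile "$WORK/origin_ca.pem" \
        -verify_hostname example.com "$1" >/dev/null 2>&1
}

make_certs
for cert in origin rogue; do
    full=rejected; strict=rejected
    full_mode_accepts "$WORK/$cert.pem" && full=accepted
    strict_mode_accepts "$WORK/$cert.pem" && strict=accepted
    echo "$cert.pem [$(cert_subject "$WORK/$cert.pem")]: Full=$full  Full(strict)=$strict"
done
```

Both certificates carry the identical subject, which is exactly why a name-only check cannot tell them apart; only the chain check in the strict function does. The two functions model what the edge accepts, not Cloudflare's actual implementation.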
  • @Erisa said: As has been noted above, the issue here is precisely the fact that the certificate is self-signed. [...] an ISP can still theoretically MITM your connection by replacing it with their own self-signed cert and not only will Cloudflare be fine with that, it also won't tell you.

    One thing is not clear:
    In the settings, I tell Cloudflare which IP to look for.
    Wouldn't such MITM attack require the attacker to fake the IP as well, and would that be possible (especially if they don't know which IP that is)?

  • Erisa Member
    edited April 2022

    @bikegremlin said: One thing is not clear:
    In the settings, I tell Cloudflare which IP to look for.
    Wouldn't such MITM attack require the attacker to fake the IP as well, and would that be possible (especially if they don't know which IP that is)?

    They wouldn't fake the IP directly, no.

    Connections to IPs normally go through multiple ISPs to meet their destination (which is why traceroute/mtr exist) - any one of these ISPs (or someone persuading them) is a potential launch target for a MITM attack like this. Not every ISP holds the same morals as another, and depending on your website any number of things

    Finding which IP goes to which hostname is harder, but not impossible. Usually even HTTPS requests have plain SNI which shows the hostname they're after.

    Sure, the chances are slim, but at the same time it's also an easily solvable problem, so you might as well have the most security rather than leave a hole for attackers.

    EDIT: For a more detailed explanation see @stevewatson301 below.

    Thanked by bikegremlin
  • bulbasaur Member
    edited April 2022

    @bikegremlin said: One thing is not clear: In the settings, I tell Cloudflare which IP to look for. Wouldn't such MITM attack require the attacker to fake the IP as well, and would that be possible (especially if they don't know which IP that is)?

    Given the right set of conditions, a malicious ISP can publish a BGP announcement such that the traffic for a certain prefix is routed through them instead, and then present their own certs while the IP datagrams of interest are routed via said malicious ISP. Search for "BGP hijacking".

    Figuring out your origin isn't that difficult either; if you have a website that sends email over SMTP, the "Received" header may expose your origin IP. Or you could look for the website's headers, titles etc. on Shodan/Censys, or look up historical DNS records through Securitytrails (or similar security products).

    Thanked by Erisa, bikegremlin
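The Received-header leak mentioned in the post above, turned into a check a site owner can run against a message their site sent, as an added example that is not part of the thread: a POSIX shell script that unfolds the headers of a message, pulls every IPv4 literal out of the Received: lines, and reports the ones that fall outside a list of addresses you expect the world to see. The sample message is constructed, and KNOWN_RANGES is a placeholder (a stand-in relay range plus loopback), not Cloudflare's or any provider's published list; substitute the real ranges for your setup. It assumes awk, grep -E and sort.

```shell
#!/bin/sh
# Added example (not from the thread): does a site's outbound mail leak the
# origin IP in its Received: headers? The sample message is constructed and
# the ranges are placeholders, not any provider's real list.
set -e

# Constructed sample: the site mails through a relay at 203.0.113.5, but the
# relay keeps the hop from the origin web server (198.51.100.7) in the chain.
SAMPLE_MAIL='Received: from relay.example.net (relay.example.net [203.0.113.5])
    by mx.recipient.example (Postfix) with ESMTPS id 4ABC
    for <user@recipient.example>; Mon, 4 Apr 2022 10:00:00 +0000
Received: from web01.example.com (unknown [198.51.100.7])
    by relay.example.net (Postfix) with ESMTP id 123
Received: from localhost (localhost [127.0.0.1])
    by web01.example.com (Postfix) with ESMTP id 7F
From: noreply@example.com
Subject: Password reset

Click the link to reset your password.'

# Addresses that are fine to see: a stand-in relay/proxy range and loopback.
KNOWN_RANGES="203.0.113.0/24 127.0.0.0/8"

# Dotted quad -> 32-bit integer (subshell keeps IFS and the positional args local).
ip2int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# in_cidr IP A.B.C.D/N : exit 0 if IP lies inside the prefix.
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Read a message on stdin, unfold header continuation lines, stop at the blank
# line that ends the headers, and print each IPv4 literal seen in Received:.
received_ips() {
    awk '
        /^$/      { if (line != "") print line; line = ""; exit }
        /^[ \t]/  { line = line " " $0; next }
                  { if (line != "") print line; line = $0 }
        END       { if (line != "") print line }
    ' | grep -i '^Received:' \
      | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' \
      | sort -u
}

# IPs from Received: headers outside every known range: candidate origin leaks.
leaked_ips() {
    received_ips | while read -r ip; do
        hit=0
        for cidr in $KNOWN_RANGES; do
            if in_cidr "$ip" "$cidr"; then hit=1; break; fi
        done
        if [ "$hit" -eq 0 ]; then echo "$ip"; fi
    done
}

printf '%s\n' "$SAMPLE_MAIL" | leaked_ips
```

Feed it a real message your site sent (the raw source as the recipient sees it) instead of SAMPLE_MAIL; anything it prints is an address a stranger can read off your mail and try to reach directly, bypassing whatever sits in front of the site.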