Comments
Thanks @stevewatson301 and @Erisa for the follow-up explanation.
Another question, regarding SMTP:
If I use a separate email service (like MXroute), email headers might only reveal their server's IP?
To clarify - I don't think using self-signed certs is as secure. If nothing else, any problems with CA certs verification and/or renewal lets me know there could be another problem with my setup. Just, I can imagine scenarios where revealing the hosting server IP could still be a bad idea, regardless of the above-explained MITM scenario.
AFAIK MXRoute does not reveal the origin IP this way, however IMO your origin should firewall off non-Cloudflare IPs for the HTTPS port.
IMO that's a solved problem though. You can use caddy with the dns.cloudflare plugin enabled, and provide your Cloudflare API key to caddy so that it can fetch and renew certs at the right cadence.
If you are using nginx or apache, you can also use certbot with the DNS-01 challenge like I mentioned above, but there are too many moving components in that setup and honestly it's just that much easier to migrate from nginx/apache to caddy.
All clear - thank you very much.
I mean if your objection is only to cloudflare...
DNS: Google Domains DNS (anycast with Google's network) or DigitalOcean DNS.
CDN: CloudFront (first 1TB is free, very expensive afterward though)
Incoming mail: Selfhosted or ImprovMX
Not sure why you're picking on a single company though...
Having had the distinct joy of defending this site from attacks for the last few years I've got to say that Cloudflare's application layer protections and tools are excellent and have gotten noticeably better the past year.
It's quite clear from the discussions in this thread that not everyone understands how Cloudflare operates and what you can do to safeguard your connections. But ultimately, it does come down to whether you trust Cloudflare or not.
With Cloudflare, you can use Advanced Certificate Manager (ACM) to set up your own Custom Origin Trust Store with your own created CA cert and signed origin SSL certs https://developers.cloudflare.com/ssl/origin-configuration/custom-origin-trust-store/
from inline help for Custom Origin Trust Store dashboard
And if you don't want to pay $10/month for Advanced Certificate Manager (ACM), you can also use Authenticated Origin Pulls, but instead of using the CF CA provided Origin Pull client TLS certificate, you can set up your own custom CA signed client TLS certs and upload those to Cloudflare via API for custom client TLS authenticated origin pull certificate setups https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/#per-hostname--customer-certificates
In either of the above cases, if you set up your own CA and signed client/server TLS certs and authentication to your origin, only legit connections to your origin server would be allowed. Though you'd be responsible for safeguarding your own CA private key etc.
How dare you say that?!!! Those dog and car pics and my-sisters-coiffeur sites must be globally reachable within max 30 ms (in part because they are made creepily bad and are bloated too)!!!
I think most people choose to stay with cloudflare because they're on the Free plan.
Other companies don't offer the Free plan.
There are a few Cloudflare equivalents on the market. You may verify the evaluations and dependability before attempting to use them. Here are your options.
If you self host: time to live and max connections per IP were some of the settings I had to mess with in LiteSpeed. Cloudflare does offer SSL that makes your site look more sexy and secure. And I would configure iptables for a good firewall. Change the port number for your SSH and any other outbound port connections to something higher than 1000. The firewall should drop all ping requests and other packets, only responding on ports 80, 443 etc.
My site is hosted on a LiteSpeed server, so I moved away from Cloudflare and am using the Quic.cloud CDN. However, I use Cloudflare for DNS hosting.
It's rare to get that latency or bandwidth anywhere. Amazon, Cloudflare and a handful of others have multiple 400G ports everywhere. Do you need it? If you don't let your website load hundreds of assets, no one cares about 100ms vs 100x1ms on Cloudflare.
Everyone hugging the same trees is a terrible mistake that only leads to trouble in the end. It doesn't take much effort to configure some (lowend) option, save some money on the way and help decentralize.
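Two posts above describe the same origin-hardening idea from different angles: firewall off everything that is not the CDN for the HTTPS port, move SSH to a high port, and drop pings plus any other unsolicited packet. The following is an added example, written for this thread and not code from any poster or from Cloudflare: it models that ingress policy as an ordered rule list, renders it as iptables/ip6tables commands, and evaluates sample packets against it with first-match semantics so the policy can be sanity-checked before it is loaded on a real box. The CDN_RANGES list is a constructed stand-in (documentation address space); in a deployment it would be replaced by the list Cloudflare publishes and refreshed on a schedule.

```python
"""Offline model of an origin-server ingress policy: HTTP/HTTPS only from a
CDN's published ranges, SSH on a high non-default port, ICMP echo and all
other unsolicited traffic dropped. Renders the policy as iptables commands
and evaluates sample packets against it with first-match semantics."""
from dataclasses import dataclass
from typing import List, Optional, Union
import ipaddress

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample edge ranges (RFC 5737 / RFC 3849 documentation space).
# For a real deployment, substitute the list Cloudflare publishes at
# https://www.cloudflare.com/ips/ and refresh it on a schedule.
CDN_RANGES = ["198.51.100.0/24", "203.0.113.0/24", "2001:db8:100::/48"]


@dataclass(frozen=True)
class Rule:
    action: str                      # "ACCEPT" or "DROP"
    proto: Optional[str] = None      # "tcp", "icmp", or None for any protocol
    dport: Optional[int] = None      # destination port, None for any
    src: Optional[Net] = None        # source network, None for any source
    established: bool = False        # match only replies to our own connections


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dport: Optional[int] = None
    established: bool = False


def build_policy(cdn_ranges: List[str], ssh_port: int = 2222) -> List[Rule]:
    """Ordered INPUT chain; the last rule is the chain's default."""
    if not 1024 < ssh_port < 65536:
        raise ValueError("SSH should sit on a high, non-default port")
    rules = [Rule("ACCEPT", established=True)]
    for cidr in cdn_ranges:
        net = ipaddress.ip_network(cidr, strict=True)
        rules.append(Rule("ACCEPT", "tcp", 80, net))
        rules.append(Rule("ACCEPT", "tcp", 443, net))
    rules.append(Rule("ACCEPT", "tcp", ssh_port))     # admin access on the high port
    rules.append(Rule("DROP", "icmp"))                # no ping responses (IPv4 only)
    rules.append(Rule("DROP"))                        # default: drop everything else
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.established and not pkt.established:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.src is not None:
        addr = ipaddress.ip_address(pkt.src)
        if addr.version != rule.src.version or addr not in rule.src:
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins, exactly as a netfilter chain is walked."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "DROP"


def to_iptables(rules: List[Rule]) -> List[str]:
    """Render as iptables/ip6tables commands (the final catch-all becomes -P).
    The ICMP drop is emitted for IPv4 only: ICMPv6 carries neighbour discovery
    and must not be blanket-dropped on ip6tables."""
    lines = []
    for rule in rules[:-1]:
        if rule.proto == "icmp":
            tools = ["iptables"]
        elif rule.src is None:
            tools = ["iptables", "ip6tables"]
        else:
            tools = ["ip6tables"] if rule.src.version == 6 else ["iptables"]
        for tool in tools:
            parts = [tool, "-A", "INPUT"]
            if rule.established:
                parts += ["-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED"]
            if rule.proto:
                parts += ["-p", rule.proto]
            if rule.dport is not None:
                parts += ["--dport", str(rule.dport)]
            if rule.src is not None:
                parts += ["-s", str(rule.src)]
            parts += ["-j", rule.action]
            lines.append(" ".join(parts))
    lines.append("iptables -P INPUT " + rules[-1].action)
    lines.append("ip6tables -P INPUT " + rules[-1].action)
    return lines


if __name__ == "__main__":
    policy = build_policy(CDN_RANGES)
    print("\n".join(to_iptables(policy)))
    for p in (Packet("198.51.100.7", "tcp", 443), Packet("192.0.2.5", "tcp", 443),
              Packet("192.0.2.5", "icmp"), Packet("192.0.2.5", "tcp", 2222)):
        print(p, "->", evaluate(policy, p))
```

Running the module prints the rendered commands and the verdict for a few constructed packets: a request on 443 from an edge range is accepted, the same request straight to the origin from any other address is dropped (which is what stops a direct-to-origin bypass of the CDN's protections), SSH is reachable only on the high port, and ICMP echo gets no reply. Note that the model's packet evaluator treats "icmp" as IPv4 echo; the rendered ruleset deliberately leaves ICMPv6 alone because IPv6 does not function without it.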
Some providers here even offer fancy things like Anycast