Cloudflare Protection on website?

I own a server, where I started to self-host services back in early 2022. It started as a personal project, but quickly evolved, and currently I have around 75 users. I currently do not have any security, besides fail2ban on supported services and a well-configured nginx reverse proxy.

Most users are from my country, but around 10 of them are international users.
I worry about people trying to DDoS my website, and international users say the speed isn’t as fast as it should be.

My website is VPN, Tor and hardened browser friendly, and I want it to keep being this way.

Cloudflare seems to be able to provide very good security and CDN for international speed, all for free.

What I worry about going Cloudflare:

  • Will they be able to intercept traffic, especially secured traffic such as passwords?
  • Can I keep being VPN, Tor and hardened browser friendly, while using Cloudflare? It seems to create captchas or outright blocking people…
  • How good is Cloudflare’s Privacy Policy?
1 Like

Incomplete answer, hopefully others will add more info:

  1. Yes, Cloudflare would generally be able to read and/or modify all traffic. HTTPS from your users’ browsers terminates at their edge server, as they need to be able to read everything in plaintext to provide their service.

  2. To a certain extent you can remain VPN and Tor friendly. There are rules you can set up in your Cloudflare settings, see for example: GitHub - allow-tor/on-cloudflare: A quick guide on allowing Tor users to visit your site that is behind Cloudflare. More info can be found by searching the web.

  3. Their policy itself reads ok to me personally. Whether they are adhering to it or even allowed to adhere to it, that’s harder to say. Surely as a government, access to Cloudflare traffic would be quite interesting.

You didn’t ask for it, but if you allow, I have some other ideas:

  • You are worried about DDoS, but you didn’t have any issues with it. Maybe you don’t need any protection. How about you keep monitoring and only take measures when necessary?
  • There are alternatives to Cloudflare that are also almost free, especially if you don’t have a ton of traffic. Just as an example: CDN Pricing | Affordable Pay As You Go CDN | bunny.net, but this one is also already kinda big; you might want to look elsewhere.
2 Likes

That’s true, but we also have a Discord, Telegram and SimpleXChat community so users can talk and also receive updates on the services status and news.

We have been raided and spammed on both Discord and Telegram, forcing me to add a moderation bot, which I dislike due to privacy controversies. I think it is only a matter of time before they try something else, targeting the server itself.

Also, the CDN would help with performance for international users, due to caching, unless I’m mistaken.

Ouch, I don’t like the sound of that… Is there any way to change this behavior?

Very good to know it’s possible to still be VPN and Tor friendly, and that they have a fair privacy policy.

As for the other CDNs, I live in an underdeveloped country, and my services include video streaming such as Invidious (YouTube frontend) and Jellyfin (personal streaming service) and cloud storage such as Nextcloud. Most other CDNs are priced per amount of data used, which will end up being a lot…

No, and 6 years ago Cloudflare leaked passwords, encryption keys, cookies, and other secret data from other customers by accident, which demonstrates the risk of putting that trust in the hands of a single entity.

Cloudflare will terminate your account if you use it to cache video streaming or cloud storage. You have to use Cloudflare Stream which is a very expensive product.

I think that the cheapest CDN that I’ve found for video content is Bunny.net’s volume network at $5/TB delivered, which is what I use for PeerTube. That could still be pretty expensive depending on how much data you deliver.

1 Like

Ouch, I don’t like the sound of that… Is there any way to change this behavior?

Think about how a CDN works on a technical level. This is not some specific behavior of Cloudflare, it’s just how the solution you’re asking for works. You want somebody else’s servers getting DDoSed instead of yours? Well then you have to make your users talk to that other person’s servers instead of yours.

Very good to know it’s possible to still be VPN and Tor friendly

As I said, “to an extent” that is possible. In the end, Cloudflare needs to protect itself and what exactly they might end up doing is not up to you, especially if you’re basically a freeloader of their services.

Also, what jonah said is true: if you’re on a free Cloudflare account there might not be hard limits, but that doesn’t mean you’re just free to do as you please. They will obviously drop you if you use too many resources. Especially with a lot of video content, it’s easy to get issues here. The same goes in case you actually get DDoSed a lot. They are probably happy to protect you the first time, but if it keeps happening…

Personally I think a CDN is good for fast delivery of static content. I wouldn’t use it for any dynamic parts of a website. That also solves many of the security / privacy issues. DDoS protection of the application server is something you might also solve with your hosting company, a CDN is not necessary for that.

1 Like

I don’t expect or want to cache video content, only static content such as CSS and images. In this case, am I going to get banned on Cloudflare?

Well that’s pretty bad…

Fair enough, sorry to not have realized that before.

I personally don’t use a hosting company; I have a physical server which I own and which is in my home. Hence why there’s not a lot I can do about it by myself.

If you have some part of your website not behind your CDN, how does it help with DDoS attacks at all at that point? No, you would not get banned for CSS and some images, but this is also most likely not the content that international users would struggle with loading. I mean, I guess it could help a little bit…

OK, let me change the wording, then: your server has some kind of upstream connection. There are some middleboxes / routers in between you and potential attackers. The company that is administering these boxes could help with mitigating attacks. Whether some end-user ISP wants to do that for their non-business customers, yeah, that’s another story.

3 Likes

I know from experience that this is a simple toggle. You can allow it, block it or ask them for a captcha.

2 Likes

Stopped reading at this line in the article, sorry

Summary

Supposedly Cloudflare helps to stop “distributed denial of service” DDoS attacks, which is the bullshit justification that websites owners will give

2 Likes

Hey guys, did not notice this thread had been revived.

Well, in the past few months, I’ve added features on my website that Cloudflare Free just doesn’t support, such as Git cloning over SSH and a Minecraft server. Cloudflare ain’t an option anymore.

I have contacted my ISP and they said they cannot provide any protection to my network besides the ISP-provided router “firewall” (which is $15 garbage).

I’m looking for other ways to protect my connection. I’m actively considering getting a cheap VPS and SSH tunneling my server there. Maybe there’s another option, I’m open to suggestions!
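One concrete form of the VPS-plus-SSH-tunnel idea above, as an added example written by the editor and not from any poster in this thread; it assumes a VPS named vps.example.net, a dedicated tunnel user, and nginx with the stream module on the VPS. It goes a little beyond the post by relaying raw TCP (so TLS still terminates at home, unlike a CDN edge) and by passing the real client address through with the PROXY protocol so fail2ban on the home server keeps working.

```shell
#!/bin/sh
# Added example (not from any poster): a home server behind a cheap VPS via a
# reverse SSH tunnel, so only the VPS address is public. The VPS relays raw TCP,
# so TLS still terminates at home, unlike a CDN edge. Assumed names: VPS host
# "vps.example.net", tunnel user "tunnel", loopback ports 8080/8443 on the VPS.
VPS_HOST="vps.example.net"
TUNNEL_USER="tunnel"
PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYPLACEHOLDERKEY tunnel@home"  # constructed

# (1) VPS ~tunnel/.ssh/authorized_keys: "restrict" disables everything, then only
# remote listeners (-R) on the two chosen ports are re-enabled for this key.
authorized_keys_entry() {
  printf 'restrict,port-forwarding,permitlisten="8080",permitlisten="8443" %s\n' "$PUBKEY"
}

# (2) VPS sshd_config: no TTY/agent/X11 for the tunnel user, remote forwards only.
# GatewayPorts stays at its default, so the listeners bind 127.0.0.1 on the VPS.
sshd_config_block() {
  cat <<'EOF'
Match User tunnel
    AllowTcpForwarding remote
    PermitTTY no
    AllowAgentForwarding no
    X11Forwarding no
EOF
}

# (3) VPS nginx (stream module): public 80/443 -> tunnel endpoints as plain TCP.
# proxy_protocol carries the real client IP; without it the home nginx and fail2ban
# see every visitor as 127.0.0.1 (home side: "listen 443 ssl proxy_protocol;",
# "set_real_ip_from 127.0.0.1;", "real_ip_header proxy_protocol;").
nginx_stream_block() {
  cat <<'EOF'
stream {
    server { listen 443; proxy_pass 127.0.0.1:8443; proxy_protocol on; }
    server { listen 80;  proxy_pass 127.0.0.1:8080; proxy_protocol on; }
}
EOF
}

# (4) Home server: the tunnel itself, kept alive by systemd or autossh.
# ExitOnForwardFailure turns a stale listener on the VPS into a restartable exit.
tunnel_command() {
  opts='-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3'
  fwd='-R 127.0.0.1:8443:127.0.0.1:443 -R 127.0.0.1:8080:127.0.0.1:80'
  printf 'ssh %s %s %s@%s\n' "$opts" "$fwd" "$TUNNEL_USER" "$VPS_HOST"
}
```

The home server's own nginx keeps serving HTTPS exactly as before; the VPS never holds the certificate or private key.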


This is probably the best option for at-home hosting.