Why I Use Cloudflare For DNS, Firewall & More
I first started using Cloudflare when I was sick of being up nights and weekends fending off scrapers and bots from a large e-commerce site. Most of the time it wasn't super malicious traffic, but just bots (and our web marketing company lol) scraping the site at busy times and slowing Magento down. And Russians.
These were my friends:
tail -f /var/log/httpd/ssl_access_log | cut -d' ' -f1 | logtop
iptables -I INPUT -s 162.158.158.88 -j DROP
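A batch version of that workflow, added here as an example and not taken from the original post: it counts requests per client IP from access-log lines and prints candidate block rules for review instead of running them. The function names, the threshold, the allow-list argument and the sample log lines (documentation-range addresses) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: offline take on `cut -d' ' -f1 | logtop` plus rule generation.

# Constructed sample access-log lines (documentation-range IPs, not real traffic).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /p/1 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /p/2 HTTP/1.1" 200 512
198.51.100.20 - - [10/Oct/2023:13:55:02 +0000] "GET /feed HTTP/1.1" 200 90
203.0.113.99 - - [10/Oct/2023:13:55:02 +0000] "GET /p/1 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /p/3 HTTP/1.1" 200 512
198.51.100.20 - - [10/Oct/2023:13:55:03 +0000] "GET /feed HTTP/1.1" 200 90
192.0.2.45 - - [10/Oct/2023:13:55:04 +0000] "GET / HTTP/1.1" 200 1024
203.0.113.99 - - [10/Oct/2023:13:55:04 +0000] "GET /p/2 HTTP/1.1" 200 512
garbage line without an address
EOF
}

# top_clients THRESHOLD [ALLOWED_IP...]
# Reads log lines on stdin and prints "count ip", busiest first, for every
# IPv4 client with at least THRESHOLD requests. Allow-listed addresses
# (a known partner scraper, your own monitoring) are never reported.
top_clients() {
    threshold=$1; shift
    awk -v t="$threshold" -v allow=" $* " '
        # Count only lines whose first field looks like an IPv4 address;
        # malformed lines and IPv6 clients are ignored in this sketch.
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n[$1]++ }
        END {
            for (ip in n)
                if (n[ip] >= t && index(allow, " " ip " ") == 0)
                    print n[ip], ip
        }' | sort -k1,1nr -k2,2
}

# block_rules: turn "count ip" lines into iptables commands.
# It only prints them so a human can review before applying anything.
block_rules() {
    while read -r count ip; do
        printf 'iptables -I INPUT -s %s -j DROP   # %s requests\n' "$ip" "$count"
    done
}

sample_log | top_clients 2 198.51.100.20 | block_rules
```

To use it on a real log, feed the file in place of `sample_log`, for example `top_clients 500 < /var/log/httpd/ssl_access_log`, with a threshold suited to the site's normal traffic.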
Then we had a proper DDOS attack and it was a real ballache to defend against, so I stuck Cloudflare between the dirty internet and our nice Magento web server, and their Web Application Firewall (WAF) was instantly awesome. Stupid traffic disappeared, and all these tools I had scraped together with scripts, .htaccess files, Apache rewrites, etc. were replaced by one dashboard.
I think of Cloudflare now as doing nearly everything that sits in front of the server.
Domains
I now use Cloudflare to purchase domains, because they are cheaper than Namecheap, and all DNS is routed and managed through them anyway. I like having things in one place.
DNS
SSL
Cloudflare provides SSL certificates and makes it easy to enforce SSL. You can generate the private and public keys with them, save them and then push them onto the server and reference them in your server config. I have started using just NGINX, moving away from Apache, so my config looks like:
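server {
    # HTTPS only, on IPv4 and IPv6
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name sebday.co.uk;
    root /var/www/html/;
    index index.html;

    # Certificate and private key generated in Cloudflare and copied to the server
    ssl_certificate /etc/ssl/sebday.co.uk.pem;
    ssl_certificate_key /etc/ssl/sebday.co.uk.key;

    # Pass /docs/ through to a local service on port 8080
    location /docs/ {
        proxy_pass http://localhost:8080/;
        proxy_redirect off;
    }
}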
I used to use two page rules in Cloudflare to force all traffic to www and https.
Now I just enable full (strict) in the SSL settings.
Firewall
You can set rules to lock down IPs, bypass their cache, block or allow user agents, etc., all through their super simple dashboard.
WAF
You need a paid Cloudflare account for their WAF, but that seems fair considering all the above can be had for free (I even transferred domains to them, extending their life by a year for free).
DDOS / Flood Protection
If someone wants to scrape, flood, spam or DDOS your website, Cloudflare has some serious heavyweight hardware to mitigate attacks.
https://www.cloudflare.com/en-gb/learning/ddos/ddos-mitigation/
Caching
Once you start scaling a web stack, caching and site speed become even more important. For $200 a month you can get their full caching services, minus some image optimisation that I think is better done on the server anyway.
Setting up the multiple layers of caching on a web stack is complex. Cloudflare makes edge caching super easy and improves site speed.
Analytics
You get excellent dashboards with traffic breakdowns.
Conclusion
Cloudflare provides, for free, some very important and useful services required to run a web server. Cloudflare + a cloud hosting provider is enough to get a full web stack with every feature you could need.