Stop Using Cloudflare
1. It is a GIANT man-in-the-middle (MITM).
2. Their DDoS protection is not that good.
3. You are contributing to a centralized Internet.
@selea can you recommend an alternative? Preferably something from this list https://doc.traefik.io/traefik/https/acme/#providers so I might actually have the energy to switch.
@selea No but yes. Let's Encrypt has DNS challenges and at the moment Traefik is dealing with those using Cloudflare's API. I think. I really don't actually know, nor do I want to at the moment.
As I understand it, in order for me to get away from Cloudflare, a DNS service is exactly what I need in this situation.
@JonossaSeuraava@layer8 I think @selea meant CF in their role as CDN, not as DNS provider. That's two different parts of the puzzle. Then there's also CF the DNS resolver, which is yet another piece.
IMO, the CDN and DNS resolver are the problematic bits, since that's centralizing things into a black box for users.
@selea I can't use some "important" sites, because strict privacy settings within Firefox blocks cloudflare.
Also some sites only work partial, because Google APIs are also blocked.
We need to get back to a decentralised web! Also, for people keeping up with central CDNs: Firefox now also has separated caches. They just don't work the way people still think.
Not really, actually: using a CDN to deliver static content is way different from sending credentials via a third party.
@selea I'm having enough trouble trying to convince people that Amazon and Google might not have their best interests at heart. I don't think I'll ever get around to red-pilling people on CloudFlare, unfortunately 😩
oh, it's in the docs: https://support.cloudflare.com/hc/en-us/articles/204144518-SSL-FAQ
I didn't care too much for cloudflare until I read this.
That's kind of huge though. I can't wrap my head around why this is the only architecture possible, but if someone pitched me the idea of MITMing their users, I'd say that it will never fly.
Intuitively, it's just not a valid SaaS model. I'd say that they're better off selling their classifiers for active use in their customers' load balancers.
But sadly the world is the way it is. :D
@jonn "can't wrap my head around why this is the only architecture possible"
Because what CF does is:
- receive request from client.
- decrypt request.
- check whether it's a "malicious one" or not.
- forward request to origin.
Due to how the protocol works, they *need* to decrypt the traffic to check its content and check whether it's legit traffic or malicious traffic.
@finlaydag33k well, sure, but they could just as well sell NGINX modules that do it the other way around with the same latency, together with an active queue solution for operation under DDoS conditions.
Of course, MITM'ing is easier, but I'm genuinely surprised people subscribe to this MO.
@jonn That'd also become an issue because now CloudFlare doesn't know where to forward the data to (the "host" header is also encrypted when using HTTPS).
So then, the only way would be to directly forward the traffic to the server...
Which then has to _still_ process the traffic (both legit and malicious) at which point, the entire purpose of CloudFlare would be nullified.
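The exchange above turns on whether a front-end proxy can route TLS traffic to the right origin without holding the origin's private key. One relevant mechanism (an added example, not code from any poster in this thread) is the Server Name Indication (SNI) extension: in TLS 1.2 and TLS 1.3 the ClientHello, including the SNI host name, is sent in cleartext before any encryption starts, unless the client uses Encrypted Client Hello, so a proxy can pick the upstream from it. What it cannot do is inspect the encrypted request body or headers, which is the part the WAF-style "check" step in the posts depends on. The ClientHello bytes, host names and routing table below are constructed for the example; `build_client_hello`, `extract_sni` and `route_by_sni` are names chosen here, not any project's API.

```python
"""Route TLS connections by the cleartext SNI of a ClientHello, without decrypting anything.

Added example: builds a minimal ClientHello (constructed sample, not a real capture),
then parses the SNI host_name out of it the way an SNI-based passthrough proxy would.
"""
import struct
from typing import Dict, Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Build a minimal TLS ClientHello record (constructed; not emitted by a real client).

    Layout follows RFC 5246 / RFC 6066: record header, handshake header, client_version,
    random, session_id, cipher_suites, compression_methods, extensions.
    """
    exts = b""
    if hostname is not None:
        name = hostname.encode("idna")                       # A-label form on the wire
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    sv = b"\x02\x03\x04"                                     # supported_versions: TLS 1.3
    exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    body = (
        b"\x03\x03"                                          # client_version (TLS 1.2 legacy)
        + b"\x11" * 32                                       # random, fixed for determinism
        + b"\x00"                                            # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\x13\x02"         # two cipher suites
        + b"\x01\x00"                                        # compression: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _u16(buf: bytes, pos: int) -> int:
    if pos + 2 > len(buf):
        raise ValueError("truncated field")
    return int.from_bytes(buf[pos:pos + 2], "big")


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name of a ClientHello record, or None if the client sent none.

    Raises ValueError for anything that is not a well-formed ClientHello (e.g. plaintext HTTP,
    a truncated record), so a proxy can drop such connections before touching any origin.
    """
    try:
        if len(record) < 5 or record[0] != TLS_HANDSHAKE:
            raise ValueError("not a TLS handshake record")
        hs = record[5:5 + _u16(record, 3)]
        if len(hs) < 4 or hs[0] != CLIENT_HELLO:
            raise ValueError("not a ClientHello")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        if len(body) != int.from_bytes(hs[1:4], "big"):
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                         # skip client_version + random
        pos += 1 + body[pos]                                 # session_id
        pos += 2 + _u16(body, pos)                           # cipher_suites
        pos += 1 + body[pos]                                 # compression_methods
        if pos == len(body):
            return None                                      # legacy client: no extensions at all
        ext_end = pos + 2 + _u16(body, pos)
        pos += 2
        if ext_end > len(body):
            raise ValueError("extensions overrun body")
        while pos + 4 <= ext_end:
            etype, elen = _u16(body, pos), _u16(body, pos + 2)
            edata = body[pos + 4:pos + 4 + elen]
            if len(edata) != elen:
                raise ValueError("truncated extension")
            pos += 4 + elen
            if etype == EXT_SERVER_NAME:
                p, end = 2, 2 + _u16(edata, 0)
                while p + 3 <= end:
                    name_type, nlen = edata[p], _u16(edata, p + 1)
                    name = edata[p + 3:p + 3 + nlen]
                    if len(name) != nlen:
                        raise ValueError("truncated server name")
                    if name_type == 0:
                        return name.decode("ascii")
                    p += 3 + nlen
        return None
    except IndexError as exc:
        raise ValueError("truncated ClientHello") from exc


def route_by_sni(record: bytes, table: Dict[str, str]) -> Optional[str]:
    """Pick the upstream for a connection from its SNI alone; None means 'no route, drop'."""
    host = extract_sni(record)
    return table.get(host) if host is not None else None


if __name__ == "__main__":
    origins = {"bbs.example.org": "10.0.0.5:443", "blog.example.org": "10.0.0.6:443"}  # constructed
    print(route_by_sni(build_client_hello("bbs.example.org"), origins))   # 10.0.0.5:443
    print(route_by_sni(build_client_hello(None), origins))                # None
```

The point for the thread: a proxy built this way never sees the HTTP request, so it can forward, rate-limit or drop per origin name on a cheap packet path, but it cannot classify request content the way the decrypting design can.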
@finlaydag33k forwarding packets is orders of magnitude cheaper than processing, and the number of round trips would be the same.
The only problem really is that it's not drop-in and has upfront expense of processing packets.
@jonn Well, think of it like this:
- CF receives
- CF decrypts
- CF checks
- CF forwards
- You process request
The first 3 steps don't cost the origin any resource at all.
Now imagine running it as an Nginx module:
- You receive (either with or without forward from CF)
- You decrypt
- You send to CF
- CF checks
- CF sends results
- You check results
- You process request
Now you have a few additional steps that *do* cost you resources in order to know whether to continue.
@jonn So basically you already did some grunt work in order to know whether someone is malicious or not...
So the attacker still wastes your resources.
They need a bit _more_ in order to take you out but still can take you out the same way.
CloudFail tries to prevent this by filtering *before* forwarding so your origin can spend all of its time processing legit requests.
@finlaydag33k but in the current arch, after "- You process request" comes forwarding back to CF, who relays to the client, making it exactly the same number of round trips except for an extra re-encryption step for the server (with O(1) processing, say, "strip request body").
@jonn You forget that round trips aren't the issue here, it's the fact that the origin can still relatively easily be attacked.
If your origin has to do any processing on malicious requests, the purpose of cloudfail is nullified.
@selea Cloudflare is just one more example of how the internet needs to be utterly decentralised. We don't need Silicon Valley and its like. The internet should be absolutely peer-to-peer, an unmediated utility!
@iankenway I don't think going fully P2P will be the solution either, since it's difficult to do...
Think about stuff like authentication/authorization, that'd be a pain if everything was fully P2P...
@iankenway I don't know much about it... but how does it handle user authentication? how does it handle authorization (eg. only accounts with a certain role have access to certain things)?
It's probably nice for "simple" sites that don't use any of that... but for sites that do, it can likely become a mess quite quickly...
Just assumption though...
@selea it would be interesting if there was a better equivalent service. I have a BBS with a Web front end that I'm forced to front with CF to block shitty bots, and I have to have the security settings really high. For DNS I use he.net but started to look at desec.io to favour EU solutions over US conglomerates.
How can you use Cloudflare without using their DNS service?
You could just actually block all bots, or manually block the malicious ones.
@selea I have to use their DNS for the BBS domain. Manually I don't really have time for, and that's not even counting all the ones that smash the telnet ports. That's why I'm stuck with Cloudflare to be harsh on Web users; it's rather good at it even though as a whole it's unsavory.
What do you need?
You have Let's Encrypt, any web server/reverse proxy, any DNS provider/DNS software, basically.
@selea their DDoS protection beats anything else at the price - which is conveniently $0.
I agree that their monopoly is dangerous though.