1. 23

  2. 40

    I work for Cloudflare as a developer. We have sales people who get in touch with users who should be upgrading, but this is generally done with million-dollar enterprises, not $20 blogs. Breaking sites with no explanation and pissing users off is not our upsell strategy.

    I think in this case support was right — bot management has misfired. It’s a spam filter for traffic, so mistakes can happen. They have no reason to lie to you. If they wanted you to buy a paid plan, they’d say so.

    1. 19

      OP here. This article generated some attention and traffic. The claims contained in it are incorrect. After another contact with CF support, it turned out that the Bot Fight Mode behaves differently for Free and PRO plans. That’s what caused the instant improvement after upgrading. Another way to resolve the issues I was experiencing would have been to disable the bot fight mode altogether or add a custom page rule disabling it. My website never experienced any traffic throttling. I’ve decided to remove the article, to stop spreading the misinformation about CF services.

      1. 4

        Thanks for following up and being transparent.

      2. 15

        There’s no such thing as a free lunch!

        Anyway, what’s the purpose of Cloudflare anyway? Rent a server in a good datacenter and pay for a DDoS-plan if you’re so inclined. Too many websites use Cloudflare and give it too much power over what content can be seen on the internet. Using Tor? Blocked. Coming from an IP we don’t like? Blocked. Javascript disabled? Sorry, but you really need to fill out this Captcha.

        On top of that, it’s one giant MITM and I am seriously shocked this hasn’t been discussed much more intensely. It would be trivial (if it hasn’t happened already or was the whole purpose of this shebang) for a five-eye-agency to wiretap it.

        The NSA et al. don’t like that more and more traffic is being encrypted. It would be a great tactic of them to spread mindshare about Cloudflare about it being almost essential and at least “good to have” for every pet-project. “Everybody loves free DDoS-protection, and Google has it too!”

        1. 19

          Anyway, what’s the purpose of Cloudflare anyway?

          The purpose is that they’re a CDN

          Rent a server in a good datacenter and pay for a DDoS-plan if you’re so inclined.

          This doesn’t replicate a CDN

          On top of that, it’s one giant MITM and I am seriously shocked this hasn’t been discussed much more intensely. It would be trivial (if it hasn’t happened already or was the whole purpose of this shebang) for a five-eye-agency to wiretap it.

          I don’t know about you, but the threat model for my personal website (or indeed a professional website) does not include defending against the intelligence services of my own government (“Five Eyes”). That is a nihilistic security scenario and not one I can really take seriously.

          For my money, I think the author of TFA has (wildly) unrealistic expectations of a free service. I’m only sorry that Cloudflare have to put up with free tier customers loudly complaining that they had a problem and needed to make at least a notional contribution in order to get it resolved.

          1. 9

            Sure, it doesn’t have to fit your threat model but by using Cloudflare you’re actively enabling the centralization of the web.

            1. 10

              In my defense I must say that I am merely passively enabling The Centralisation of The Web, at most, as I have formed no opinion of it and am taking no special action either to accelerate it or reverse it, whatever it is.

              1. 3

                What’s a good, existing, decentralized solution to DDoS protection?

                1. 1

                  Not necessarily good, but very much existing and decentralized, is IPFS. Comprises quite a bit more of the stack than your standard CDN; nevertheless, it has many of the same benefits, at least as far as I understand it. There’s even a sort of IPFS dashboard (it’s FOSS!) that abstracts over most of the lower-level steps in the process.

                  If you are at all dismayed that the current answer to your question is “nothing”, then IPFS is definitely one project to keep an eye on.

                  1. 2

                    Ironically, one of the first results when googling about how to set up IPFS is hosted on… Cloudflare:

                    https://developers.cloudflare.com/distributed-web/ipfs-gateway

            2. 18

              Cloudflare’s S1 filing explains how it makes money from free users. Traffic from free users gives Cloudflare scale needed to negotiate better peering deals, and more cached sites save ISPs more money (ISPs prefer to get these free sites from a local Cloudflare pop, instead of across the world from aws-us-east-1).

              1. 7

                I’m digging for the blog post that references this, but Cloudflare in a past RCA has said that their free tier is, essentially, the canary for their deployments: changes land there first because it is better to break someone who isn’t paying for your service than someone who is.

                (FWIW, I don’t think this is a bad thing; I’m more than happy to let some of my sites be someone else’s guinea pig in exchange for the value Cloudflare adds.)

                E: Found it!

                https://blog.cloudflare.com/details-of-the-cloudflare-outage-on-july-2-2019/

                If the DOG test passes successfully code goes to PIG (as in “Guinea Pig”). This is a Cloudflare PoP where a small subset of customer traffic from non-paying customers passes through the new code.

                1. 4

                  Yes, free users sometimes get releases earlier. However, the PIG set is not all free customers, but only a small fraction. In this case “non-paying” meant “owes money”.

              2. 3

                Have to agree. Besides, their preloading page in front of websites is really annoying and I wouldn’t use that for the sake of UX. Each time I get one, I just bounce instead of waiting 5 secs.

              3. 4

                I think the title is misleading, it should be: “Why you should never use Cloudflare Free CDN Plan for your business”. I cannot understand why the author is making a business using free tiers.

                1. 4

                  The end of the article mentions:

                  They mention that a free plan is for projects that “aren’t business-critical”.

                  And the author talks about how his business was affected. While I agree with the article that Cloudflare should be more transparent and explicit about what limits exist, maybe a better title would be: “never use Cloudflare CDN for your business”, otherwise it’s clickbait.

                  1. 2

                    It does not seem to me that any of what happened to the person couldn’t happen to a non-business private project as well.

                    1. 2

                      I think the point is that the argument is disingenuous in the sense that probably a good amount of non-business private projects would never reach the limit, but benefit from CDN services offered.

                      Just because one user had a bad experience, it doesn’t mean that you shouldn’t ever use the offer from Cloudflare.

                  2. 4

                    I just upgraded christine.website to the Pro plan to be on the safe side.

                    1. 1

                      I only use Cloudflare for their DNS hosting and the markup-free registrar. For real CDN uses, there is BunnyCDN.