CloudFlare, a light behind the storm

Because your requests are tired of timing out.

HTTP 408

Denial of Service (DoS) attacks overwhelm servers with massive volumes of requests, and they are on the rise. In September of last year, DNSimple suffered a significant attack. At the time I worked for a company we’ll call “Company X”.

Company X used DNSimple, and so suffered an availability issue that lasted all day. The attack targeted the DNS provider, not Company X’s own servers, but with the domain’s nameservers unreachable nobody could resolve the site, so the effect was the same as if the servers were down. It was a particularly bad day for this to happen: we had just rolled out new features, and customers had been promised deliverables. The DoS caused an outage for internal personnel as well as external users.

After DNSimple recovered, Company X wanted a way to improve the availability and security of its web applications. This post outlines what CloudFlare is, what it offers, and the path I recommend when moving websites onto this amazing service.

Get a handle on your traffic

CloudFlare launched in 2010, so it is relatively new. To summarize it in seven words: it’s a type of reverse proxy service. CloudFlare’s servers sit between a website and its visitors. The domain’s DNS points at CloudFlare; when a user contacts the domain, a CloudFlare server fetches the content from the original server (the origin) and delivers it to the user from CloudFlare’s own network. This gives domain owners (and CloudFlare) a lot of control over what is done with that traffic.

CloudFlare caching can significantly accelerate your website and saves bandwidth on the origin server. The cached data is served from CloudFlare’s globally distributed delivery network, so users typically reach a CloudFlare data center on their own continent, which further reduces load and latency. Page speed is a ranking signal, so a faster site also helps your SEO. Rich analytics give administrators a view of the overall traffic characteristics.

CloudFlare request analytics

Security is CloudFlare’s other primary concern. Its network protects domains by identifying abnormal traffic and stopping it before it reaches the origin server, and its edge network is one of the largest on the Internet. Bad browser signatures, suspicious request timing, and known attack networks are just a few of the signals CloudFlare uses to pick the bad apples out of the bunch. A substantial amount of bot and spam traffic reached Company X’s network, so this was a big selling point. One caveat: the filtering only applies to traffic that actually passes through CloudFlare. If the origin’s IP address can be discovered (an unproxied DNS record for the same host, a stale record in someone’s cache, an outgoing mail header), an attacker can connect to the origin directly and bypass the protection entirely, so the origin should only accept connections from CloudFlare’s address ranges or, better, from CloudFlare’s client certificate (see Authenticated Origin Pulls below).

A map of attack sources

Changing a domain’s nameservers can take a full 24 hours to propagate across the Internet, because resolvers cache the old delegation until it expires. A definite advantage of CloudFlare is that DNS record changes made after migrating onto the service take effect almost immediately: the change is live on CloudFlare’s authoritative servers as soon as you save it, and CloudFlare serves records with short TTLs by default, so resolvers pick the change up within minutes instead of waiting out a change of delegation.

Coin

CloudFlare is free for most uses. If you’re a business and need a web application firewall, real-time statistics, or advanced DDoS protection, there are paid plans for that. They can be found here: https://www.cloudflare.com/plans

Migrating

Initially moving to CloudFlare is simple:

1. Build a complete list of the DNS records currently served by your nameservers: A, AAAA, CNAME, MX, TXT, SRV and anything else, including records for subdomains nobody remembers. Export the zone file if your provider allows it.

2. Create a CloudFlare account.

3. Add the site you wish to move. CloudFlare scans for common record names and automatically adds the public records it finds.

4. Customize the general domain settings.

5. Compare the imported records against your list from step 1 and add any records the scan missed. Unusual subdomain names, SRV records and TXT records for verification or SPF are the usual casualties. For each record decide whether it should be proxied through CloudFlare (orange cloud) or DNS-only; mail, FTP and other non-HTTP services must be DNS-only.

6. Add and customize any additional subdomain settings.

7. Change the nameservers at the domain registrar to the pair CloudFlare assigns you.

8. Wait for propagation. Keep the old zone live at the previous provider until resolvers have picked up the new delegation, so users still hitting the old nameservers get correct answers.
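Steps 1 and 5 are where migrations go wrong, so here is a small script that does the comparison mechanically. It is an added example, not code from the original post or from CloudFlare: it parses two BIND-style zone snapshots (the old provider’s export and the zone CloudFlare imported), lists records the import missed, and flags records that still reveal the origin’s IP address to anyone who would rather skip the proxy. The domain, addresses (RFC 5737 documentation ranges) and record sets are constructed for the example; the parser is deliberately minimal and assumes one record per line.

```python
import re
from collections import namedtuple

Record = namedtuple("Record", "name type rdata")


def parse_zone(text, origin):
    """Parse BIND-style zone text ('name [ttl] [IN] type rdata') into a set
    of Records. $ORIGIN lines update the origin; $TTL, comments (;) and
    blank lines are skipped. Names are lower-cased and fully qualified so
    two exports with different TTLs or origin handling still compare.
    Toy parser: one record per line, no ';' inside TXT strings."""
    records = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0].upper() == "$ORIGIN":
            origin = parts[1].lower()
            continue
        if parts[0].startswith("$"):
            continue
        name = parts.pop(0).lower()
        if parts and parts[0].isdigit():        # optional TTL
            parts.pop(0)
        if parts and parts[0].upper() == "IN":  # optional class
            parts.pop(0)
        rtype = parts.pop(0).upper()
        rdata = " ".join(parts)
        if name == "@":
            name = origin
        elif not name.endswith("."):
            name = f"{name}.{origin}"
        records.add(Record(name, rtype, rdata))
    return records


def missing_records(old, new):
    """Records in the old zone that the CloudFlare import did not pick up."""
    return sorted(old - new)


def origin_leaks(records, proxied_names, origin_ips):
    """Records that expose an origin IP outside the proxied web hosts: an A
    record for an unproxied name (ftp, a forgotten 'direct' name) or a
    TXT/SPF record listing the address. Each one lets an attacker connect
    to the server directly and bypass CloudFlare."""
    ip_re = re.compile(r"(?<![\d.])(" + "|".join(map(re.escape, origin_ips)) + r")(?![\d.])")
    leaks = []
    for rec in records:
        if rec.type == "A" and rec.rdata in origin_ips and rec.name not in proxied_names:
            leaks.append(rec)
        elif rec.type == "TXT" and ip_re.search(rec.rdata):
            leaks.append(rec)
    return sorted(leaks)


# Constructed sample data: the old provider's export ...
OLD_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@         IN A   203.0.113.10
www       IN A   203.0.113.10
ftp       IN A   203.0.113.10
staging   IN A   203.0.113.11
direct    IN A   203.0.113.10
mail      IN A   203.0.113.20
@         IN MX  10 mail.example.com.
@         IN TXT "v=spf1 ip4:203.0.113.20 ip4:203.0.113.10 -all"
_sip._tcp IN SRV 10 5 5060 sip.example.com.
"""

# ... and what CloudFlare's scan of common names found.
CF_ZONE = """\
; imported by the automatic scan
$ORIGIN example.com.
@    300 IN A   203.0.113.10
www  300 IN A   203.0.113.10
ftp  300 IN A   203.0.113.10
mail 300 IN A   203.0.113.20
@    300 IN MX  10 mail.example.com.
@    300 IN TXT "v=spf1 ip4:203.0.113.20 ip4:203.0.113.10 -all"
"""

ORIGIN_IPS = {"203.0.113.10"}                    # the web origin (constructed)
PROXIED = {"example.com.", "www.example.com."}   # names that will be orange-clouded


def migration_report(old_text, new_text, origin="example.com."):
    old, new = parse_zone(old_text, origin), parse_zone(new_text, origin)
    return {"missing": missing_records(old, new),
            "leaks": origin_leaks(new, PROXIED, ORIGIN_IPS)}


if __name__ == "__main__":
    report = migration_report(OLD_ZONE, CF_ZONE)
    print("Add these records to CloudFlare (step 5):")
    for r in report["missing"]:
        print(f"  {r.name} {r.type} {r.rdata}")
    print("These still reveal the origin; move the service or renumber it:")
    for r in report["leaks"]:
        print(f"  {r.name} {r.type} {r.rdata}")
```

The report lists staging, direct and the SIP SRV record as missing, and flags the unproxied ftp host and the SPF record as origin leaks. The fix for a leak is not to proxy FTP or mail (that cannot work); it is to put those services on an address other than the web origin, or at least to firewall the origin so only CloudFlare can reach port 80/443.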

Configuring

CloudFlare can be customized extensively; it gives administrators the opportunity to tune how it delivers content. Caching can be unpredictable at first as you learn how CloudFlare serves your website. If your user base has unusual traffic patterns, aggressive initial security settings may challenge or block legitimate users. In my case, I needed to offer a solution that would cause zero setup problems while we moved over to the service.

Most importantly, we needed to maintain uptime, so I disabled the powerful features of CloudFlare during the move, and slowly turned them on while I watched for issues.

I recommend the following initial settings, which have the least potential impact on users:

Crypto settings:

1. Set the SSL mode you want and import any SSL certificate your domain already employs. Avoid “Flexible”: it terminates TLS at CloudFlare and talks plain HTTP to your origin, so users see a padlock while the back half of the connection is unencrypted. Use “Full”, or “Full (strict)” once the origin has a certificate CloudFlare can validate.

2. HSTS set to disabled. Browsers cache HSTS for the max-age you send, so leave it off until every host under the domain serves HTTPS; it cannot be undone quickly.

3. Authenticated Origin Pulls set to off. Turn it on once the cutover is stable and configure the origin to require CloudFlare’s client certificate; until then anyone who learns the origin IP can bypass the proxy.

4. TLS 1.2 Only set to off, so clients that only speak older TLS versions keep working during the move; revisit this once you have seen the traffic.

Firewall settings:

1. The security level set to “Essentially off”.

2. Challenge passage TTL set to 1 hour.

3. Advanced DDoS protection set to off.

4. Basic protection level set to “Essentially off”.

Speed settings:

1. Auto Minify (JavaScript, CSS, HTML) all unchecked.

2. Polish set to off.

3. Mirage set to off.

4. Rocket Loader set to off.

5. Mobile Redirect set to off.

6. Response Buffering set to off.

7. Prefetching URLs from HTML headers set to off.

Caching settings:

1. Caching Level set to Standard.

2. Browser Cache Expiration set to 1 day.

3. Always online set to on.

ScrapeShield settings:

1. Email address obfuscation set to off.

2. Server side exclude set to off.

3. Hotlink protection set to off.
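The dashboard toggles above map one-to-one onto CloudFlare’s zone-settings API, which makes the “start safe, harden gradually” approach reproducible. The following is an added example (mine, not code from the post or from CloudFlare): it encodes the cutover profile above, a hardened profile to move towards, and applies them one setting per PATCH request so each change can be watched on its own. The setting ids and values follow the v4 API as I recall it, so verify them against https://api.cloudflare.com before relying on them; the hardened values, the ZONE_ID/token placeholders and the use of an API token for authentication are my assumptions. With the default dry_run=True nothing is sent.

```python
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"

# Cutover profile from the post: nothing that rewrites pages, challenges
# visitors or changes TLS behaviour at the edge; basic caching stays on.
# Ids/values per the v4 zone-settings API as I recall them (assumption).
SAFE_PROFILE = {
    "ssl": "full",                       # never "flexible": edge->origin would be plain HTTP
    "security_header": {"strict_transport_security": {"enabled": False}},
    "tls_client_auth": "off",            # Authenticated Origin Pulls
    "min_tls_version": "1.0",            # the old "TLS 1.2 Only" toggle, off
    "security_level": "essentially_off",
    "challenge_ttl": 3600,               # seconds
    "minify": {"css": "off", "html": "off", "js": "off"},
    "polish": "off",
    "mirage": "off",
    "rocket_loader": "off",
    "mobile_redirect": {"status": "off", "mobile_subdomain": "", "strip_uri": False},
    "response_buffering": "off",
    "prefetch_preload": "off",
    "cache_level": "aggressive",         # shown as "Standard" in the dashboard
    "browser_cache_ttl": 86400,          # 1 day, in seconds
    "always_online": "on",
    "email_obfuscation": "off",
    "server_side_exclude": "off",
    "hotlink_protection": "off",
}

# Where to end up once the cutover has been quiet for a while (my choices).
HARDENED_OVERRIDES = {
    "ssl": "strict",                     # validate the origin certificate
    "tls_client_auth": "on",             # origin can then reject direct connections
    "min_tls_version": "1.2",
    "security_level": "medium",
    "security_header": {"strict_transport_security": {
        "enabled": True, "max_age": 31536000, "include_subdomains": True, "nosniff": True}},
    "minify": {"css": "on", "html": "on", "js": "on"},
    "email_obfuscation": "on",
    "hotlink_protection": "on",
}


def rollout_steps(current, target):
    """One (setting_id, value) change per step, so each can be applied and
    observed on its own instead of flipping everything at once."""
    return [(sid, value) for sid, value in target.items() if current.get(sid) != value]


def apply_setting(zone_id, setting_id, value, token, dry_run=True):
    """PATCH one zone setting. Returns the (url, body) that was, or with
    dry_run would have been, sent; raises if the API reports failure."""
    url = f"{API}/zones/{zone_id}/settings/{setting_id}"
    body = {"value": value}
    if not dry_run:
        req = urllib.request.Request(
            url, data=json.dumps(body).encode(), method="PATCH",
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            result = json.load(resp)
        if not result.get("success"):
            raise RuntimeError(f"{setting_id}: {result.get('errors')}")
    return url, body


def apply_profile(zone_id, profile, token, dry_run=True):
    """Apply every setting in a profile; returns the list of requests."""
    return [apply_setting(zone_id, sid, val, token, dry_run) for sid, val in profile.items()]


if __name__ == "__main__":
    zone = os.environ.get("CF_ZONE_ID", "ZONE_ID")   # placeholder, not a real zone
    token = os.environ.get("CF_API_TOKEN", "")
    for url, body in apply_profile(zone, SAFE_PROFILE, token, dry_run=True):
        print("PATCH", url, json.dumps(body))
    print("later, one step at a time:")
    for sid, value in rollout_steps(SAFE_PROFILE, HARDENED_OVERRIDES):
        print(" ", sid, "->", json.dumps(value))
```

Run it with dry_run to review the exact requests before cutover, then apply SAFE_PROFILE; the rollout_steps list is the checklist for the following days, one setting per change, each followed by a look at the analytics and the error logs before the next.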

HTTP 200

Company X started by using CloudFlare essentially as a DNS provider. Their staging websites were moved first so we could observe the results. Depending on how many DNS records there are, implementing all of this can take less than 15 minutes if you have a plan.

It should be mentioned that CloudFlare is not the end game for security or performance. CloudFlare can’t fully protect your site against application-level attacks like cross-site scripting or SQL injection: the web application firewall blocks known attack patterns, but the application still has to validate its input and use parameterized queries. It is also not a replacement for server-side caching. CloudFlare does what it advertises very well, and provides another layer on top of everything you’re already doing.

Using CloudFlare can give your web applications faster loading and better response times with little effort. It offers an affordable security and performance solution with a quick setup and, if the cutover is planned, no downtime. Be the white knight at your organization, and start using CloudFlare.

J