Well, technically I didn’t move anything, I just moved the nameservers the domain used from Azure to Cloudflare, but at least I’ve done part, so I am technically at Cloudflare’s mercy… 🙂
For those who haven’t heard about Cloudflare, they host some of the best cloud DDoS protection features on the market. They are also known for their CDN and the DNS service 188.8.131.52, and the best part is that they are always working on making the internet go faster! A bonus treat for us techies is that they have a set of great technical blogs, such as this one –> https://blog.cloudflare.com/sockmap-tcp-splicing-of-the-future/
Another great thing is that for bloggers like myself they also have a free service which allows you to host a site behind their service.
So how does their service work? Well, it is quite easy. Before I moved my site, all the traffic to my WordPress site went directly to a public IP address hosted in West Europe in Azure, so regardless of where the traffic came from, it needed to contact the same IP that was registered in DNS for msandbu.org. Now that I have moved my site to Cloudflare, it is essentially routing all traffic through their different PoPs around the world (which is essentially a CDN, but a lot more advanced). So now, depending on where in the world you are visiting my site from, you get an IP address based on geo-based DNS and are routed along an optimized path over Cloudflare’s own network. So you can think of Cloudflare as a huge reverse proxy solution, just with hundreds of different entry points. You can see where they have datacentres here –> https://www.cloudflare.com/network/
And with this they are essentially masking the public IP address that my server actually has.
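The masking only holds for hostnames whose DNS answers are Cloudflare addresses; any record in the same zone that still points straight at the server gives the origin address away. The following Python check is an added example, not part of the original post: it audits a set of DNS answers for your own zone against a snapshot of the ranges Cloudflare publishes at https://www.cloudflare.com/ips/. The function names, the `example.org` hostnames and the `203.0.113.10` origin address are constructed placeholders.

```python
import ipaddress

# Snapshot of the ranges published at https://www.cloudflare.com/ips/.
# Assumption: refresh this list before relying on it, it changes over time.
CLOUDFLARE_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]


def behind_cloudflare(address):
    """True if the address belongs to one of the Cloudflare edge ranges."""
    ip = ipaddress.ip_address(address)
    # Membership is False when the IP version differs from the network's.
    return any(ip in net for net in CLOUDFLARE_RANGES)


def audit_zone(answers):
    """Return the A/AAAA answers that bypass the proxy and expose a server."""
    exposed = []
    for name, rtype, value in answers:
        if rtype in ("A", "AAAA") and not behind_cloudflare(value):
            exposed.append((name, rtype, value))
    return exposed


# Constructed sample: what a public resolver would answer for each name.
SAMPLE_ANSWERS = [
    ("example.org", "A", "172.67.10.20"),
    ("www.example.org", "A", "104.16.1.10"),
    ("www.example.org", "AAAA", "2606:4700::6810:10a"),
    ("ftp.example.org", "A", "203.0.113.10"),   # DNS-only record, not proxied
    ("example.org", "MX", "mail.example.org"),  # mail cannot go through the proxy
    ("mail.example.org", "A", "203.0.113.10"),
]

if __name__ == "__main__":
    for name, rtype, value in audit_zone(SAMPLE_ANSWERS):
        print(f"{name} {rtype} {value} is not a Cloudflare address")
```

Records flagged this way are candidates for proxying, removal, or moving to a separate host, and the origin firewall can additionally be limited to the same ranges.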
An example to show the difference between my poor old website and the new one
Now as part of Cloudflare’s service they also have a bunch of other features. Not all are part of the free package: some are enabled by default and some require an upgraded package. Looking at the feature list, they provide much of the same capabilities as an ADC vendor does, but all the services are essentially click and enable.
- DNS Registrar – Allows you to add more records to the configured domain name
- DNSSEC – Enable DNSSEC for domains which are configured by Cloudflare
- Enforce SSL Encryption – Enforce SSL if you, for instance, have a website which is not HTTPS enabled
- HTTP –> HTTPS Redirect
- HSTS – Automatically enables HSTS for all visitors.
- Enforce minimum TLS level – Determine the minimum TLS level that should be used for connections; also supports TLS 1.3
- Firewall Rules – Allows you to block or challenge a specific visitor with either a JS challenge or even a CAPTCHA page, for instance if they are coming from a specific country or going to a specific URL.
- HTTP Rate limiting – protects against various types of malicious attempts, such as denial-of-service and brute-force login attacks
- HTTP DDoS Protection – will determine which visitors will be presented with a JS challenge page
- IP Access Rules – Simple IP access rule list such as an ACL
- User Agent Blocking – Handling User Agent blocking
- Unmetered DDoS Mitigation – Cloudflare’s network is built to mitigate large DDoS attacks and can help mitigate and protect against many DDoS attacks. Cloudflare has a track record of defeating DDoS attacks, including attacks above 500 Gbps
- Zone Lockdown – Limit access to certain URLs
- Auto Minify – Automatically reduce the file size of source code on the website.
- Polish – Improve image load time by optimizing images hosted on the domain
- Enable Brotli – Brotli is also a compression algorithm, which can be used instead of gzip.
- Enable HTTP/2 – Allows Cloudflare to act as an HTTP/2 Gateway between users and your site.
- IPv6 Compatibility – Allows Cloudflare to act as an IPv6 Gateway to your site.
- WebSockets – Cloudflare can also act as a WebSocket Gateway.
They also provide other services such as Argo, Load Balancing, Video Streaming and Custom Pages (such as IP Block, 404 Block, DDoS Block Page and so on), but to save the best for last, they have a pretty good analytics dashboard which shows a lot of insight, including information that Google Analytics can’t see, since they can see both the DNS traffic and the actual traffic.
And as stage two of this, I will take a closer look at using Terraform against Cloudflare for automation.