Overview
Cloudflare’s core business has been to provide a Content Distribution Network (CDN) and Web Application Firewall (WAF) service with global connectivity. They’ve since expanded with dozens of extra tools and apps, but this remains the core use we see for most websites. The marketing spiel is good, but there are a number of items to consider before using the product.
Considerations
Access within Australia may be slower
CDNs love to tout the fact that they’re able to speed things up, but this assumes a worst-case scenario and in many instances doesn’t take Australia into account. Conetix already partners with iseek, which has one of Australia’s largest and most diverse networks, for our core network connectivity.
In the case of Cloudflare, the Free and Pro plans will be slower for all Telstra, TPG and Optus customers due to their ongoing dispute about data charges (which started over 8 years ago). This dispute punishes Cloudflare customers, as they get inferior routes via Singapore, meaning the site will be slower compared to being served directly by Conetix. As these Internet Service Providers (ISPs) are the largest providers in Australia, this can have a considerable performance impact for Australian customers.
Pages aren’t cached
Even though static media will be held locally by their CDN, the web pages themselves (e.g. your WordPress homepage) aren’t cached. This is because they’re considered dynamic content and therefore not cacheable. As a result, Cloudflare doesn’t negate the need for proper page caching within WordPress (or similar) Content Management Systems (CMSs).
The Free WAF isn’t enough
While Cloudflare talks a lot about security, most of the features aren’t available in the Free plan. Up until March this year, they weren’t available at all to free users. We’ve found that despite the claim that the Managed Ruleset is available, it’s simply not enough to prevent even something as basic as a brute force login attack.
To limit brute force attacks, you need to enable rate limiting. While only a minor cost, it is an additional cost, and it takes additional time to configure.
Proxied IP addresses bypass our network protection
Because connections from a malicious script are sent through Cloudflare rather than directly from the hacker or exploited website, there’s no way for our systems to block them at the network level: from a network perspective, we simply see a connection from Cloudflare’s network, not from the end user.
Conetix uses advanced Next Generation Firewalls (NGFWs) with Intrusion Prevention Systems (IPSs) to drop malicious traffic based on IP reputation, as well as analysing each packet to determine whether it matches an existing, known exploit request.
Some customers therefore see an increase in attacks and brute force attempts when they enable Cloudflare, as these protections no longer apply. For Managed WordPress customers, we run Imunify360 on each server to reinstate this protection, as well as providing another layer of protection for non-Cloudflare customers.
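The effect described in this section, and the rate limiting mentioned under "The Free WAF isn't enough", can be shown together in code. The following is an added example written for this article; it is not Conetix's, Cloudflare's or Imunify360's code. It restores the visitor's address from Cloudflare's CF-Connecting-IP header only when the TCP connection actually comes from a trusted proxy range (TRUSTED_PROXY_PREFIXES is a constructed placeholder using a documentation range; a real deployment would load Cloudflare's published IP ranges and keep them refreshed), then applies per-client login rate limiting. The replayed traffic is constructed sample data. Keying the limit on the raw peer address instead collapses every visitor onto the proxy's own address, which is exactly why per-IP protections stop working once a site sits behind Cloudflare.

```python
"""Attribute requests to the real client behind a proxy, then rate-limit logins per client.

Added example (not Conetix's, Cloudflare's or Imunify360's code).
Assumptions, labelled here and in comments:
  * TRUSTED_PROXY_PREFIXES is a constructed placeholder using the TEST-NET-3 range;
    a real deployment would load Cloudflare's published IP ranges and refresh them.
  * CF-Connecting-IP is the header Cloudflare adds carrying the visitor's address.
  * All traffic below is constructed sample data.
"""
import ipaddress
import time
from collections import deque

# Constructed placeholder: stand-in for the proxy's published address ranges.
TRUSTED_PROXY_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def client_ip(remote_addr: str, headers: dict) -> str:
    """Return the address a request should be attributed to.

    The CF-Connecting-IP header is honoured only when the TCP peer is inside a
    trusted proxy range. Otherwise any direct client could forge the header and
    make per-IP blocking or rate limiting attribute its traffic to someone else.
    """
    peer = ipaddress.ip_address(remote_addr)
    if any(peer in net for net in TRUSTED_PROXY_PREFIXES):
        lowered = {k.lower(): v for k, v in headers.items()}
        claimed = lowered.get("cf-connecting-ip", "").strip()
        try:
            return str(ipaddress.ip_address(claimed))
        except ValueError:
            pass  # missing or malformed header: fall back to the peer address
    return str(peer)


class LoginRateLimiter:
    """Sliding-window limiter: at most `limit` attempts per `window` seconds per key."""

    def __init__(self, limit: int = 5, window: float = 60.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock  # injectable so behaviour is deterministic in tests
        self._attempts = {}  # key -> deque of attempt timestamps

    def allow(self, key: str) -> bool:
        """Record an attempt for `key` and report whether it is within the limit."""
        now = self.clock()
        q = self._attempts.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()  # drop attempts that have aged out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Constructed traffic, all arriving from one proxy edge address (203.0.113.10):
# six login attempts from 198.51.100.7, then one from a legitimate user at 192.0.2.5.
SAMPLE_ATTEMPTS = [("203.0.113.10", {"CF-Connecting-IP": "198.51.100.7"})] * 6 + [
    ("203.0.113.10", {"CF-Connecting-IP": "192.0.2.5"})
]


def replay(attempts, restore_client_ip: bool, limit: int = 5) -> dict:
    """Replay attempts through a fresh limiter and count allowed/blocked per key.

    With restore_client_ip=False the limiter keys on the TCP peer, which behind a
    proxy is always the proxy itself. Returns {key: [allowed, blocked]}.
    """
    limiter = LoginRateLimiter(limit=limit, clock=lambda: 0.0)
    counts = {}
    for peer, headers in attempts:
        key = client_ip(peer, headers) if restore_client_ip else peer
        counts.setdefault(key, [0, 0])[0 if limiter.allow(key) else 1] += 1
    return counts


if __name__ == "__main__":
    print("peer-keyed:  ", replay(SAMPLE_ATTEMPTS, restore_client_ip=False))
    print("client-keyed:", replay(SAMPLE_ATTEMPTS, restore_client_ip=True))
```

Run as a script it prints the two outcomes side by side: keyed on the peer address, the legitimate user's single attempt is blocked because the six earlier attempts all looked like the proxy; keyed on the restored client address, only the source of the repeated attempts is throttled. The trusted-range check is the important part: a server-side tool such as a web server's real-IP module or a host firewall is only safe to point at CF-Connecting-IP when it also verifies the connection came from the proxy, since the header is otherwise trivially forgeable.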