Use Cloudflare #957
Comments
|
I'm open to this. How does it really protect us, though? What's to prevent an attacker from discovering and hitting our origin servers directly? |
|
I fully understand the issue as described here by Cloudflare: https://blog.cloudflare.com/ddos-prevention-protecting-the-origin/
The issue can be solved by following all the tips mentioned in the Cloudflare article and then blocking all incoming traffic except for Cloudflare traffic. |
|
It's going to be hard to follow all of those tips and keep our origin IPs secret. For example, we're hosted on Heroku, which means we have a CNAME at http://gratipay.herokuapp.com/. We would need to change our app name at Heroku, and keep that a secret, to prevent a loophole.
If we can do this effectively, then why try keeping origin IPs secret at all? |
|
For me, the benefit besides CloudFlare's security has always been their DNS management, speed optimizations, IPv6 Proxy, and caching.
For me it's DNS first and then it adds on some useful features. |
|
I fully agree with @clone1018, CloudFlare's security features are just the tip of the iceberg when it comes to things Gratipay could benefit from. |
|
What's the cost? cc: @nobodxbodon |
|
Right. So what would the cost be for us? :-) |
|
Free! I've reviewed the full feature list and I don't see anything we could benefit from that is worth the $20 |
|
I'm fine with it. Do you need anything from me? |
|
The important thing for me is properly testing it on a non-production domain. Maybe spin up a dev gratipay on heroku with it's own domain? Since this change effects DNS and HTTP, our production website could go down very easily. |
|
I'm going to let you and @EdOverflow work on this. Ping me if you get stuck on something I can help with! :-) |
|
We now have TLS from Let's Encrypt in gratipay/gratipay.com#4327, and CloudFlare has a bit of a black eye in gratipay/gratipay.com#4351. We already have a CDN for caching cacheable content, and DNS does not feel to me like a pain point right now. I don't see that CloudFlare has any value for us. |
One thing that Cloudflare is really good at is protecting against DDoS attacks. |
|
Is that a priority for us right now? |
|
Maybe not a priority, but nevertheless important. We could prevent h1:203366. |
|
After reading Troy Hunt's article on Cloudbleed I believe it is time to give Cloudflare a go. On top of that, h1:203366 was reported to us about a month ago and I do not want to keep the researcher waiting any longer. @whit537 and @clone1018 recommended we start with a non-critical domain first before experimenting with https://gratipay.com. |
|
I'm -1 on CloudFlare, because the only named benefit so far is DDOS prevention, and I don't see that as a priority for us. There are other solutions to h1:203366 than CloudFlare. |
|
In fact, I'm going to go ahead and close this for now. I've followed up on H1 for that specific issue. |
I would like to discuss whether we should start using Cloudflare. Here is an article by Troy Hunt on how and why he uses Cloudflare: https://www.troyhunt.com/cloudflare-ssl-and-unhealthy-security-absolutism/
What is Cloudflare?
The text was updated successfully, but these errors were encountered: