4w ago

People using Cloudflare, are you still happy with it? Would you consider any self-hosted alternative?

cross-posted from: https://discuss.online/post/30840627

Genuine question, so please don't be mean to whoever responds. Better to learn than to judge.
Curious if people who are on Cloudflare are considering any selfhosted alternatives? If not, interested to hear what is a deal breaker in regards to using a service besides Cloudflare. I do hear a lot of praise for Cloudflare when facing DDOS, and always happy to learn more!

36 comments

Yup, happy. A 3 hour outage once in a blue moon really isnt a big deal. Especially when I pay $0.
I host a website for my partners business, and as I pointed out to them, while their website is down right now, so is everyone else's, so not really losing customers.
- So, are you using a domain you've registered for the site with cloudflare?
  
  I bought a domain from NamesCheap for less than $5 USD, and used the Cloudflare issued nameservers. Cloudflare does not require you to purchase a domain through them, but they do require you to use their nameservers for obvious reasons.
  
  Yes. I bought the domain through them, to keep it all nice and simple.
- I wasn't really inconvenienced by the outage. I got up to check a couple things that morning, saw apps were not responding, checked Cloudflare's status page and noticed things were a bit wonky. So we'll drop back to our trick back and rock on for the time being. At the very least, we'll use the tried and true 192.168.1.110:7575...old school before everything is as nice as it is now.
  
  I have all my domains on my pihole pointed to the local address, so I only noticed when my uptime monitoring of the external sites started pinging me. But for me, the outage was at 10pm, so it really didn't matter either way.

You might be misunderstanding the value-add of a CDN to self-hosting, so here's my attempt at explaining:
I've been self-hosting things for a very long time. In the old days, we would wrangle our routers to expose port 80 for HTTP (and later, port 443 for HTTPS) and forward those connections to the self-host server and then add the appropriate DNS records to point our website domain to our home IP address (which was its own fun challenge when ISPs refused to give static IP addresses for home plans). Relatively simple.
However, in recent years (especially after the pandemic) the internet has become a much more hostile place. People find vulnerabilities in your nginx/caddy/apache or whatever reverse proxy you use (or router, or any one of the many other parts of your network/software stack) gain access to your local network and your personal data. And then there are bad actors doing DDoS attacks or AI crawlers generating DDoS levels of incoming requests to overload your hardware.
All that combined means it's very dangerous to have your home IP exposed to the internet (allowing any sort of inbound requests) at all.
So, how do we access our self-hosted stuff while we're outside of home? The safest approach is to use a VPN. Tailscale is the most popular one that I've come across. Only client devices that are connected to the VPN have access to your stuff. Random bad actors can't poke your self-hosted stack for vulnerabilities.
Okay, what if you want to share something with people publicly? I for one, use Immich for my photo libraries and it's very easy to be able to share a link to an album for friends and extended family to access without having to install and configure a VPN on their phones.
That is where cloudflare comes in. We can run cloudflared on our machine, which makes an outbound request to cloudflare and creates a tunnel to route all the incoming requests from their servers to your reverse proxy. Your network is still not exposed to the internet, and the edge nodes (the machines that actually front the incoming traffic from the clients) are not owned by you.
Now, I guess it's feasible to rent a VPS on DigitalOcean/OVH/Azure/AWS and run a Tailscale exit node there to achieve a similar result. I haven't looked too deeply into Pangolin but it looks kind of similar. Now you're adding extra work to keep those configured correctly (and up-to-date), is less secure because you're not doing that full time (unlike the engineers at cloudflare) and you're still dependent on that VPS provider to not go down, so the disaster recovery profile hasn't changed all that much.
That's why there's no self-hosted alternatives to a CDN. I guess you can go with their competitors like Fastly/Akamai/etc, but all of them are considerably more expensive. And even the ones that do have free tiers have data limits or bill per gigabyte. That's an extra headache to worry about for that one month your mother decides to take 1000 videos of your son during the family vacation and her phone automatically backed up all of them at full-quality.
- More eloquent than anything I could conjure up. In the 'at least it's not Cloudflare' column, how do you feel about https://ngrok.com/ or similar? I've never explored those avenues, but from what I hear, ngrok is fairly popular.
  
  ngrok isn’t just for development.
  That's news to me lol. I've personally only used them for development so I can't tell you how good they are for running production services.
  I just looked at their pricing page and it looks like the Free and Hobbyist only include 1GB and 5GB of data, respectively. I've never actually measured my data usage because Cloudflare gives unlimited data, but I suspect that's nowhere near enough for a photo sharing app like Immich.
- Yep, simply wondering what you think about it. Thanks, so the CDN is what you find hardest / impossible to replace without paying more from a similar service.
  
  I did it more for the security aspect, but as @MinFapper@startrek.website points out, there are many advantages. The AI crawlers, the bad actors, et al make even the free tier worth considering. Don't go in blindly tho. Do some searching and reading and make up your own mind.

A few hours of downtime in all the years I’ve been using them? That’s a better record than my actual services have.
- A lot of people underestimate what cloudflare does and while it was a massive incident in scale minuscule compared to others recent ones other large companies have had

There's not a way to self host what cloudflare does though
- What about Pangolin? Or, are you thinking of other aspects?
  
  That's only one very small component of what cloudflare does.
  We were affected by the recent issues and spent some time working out alternatives to all the features we use. It was daunting....
  
  You might want to be more specific, cloud flare has a lot of different products, and you're getting answers with differing assumptions.
  For the self hosted focus, I use tail scale already, and when (not if) that company gets shitty, I will switch to head scale, or a competitor, or straight wire guard (plus firewall etc).
  But I also run web sites on cf, and there's no real alternative, definitely not for free. I don't have hundreds of millions to spend on the CDN part, for starters.
  
  Cloudflare is a massive cdn, so it's point is to front end traffic not just doing routing.
  The problem is to get anything close to cloudflare you'd need massive scale and networking ability.
  Like self hosting containers or vms. There's a point you have to go to the cloud

People using Cloudflare, are you still happy with
Absolutely happy with Cloudflare Tunnels/ZeroTrust. Yes, I realize all the pros and cons. There are some good points made on both sides of the fence. Do I think it makes me less of a selfhoster? Nah. I don't really have any interest in pedantic, hair splitting, of definitions. Cloudflare isn't all that I use tho. I use Tailscale on my stand alone pFsense firewall, and on the server itself as an overlay layer of protection. I also use Duckdns in conjunction with LetsEncrypt on my VPS, however, I wanted something that I felt was more secure on my homelab, and Cloudflare fit the bill.
That is not to say I am in this blindly. If at some point Cloudflare, or any other service I use, doesn't suit it's purpose anymore, I can always move on to something else. Monitor, and make choices based on those observations. We should do that with any service, software, opensource or closed source anyways.
- Same here.

I moved my setups to Pangolin and placed it on a VPS and then just have been using it since and is about the same as I could run it with a CDN such as Cloudflare. I know Cloudflare has better security with things but I also use Crowdsec which has been nice for keeping most things away. I host my email through Mxroute so it's never an issue. While Cloudflare has been very stable for years, this last outage didn't affect me like it would have, although I'm just use the stuff or my purposes.
I left Cloudflare because I was ready to move away from there and found that Pangolin offered what I was looking for. No hard feelings either way toward Cloudflare at all.
- Pangolin
  I will say that Pangolin is pretty tight. It combines a lot of the things you would normally have to deploy separately. Nice package.

I self-host only private stuff, so there was never a need for anything like cloudflare.
- I am the only user of my network. I don't host any publicly, forward facing services. After reviewing a lot of options, I settled on Cloudflare for the homelab and on the VPS I use Caddy, Tailscale, Crowdsec, and a few other pieces to make me sleep better at night. LOL

Never used it nor never will, I want my infra to be as independant as possible, and also fuck internet centralisation and fuck corpos
- Not trying to get into a pissing contest, or twist your arm into anything...however, honest question: What do you consider your ISP? Centralized or no? I mean, there are only around 10 to 15 major Tier-1 backbone ISPs that I know of, everyone else contracts with them. There are about 12–14 true Tier-1 backbone providers that form the core of the global Internet, and a few dozen additional very large backbone networks (Tier 2) that also carry massive amounts of international internet traffic.
  
  Yes, and in fact I am collaborating in a neighborhood project for the implementation of a local ISP. Obviously you are right, with the way the internet is built it is inevitable to depend on some centralized systems out of reach, I cannot lay a submarible cable xD. But other than in cases of absolute need, where there is really no alternative, I want an internet more like it was before I was born, just people communicating using local infra, not Internet Monsantos
- So I've done public DNS zone hosting and you can use let's encrypt for certs and such, but
  What about caches? I basically use to reduce load and network traffic reduction before it gets to me so I don't have to run my own varnish cache and get regional caching to reduce repeat cross country calls for people on the other coasts.
  What do you use for DDOS protection?
  Basically, cloudflare is free, and i get all that. If I find another place better, I'm open to jumping ship.
- What would you recommend for someone wanting the same?

Yeah, I'm still pretty happy with my set up. My workplace is locked down, apart from the regular web. So if I want to access my self-hosted Code Server or FreshRSS or Calibre Web instance I have to do it through standard port 443. I run everything through Cloud Flare tunnels so scrapers and bots aren't constantly hammering my home broadband connection. (Edit: fixed a word.)

36 comments