Cloudflare – Potentially Mindblowing e-Commerce CDN Solution

I first heard about Cloudflare when they presented at TechCrunch Disrupt. I am not writing about every startup that presented there, just a couple that caught my eye as likely to have a significant impact for my readers.

Cloudflare combines distributed DNS, website security, and a distributed Nginx-powered reverse proxy (for static content) that acts as a caching proxy and content delivery network, with some additional tracking and reporting ability.

That is a whole load of technology but what this means to you is:-

On average, a website on CloudFlare …
… loads 30% faster
… uses 60% less bandwidth
… has 65% fewer requests
… is way more secure
All for free!

This is how your website is normally exposed on the web.
Cloudflare Illustration

You are in direct line of fire for everything that can possibly be thrown at it.

With Cloudflare you have an intelligent doorman in the way, only allowing through certain requests. Some high-volume menial tasks, such as answering the door to the postman and deliveries of groceries, get handled by the caching proxy/CDN. Unlike a normal CDN, the URL for any file doesn’t have to change, so it is very much as if you had set up a reverse proxy with Nginx or Squid yourself and assigned the traffic to a media server.

cloudflare illustration 2

Simple Setup

The basic setup is fairly straightforward and only requires changing your nameservers. It is only as complicated as your initial setup, so if you have a little bit more going on (Google Apps, domain keys etc.), it looks more complicated, but those records actually get bypassed.

CloudFlare (Private Beta) - DNS Settings

There are also some extended settings

CloudFlare (Private Beta) - CloudFlare Settings

I haven’t explored these too much, but there are some things to be careful about with a blog. As an example, some services such as feed readers often pull images directly and thus might be blocked by any hotlinking prevention.

There are some interesting options for identifying geolocation and content obfuscation from certain types of visitors, though that doesn’t mean they are designed for cloaking content from search engines.

This is also where you assign security level with the recommendation being to use high security. You could look on the security as being a little similar to Bad Behavior, though with a CAPTCHA. I wonder if they have thought of monetizing the CAPTCHAs?

Security

The threat control is pretty interesting in that it can block web spammers, botnet zombies and exploit attackers of various types, and that is just with the free version.
The team has a lot of pedigree in this area as they were behind Project Honeypot. With the CAPTCHA, and I believe also a message facility, there is a very effective safety net in case of false positives, which do happen, though some bots caught by mistake, such as Googlebot, won’t fill in CAPTCHAs. I noticed today some discussion about Google’s sitemap crawler being blocked, and some suggestion of lower crawl by Google resulting from this.

CloudFlare (Private Beta) - Threat control

In many ways Cloudflare could be looked on as an extension or next generation Project Honeypot, with the additional bribe of actually providing active protection and a huge bribe by caching content.

Analytics

The analytics features look quite interesting as an aggregate view.

CloudFlare (Private Beta) - Analytics

They mention why the numbers might seem so much higher than JavaScript stats, though they don’t mention browsers pre-fetching content, which is fairly standard these days.

Cloudflare seem to (or claim to) have knocked a second off my load time, though from what I have read that is based on the load time of the home page from another server in various locations.
Overall performance and relative performance will depend on what other optimization you are using.

I am currently using:-

W3 Total Cache Enhanced static page cache to disk
W3 Total Cache Database Cache using APC
W3 Total Cache Object Cache using APC
Autoptimize for combining/minification of CSS/jscript
Header & Footer – I discovered this gets added after Autoptimize has done its thing, so useful for adding things that I don’t necessarily want cached such as tracking stuff I am testing.
Cloudflare effectively as my only CDN (though I have an Amazon Cloudfront/S3 and a few other alternatives)

I could possibly improve performance a bit by locally caching lots of javascript, combining/minifying and then having it loaded from the CDN, but there is a lot of bug checking.

I don’t use APC for page caching as I found, at least on my Liquid Web Storm On Demand server, that it was a lot slower for time to first byte.

Advanced Setup

You will initially hit problems with IP referrals and your server logs – the ideal solution is to install “mod_cloudflare” on your server.

There is also this alternative (one of 2) for dealing with just the referrer within WordPress, but this won’t fix your server logs.
You would add this to wp-config.php

if ( !empty($_SERVER['HTTP_X_FORWARDED_FOR']) )
{
    // The header is a comma-separated list of addresses
    $X_FORWARDED_FOR = explode(",", $_SERVER['HTTP_X_FORWARDED_FOR']);
    $_SERVER['REMOTE_ADDR'] = trim($X_FORWARDED_FOR[0]); // take the first element in the array
}
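
A stricter variant of the snippet above, as an added example that is not from the original post: X-Forwarded-For is an ordinary request header that any client can set, so this version only honours it when the connection itself comes from a trusted proxy range, and it reads the list right to left. The CIDR values are documentation placeholders and the function names are hypothetical.

```php
<?php
// Added example, not from the original post. The CIDRs are documentation
// placeholders: replace them with the ranges your reverse proxy publishes.
const TRUSTED_PROXY_CIDRS = ['192.0.2.0/24', '2001:db8::/32'];

// True when $ip lies inside $cidr (works for IPv4 and IPv6).
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable address or mixed address families
    }
    $full = intdiv((int) $bits, 8); // whole bytes covered by the prefix
    $rem  = (int) $bits % 8;        // leftover bits in the next byte
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) return false;
    if ($rem === 0) return true;
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

function is_trusted_proxy(string $ip): bool {
    foreach (TRUSTED_PROXY_CIDRS as $cidr) {
        if (ip_in_cidr($ip, $cidr)) return true;
    }
    return false;
}

// Address to treat as the visitor for this request.
function resolve_client_ip(string $remoteAddr, ?string $xff): string {
    if ($xff === null || !is_trusted_proxy($remoteAddr)) {
        return $remoteAddr; // not from the proxy: the header is untrusted input
    }
    // Each proxy appends the peer it saw, so walk the list right to left.
    foreach (array_reverse(explode(',', $xff)) as $hop) {
        $hop = trim($hop);
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) break; // malformed entry
        if (!is_trusted_proxy($hop)) return $hop; // first address no proxy vouches for
    }
    return $remoteAddr;
}

if (isset($_SERVER['REMOTE_ADDR'])) {
    $_SERVER['REMOTE_ADDR'] = resolve_client_ip(
        $_SERVER['REMOTE_ADDR'],
        $_SERVER['HTTP_X_FORWARDED_FOR'] ?? null
    );
}
```

In wp-config.php, drop the opening tag and use this in place of the shorter snippet; like that snippet, it does not change what the web server writes to its own logs.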

Security For Premium Content

This isn’t a secure solution for paid membership sites – you might be better using a real CDN which can either domain lock or generate one time links.

I haven’t actually tried it with video yet.

Mindblowing for e-Commerce

If you are using an e-Commerce platform such as Volusion or BigCommerce which charges you a fortune for bandwidth, but you have control of your Nameservers and DNS this is the most amazing product / solution you will ever find.

Ideally you would go for the pro version with better security and performance which for most e-Commerce stores would likely be just $20/month. The savings for many store owners would be $80+ per month.
Then without messing around with remote hosted image hosting you can have CDN performance and a massive reduction in bandwidth excess fees.

This isn’t the only reason people face extra fees on services such as Volusion and BigCommerce, but it is a major one, and the extra performance and killing the bots makes it a best in class solution.

For further reading I came across this great post comparing the performance of various technology blogs earlier while doing some testing.
TechCrunch: The slowest tech blog, or one of the fastest? Turns out, it’s both.

p.s. I get to use Cloudflare for free, but everyone can – no barter deals for links & currently they don’t have an affiliate program.

Note: This is beta – there seem to be some problems with some bots currently – most notably Googlebot seems to be having a few problems with this service, and my crawl rate dropped by 90% and time to index a page more than doubled. I have currently switched back to my normal nameservers and a conventional CDN.


Comments

  1. Herbert says

    Hey nice information, never thought about just a high secure tools exist, was wondering does it work with all the version of wordpress blogs? would appreciate your concern about my question, would also like to know about does it support the various plugins which are already installed on the blog.

  2. says

    Thanks Andy for the tip. I’ve signed up to Cloudflare and will give it a spin. I’m only using it for my blog as opposed to e-commerce but will be interesting to see if performance and security improves.

  3. says

    Content Delivery Networks are excellent and they can help a lot. I’m also using one, though not CloudFlare. I’ve used Akamai until a few days ago, when I switched to MaxCDN.

  4. Juan - Mba Mba says

    This looks really interesting. I’m wondering how the analytic capabilities compare to that of say Google analytic.

  5. says

    Andy,

    I have shared your article with Cloudflare and they just replied to the note at the end of your article:

    This was actually an issue we worked with Google to correct & is now fixed.
    While I don’t want to bore you with the details on this one, we did put 100%
    focus into getting this resolved with Google.

    Still my site was down for 45 minutes until I noticed and they asked me if I am hosting on Media Temple and here is what they told me:

    “They might be throttling our IP addresses because it might look like a DDoS attack to them (we’ve been in contact with them).

    If you find value with CloudFlare, however, we would recommend contacting
    them with the following:

    Ask them to whitelist our IP addresses below when connecting to your
    network. You can tell them that you are operating behind a reverse proxy and
    the correct visitor IP will be reported by the X-Forwarded-For header, which
    they can use for abuse detection…”

    I told them that it is their duty to do that and they replied:

    “If someone should communicate with MediaTemple with requests such as you
    have told me, that should be done from your company and not from your
    customers.”

    I canceled my Pro memberships and will rethink before I will go into all that again.

  6. says

    “This is beta – there seems to be some problems with some bots currently – most notably Googlebot seems to be having a few problems with this service and my crawl rate dropped by 90% and time to index a page more than doubled – I have currently switched back to my normal nameservers, and a conventional CDN”

    The google bot issue is now resolved (we worked very hard with Google to resolve the matter).

    The page loads should be better now that Amsterdam is fully up and running.

    • says

      I think the onus is on you to prove that things have improved.

      It is great that you have fixed some problems, but most of your customers weren’t aware of the problem that their sites might not be crawled, and then you seem to be making light of your explanation and how things should be fixed by the customers.

      The majority of your customer base will be people on lower end hosting, or hosting providers that are charging an astronomical amount for bandwidth with no way to use a CDN to reduce the bandwidth consumption.

      Issues buried away on a wiki or in your support section rather than a public facing blog are like sweeping them under a table.

      Also the majority of your mainstream users will not be able to compile “mod_cloudflare” and the WordPress hacks aren’t going to help with mod_security issues.