Thx for explaining. I’m not sure if I’m willing to do the same trade-offs. Supposedly their WAF is very good and quite some people use it. Probably for a good reason… It just comes at a hefty price. I’m doing selfhosting to emancipate myself, stay independent and in control. I’m not sure if becoming dependent on a single large company and terminating my encryption on their servers that do arbitrary magic and whatever with my packets is something that aligns with my ethics.
Comment on How I accidentally slowed down my nextcloud instance for months
chiisana@lemmy.chiisana.net 9 months ago
Security.
Cloudflare handles a very large amount of traffic and sees many different types of attacks (think CSRF, injections, etc.). It is unlikely that you or me will be individually targeted, but drive-bys are a thing, and thanks to the amount of traffic they monitor, the WAF will more likely block out anything and patch before I’m able to update my apps on 0 days.
Also, while WAF is a paid feature, other free features, such as free DDOS attack protection, help prevent other attacks.
It’s a trade off, sure; they’re technically MITM’ing your traffic, but frankly, I don’t care. Much like no one cares to target/attack me individually, they aren’t going to look at my content individually.
Additionally, it also makes accessing things much easier. Also, it is much more likely I’d find a SME using Cloudflare than some janky custom self hosted tunnel setup. So from a using homelab as a learning for professional experience point of view, it is much more applicable as well.
rufus@discuss.tchncs.de 9 months ago
chiisana@lemmy.chiisana.net 9 months ago
It’d be a challenge to keep up — 0 days aren’t going to be added to a self hosted solution faster than they could be detected and deployed on a massively leveraged system. Economies of scale on full display.
rufus@discuss.tchncs.de 9 months ago
I mean theoretically… I guess? It depends a bit. Some Linux distributions are crazy fast with patching stuff. And some stable channels have a really good track record of open vulnerabilities. Nowadays that’s not the only way of distributing software, vulnerability might depend on your docker container setup etc.
Are there actual numbers on what Cloudflare adds on top? What 0-days do they focus on? I mean, do they have someone sitting there, reading Lemmy CVEs and then immediately getting to action to write a regex that handles that?
chiisana@lemmy.chiisana.net 9 months ago
The difference in my opinion is that it doesn’t matter how fast upstream vendors patch issues, there’s a window between an issue being detected, a patch being implemented, a release getting pushed, notification of the release being received, and then finally the update getting deployed. Whereas at least on the cloud WAF front, they are able to look at requests across all sites, run analysis, and deploy instantly.
There is a free tier with their basic “Free managed ruleset”, which they deployed for everyone with orange cloud enabled when we saw the Log4J issue a couple of years back. This protection applies to all applications, not just the ones that were able to turn around quickly with a patch.
If you want more bells and whistles, there’s a fee associated with it, and I understand having fees is not for everyone, though the price point is much lower – you get some more WAF feature on the $25/mn ($20/mn amortized when paid annually) tier as well before having to fork out the full $250/mn ($200/mn when paid annually) tier. There’s a documentation page on all the price points and rulesets available.
possiblylinux127@lemmy.zip 9 months ago
I just use a VPS with caching and basic https stripping protection
atzanteol@sh.itjust.works 9 months ago
Nobody is going to go through the effort to ddos a personal site. 😂
Moonrise2473@feddit.it 9 months ago
Tell this to the Russian bots that are hammering my personal site for some reason.
It’s way easier to make a rule “no Russia” or even “only my country”
atzanteol@sh.itjust.works 9 months ago
That’s not a ddos. Not even close. Your ISP would be getting involved if it were.
You don’t even need to do a distributed dos against a home system since your bandwidth is so easy to overcome. A single EC2 instance could flood your standard home network.
Moonrise2473@feddit.it 9 months ago
It’s not a distributed denial of service, but a single bot asking for the same fucking wordpress page every 100ms is still a denial of service on my poor home server. In one click I was able to ban the whole asian continent without too much effort
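As an added example (not code from anyone in this thread): a small detector for the situation described above, one client requesting the same page roughly every 100 ms, that a self-hoster can run over their own access log before deciding on a ban, with no CDN in front. It parses combined-format log lines; the log lines, IP addresses, path and thresholds are all constructed here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format (nginx default / Apache "combined"). Timestamps have 1 s
# resolution, so "one request every 100 ms" shows up as ~10 lines per second.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return (ip, timestamp, path) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")

def find_hammering_clients(lines, max_hits=30, window_seconds=10):
    """Flag (ip, path) pairs with more than max_hits requests inside any sliding
    window of window_seconds. Lines must be in chronological order, as a live
    access log is. Returns {(ip, path): peak hits seen in one window}."""
    recent = defaultdict(deque)          # (ip, path) -> timestamps still in the window
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                     # malformed line: skip instead of crashing on junk
        ip, ts, path = parsed
        q = recent[(ip, path)]
        q.append(ts)
        while q and ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > max_hits:
            flagged[(ip, path)] = max(len(q), flagged.get((ip, path), 0))
    return flagged

def _line(ip, second, path, ua):
    # Constructed sample line, not real traffic (documentation IP ranges).
    return (f'{ip} - - [10/Mar/2024:12:00:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 812 "-" "{ua}"')

def constructed_sample_log():
    """One legitimate visitor with three spread-out hits, plus one bot at 10 req/s for 4 s."""
    lines = [_line("203.0.113.7", s, "/blog/", "Mozilla/5.0") for s in (0, 5, 12)]
    for s in range(4):
        lines += [_line("198.51.100.9", s, "/wp-login.php", "python-requests/2.31")] * 10
    return sorted(lines, key=lambda l: parse_line(l)[1])

if __name__ == "__main__":
    for (ip, path), hits in find_hammering_clients(constructed_sample_log()).items():
        print(f"{ip} hit {path} {hits} times within 10 s")
```

The sample flags only the bot, with 40 hits in one window, while the real visitor's three requests stay under the threshold; in practice the thresholds should be tuned to the site's normal traffic before acting on the output.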
EncryptKeeper@lemmy.world 9 months ago
Getting brute forced by bots isn’t a DOS attack.
lemmyvore@feddit.nl 9 months ago
If they don’t care to attack you why would they DDoS you. 😄
The things CF fans make up about “security” are hilarious.
If you ever got hit with a DDoS while on the free tier they’d just disconnect you.
lud@lemm.ee 9 months ago
I can’t find anything that supports that statement. What is your source?
lemmyvore@feddit.nl 9 months ago
Up to a certain volume they serve a page that runs some JavaScript heuristics to figure out if the client making the request is legit or not.
Past a certain volume your service is cut off completely.
The cutoff point depends on the load on their free tier network, which is shared by all freeloaders. Could be someone else under attack and you’d still get cut off.
CloudFlare is a CDN first of all, and it makes its money from paying customers. The free tier and the registrar and the DNS and the reverse proxy and basic DoS heuristics etc. are just there to generate word of mouth and free advertising. Nobody was talking about CF a few years ago when they didn’t offer these free services, now every selfhoster and their dog will recommend them.
lud@lemm.ee 9 months ago
Again, do you have a source for that?
All the information I can find points to the ddos protection being essentially the same regardless of price plan. The paid plans just get some more features. Like extra firewall stuff.