What is Cloudflare and why I love it
Posted April 19, 2021 by Adrian Wyssmann ‐ 5 min read
Ever since I discovered Cloudflare, I have been a big fan of it. They offer a lot of great products, especially for me as an individual with a very tiny - or non-existent - IT budget.
What is Cloudflare?
Cloudflare Inc. is an American web infrastructure and website security company - founded in 2009 - which provides content delivery network services, DDoS mitigation, Internet security, and distributed domain name server services. They may be best known for their Content Delivery Network, as well as for their public DNS service 1.1.1.1. However, they have other interesting services and constantly announce new things. As of today, they offer these services for infrastructure and for developers:
Application & Network Security
DDoS Protection, WAF, Bot Management, Magic Transit, Magic WAN, Rate Limiting, SSL / TLS, SSL/TLS for SaaS Providers, Cloudflare Spectrum, Network Interconnect, CDN, DNS, Argo Tunnel, Argo Smart Routing, Load Balancing, Stream Delivery, China Network, Waiting Room, Cloudflare for Teams, Access, Gateway, Browser Isolation
DNS for everyone
Yeah, that’s a lot. Well, as a developer and “DevOps Engineer”, I have “infrastructure” which I also want to protect. Therefore I want to give you a quick intro to some very interesting services I currently use - most of them free.
Quick Look into some services
I actually registered with Cloudflare as I chose to use their DNS service. As an owner of domain names you may know how annoying it is to manage your DNS entries via a GUI. Sure, some registrars offer an API, but the ones I had only if you pay for it - don’t get me wrong, paying is usually ok, because you get something in return, but if you use things only for fun and learning, there is no big budget you can spend. So I ended up switching my name servers to Cloudflare because they offer access to the API for free. This is great, because this way you can manage your static entries automatically. In addition, they also protect your DNS with DNSSEC. Ultimately I also switched to Cloudflare Registrar to have everything in one place.
If you read my previous blogs, I use Hetzner Servers and Hetzner Cloud for my infrastructure. Well, Hetzner Cloud actually offers load balancing, but when I started with Hetzner there was no Hetzner Cloud and also no load balancing available. However, Load Balancing is one of Cloudflare's offerings, and it even has a free tier with the following options:
- 2 Origins
- 20 Load Balancers
- 20 Pools included
- 500'000 queries, shared across all Load Balancers
Well, 2 origins is not really that much, so if you need more you can configure it according to your needs. Now, if you start using Argo Tunnel, the load balancing becomes even more interesting.
Argo Tunnel is a lightweight daemon which creates an encrypted tunnel between your origin web server and Cloudflare’s nearest data center, all without opening any public inbound ports. This allows you to lock down your server completely and thus eliminate direct attacks on your server(s).
In addition, you also don’t have to worry about certificates. My ttrss-server, for example, runs on lighttpd without TLS. So, for secure access, the server is locked down and there is a Cloudflare daemon running, which points to port 80 of the web server.
For more details about the load balancer, please read "Understanding load balancers".
When Argo Tunnel is combined with Cloudflare Access, users are authenticated by major identity providers, like Gsuite and Okta, without a VPN.
Access allows granular access control to your applications without having a VPN. It integrates with identity providers and ensures that a user has to authenticate before he is granted access to the resource - if he is allowed to access it at all. As mentioned above, together with Argo Tunnel you can isolate your entire infrastructure and thus easily implement a Zero Trust security model. This is actually free for up to 50 users.
This applies not only to websites but to any type of resource. Accessing them from your mobile or desktop is also not an issue: you can use the 1.1.1.1 with WARP (App) and configure it to use . Well yes, you need Cloudflare for Teams.
Cloudflare for Teams
- blocks phishing and malware
- points traffic to Cloudflare from corporate devices
- inspects traffic and offers advanced control to filter how data flows
The free plan is ideal for people like me and small organizations that want to secure their networks and assets.
Is Cloudflare for you?
Well, maybe? As you can see, Cloudflare offers a lot of cool things which IMHO are worth looking into. And to clarify: this article is based on my personal opinion and I am not paid or rewarded by Cloudflare Inc. in any way.
If you are looking for an easy way to install the cloudflare daemon on your servers, have a look at my ansible-role-cloudflared.