What is Cloudflare and why I love it

Posted on April 19, 2021 by Adrian Wyssmann ‐ 5 min read

Ever since I discovered Cloudflare I have been a big fan of it. They offer a lot of great products, especially for me as an individual with a very tiny - or non-existent - IT budget.

What is Cloudflare?

Cloudflare Inc. is an American web infrastructure and website security company - founded in 2009 - which provides content delivery network services, DDoS mitigation, Internet security, and distributed domain name server services. They may be best known for their Content Delivery Network, as well as for their public DNS service 1.1.1.1. However, they have other interesting services and constantly announce new things. As of today they offer these services for infrastructure and for developers:

Yeah, that’s a lot. Well, as a developer and “DevOps Engineer”, I have “infrastructure” which I also want to protect. Therefore I want to give you a quick intro to some very interesting services I currently use - most of them free.

Quick Look into some services

DNS

I actually registered with Cloudflare because I chose to use their DNS service. As an owner of domain names you may know how annoying it is to manage your DNS entries via a GUI. Sure, some registrars offer an API, but the ones I had only did so if you pay for it - don’t get me wrong, paying is usually ok, because you get something in return, but if you use things only for fun and learning, there is no big budget you can spend. So I ended up switching my name servers to Cloudflare because they offer access to the API for free. This is great, because this way you can manage your static entries automatically. In addition they also protect your DNS with DNSSEC. Ultimately I also switched to Cloudflare Registrar to have everything in one place.

Load Balancer

If you read my previous blogs, you know that I use Hetzner Servers and Hetzner Cloud for my infrastructure. Well, Hetzner Cloud actually offers load balancing, but when I started with Hetzner there was no Hetzner Cloud and also no load balancing available. However, Load Balancing is one of the offers from Cloudflare, and it even offers a free tier with the following options:

  • 2 Origins
  • 20 Load Balancers
  • 20 Pools included
  • 500'000 queries, shared across all Load Balancers

Well 2 origins is not really that much, so if you need more you can configure it according to your needs:

Load Balancing: you can configure the load balancing according to your needs - prices are shown directly

However, when you are using Argo Tunnel, the load balancing becomes even more interesting.

Argo Tunnel

Argo Tunnel is a lightweight daemon, which creates an encrypted tunnel between your origin web server and Cloudflare’s nearest data center — all without opening any public inbound ports. This allows you to lock down your server completely and thus eliminate direct attacks on your server(s).

(c) Cloudflare Inc, Protect Web Servers from Direct Attacks

In addition, you also don’t have to worry about certificates. My ttrss-server for example runs on lighttpd without TLS. So, to access it securely, the server is locked down and there is a Cloudflare daemon running, which points to port 80 of the web server.
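
A way to check the lock-down described above, as an added example that is not part of the original post: the script parses the output of `ss -H -tln` on the origin and reports every TCP listener reachable from other hosts. The sample output, the function names and the allowed-port set are constructed for illustration; with the tunnel in place, the plain-HTTP listener on port 80 should appear only on a loopback address.

```python
import ipaddress

# Constructed sample of `ss -H -tln` output (no header) from a hypothetical origin host.
SAMPLE_SS = """\
LISTEN 0 1024     127.0.0.1:80      0.0.0.0:*
LISTEN 0 128        0.0.0.0:22      0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53      0.0.0.0:*
LISTEN 0 128          [::1]:8080       [::]:*
LISTEN 0 511              *:443           *:*
"""


def parse_listener(line):
    """Return (host, port) from one `ss -H -tln` line, or None if it is not a LISTEN row."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    host, _, port = fields[3].rpartition(":")
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and the %iface scope
    return host, int(port)


def is_loopback(host):
    """True only for addresses that other machines cannot reach (127.0.0.0/8, ::1)."""
    if host == "*":  # ss prints * for a wildcard bind on all addresses
        return False
    return ipaddress.ip_address(host).is_loopback


def exposed_listeners(ss_output, allowed_ports=frozenset()):
    """Listeners bound to non-loopback addresses, minus ports deliberately left open."""
    found = []
    for line in ss_output.splitlines():
        parsed = parse_listener(line)
        if parsed is None:
            continue
        host, port = parsed
        if not is_loopback(host) and port not in allowed_ports:
            found.append((host, port))
    return found


if __name__ == "__main__":
    # Port 22 is treated as intentionally open here (an assumption of this example).
    for host, port in exposed_listeners(SAMPLE_SS, allowed_ports={22}):
        print(f"exposed: {host}:{port}")
```

A bind-address check complements a host or provider firewall rather than replacing it; a listener on `0.0.0.0` that is blocked by a firewall rule still shows up here.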

As mentioned above, if you combine Argo Tunnel with Load Balancing, you can have more than 2 origins:

You may have more than 2 origins if you configure and use lb with cloudflared

For more details about the load balancer, please read "understanding load balancers".

You could go even further and ensure that only authenticated people can access the server by using Access, as mentioned on the company website:

When Argo Tunnel is combined with Cloudflare Access, users are authenticated by major identity providers, like Gsuite and Okta, without a VPN.

Cloudflare Access

Access allows granular access control to your applications without having a VPN. It integrates with identity providers and ensures that a user has to authenticate before he is granted access to the resource - if he is allowed to access it at all. As mentioned above, together with Argo Tunnel you can isolate your entire infrastructure and thus easily implement a Zero Trust security model. This is actually free for up to 50 users.

This applies not only to websites but to any type of resource. Accessing them from your mobile or desktop is also not an issue: you can use the 1.1.1.1 with WARP (App) and configure it to use . Well yes, you need Cloudflare for Teams.

Cloudflare for Teams

Cloudflare for Teams is free for up to 50 users and not only empowers zero trust network access, but also offers a secure Gateway that

  • blocks phishing and malware
  • points traffic to Cloudflare from corporate devices
  • inspects traffic and offers advanced control to filter how data flows

The Teams dashboard is where you configure and control your services

The free plan is ideal for people like me and small organizations that want to secure their networks and assets.

Is Cloudflare for you?

Well, maybe? As you can see, Cloudflare offers a lot of cool things which IMHO are worth looking into. And to clarify: this article is based on my personal opinion and I am not in any way paid or rewarded by Cloudflare Inc.