The Great Cloudwall

Cloudflare provides an immense value for small sites. Doing DDoS protection with specialized firewall hardware was one of the most expensive things you could do, so it wasn't really affordable for lots of people. They win by solving a problem. I believe that the issue of Cloudflare as a man-in-the-middle is a smaller issue for people running websites than the damage done by potential attacks.

That disroot article is just FUD. See <a href="https:&#x2F;&#x2F;www.cloudflare.com&#x2F;trust-hub&#x2F;privacy-and-data-protection&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.cloudflare.com&#x2F;trust-hub&#x2F;privacy-and-data-protec...</a><p>CloudFlare has settings to allow Tor traffic, etc. If some website does not work, users need to contact owner of that website to change settings so that it would work. If it&#x27;s accessibility issue, speak about it to someone that can help with contacting website owner.<p>Many use CloudFlare to protect from huge amount of attacks, DDoS, etc.

I use Tor and a text based client for web browsing for better privacy. That also means I do not allow javascript. Some sites are not usable. About a quarter of those that will not work require javascript (they won&#x27;t work at all with it disabled). Most sites do work fine without javascript. Since I don&#x27;t use &quot;social media&quot; only about five percent of all websites fail because of javascript.<p>Of the remaining three quarters that don&#x27;t work, they fall into two categories. Those that gatekeep using CAPTCHAs are inaccessible using a text based browser, so I skip those. The remainder just block my requests. About half of all those are Cloudflare.<p>While I constantly curse Cloudflare and consider them an &quot;enemy&quot; of ordinary web users who just want to browse with the dignity we have a right to, they are not the only bad guys in town by a long shot.<p>They are just one more sign of an increasingly hostile web. Google, Twitter, and some parts of the Apple and Microsoft estates are hostile to privacy conscious users too.<p>For the most-part I consider these self-excluding barriers a kind of feature to stop me wasting time on creators and services that are ambivalent or ignorant about how to present themselves accessibly on the web.

Cloudflare isn&#x27;t for web users, it&#x27;s for websites. Anecdotally, I just downloaded the Tor Web browser at default settings, hit connect and went straight to my Cloudflare protected website. No problems whatsoever. Could I configure Cloudflare to block Tor? Absolutely. But I could do the same with Cloudfront, Akamai, Fastly, NGINX, Varnish, pretty much anything.<p>A bouncer outside of a bar also keeps people out, handles everyone&#x27;s identifying information, etc.

What is the solution or alternative for really good DDoS protection plus some type of WAF?<p>On AWS you can get your DNS, load balancers and EC2 instances directly protected from DDoS attacks by Amazon but it&#x27;s $3,000 a month with an annual commitment ($36,000 &#x2F; year) + outgoing usage rates at about 5 cents per GB with AWS Shield Advanced. Although to be fair with Cloudflare in the enterprise world you&#x27;ll end up being about equal to AWS&#x27; prices, but for a smaller business coming up with 36k &#x2F; year isn&#x27;t feasible. That could be more than your entire business makes.

This seems to throw lots of issues out, but no solutions. People aren&#x27;t using cloudflare for no reason.<p>One small example, everyone is aware cloudflare is down sometimes, but if you ever get even lightly DDOSed, your uptime on cloudflare is likely to be much higher than without.

I don&#x27;t think the person takes into account ANY of the benefits of CloudFlare.

So, dumb question: Why is TLS pushed so heavily if everyone is expected to use a CDN anyway, which would be in a position to see and modify all traffic?<p>Or put differently, why are ISPs hostile entities against which web traffic must be protected, but CDNs and hosting providers are just fine?

I got a 500 or 404 error.<p><a href="https:&#x2F;&#x2F;archive.ph&#x2F;Nvx58" rel="nofollow">https:&#x2F;&#x2F;archive.ph&#x2F;Nvx58</a>

&quot;You are connecting to Cloudflare and all your information is being decrypted and handed over on the fly&quot; - wait, really?

Having recently upped my visibility of traffic incoming from the internet, I have to agree with the sentiment that Cloudflare are providing a useful, worthwhile service, and the reason that they&#x27;ve grown to the extent described is that they do a very good job at it, and outran their competitors by a wide margin.<p>The internet is a cesspool of malicious traffic.<p>I was wondering why my Lets Encrypt certs weren&#x27;t auto-updating, and it&#x27;s because in my recent upgrade to my primary firewall I hadn&#x27;t setup an incoming port forward for port 80 (because, ironically, everything is served via 443 these days). But Lets Encrypt requires incoming port 80 for its domain ownership verification - or at least the option I&#x27;d setup, which was the easiest at the time.<p>I decided to log (to view) the traffic coming in to port 80, and it was a relentless stream. It&#x27;ll still be a relentless stream now, but it&#x27;s all bouncing off the external wall rather than an internal one.<p>Same with port 25, and that&#x27;s gotta be open if you want to receive email. I was actually looking forward to what Cloudflare will do with email protection from their recent acquisition. If I see many repeated attempts at connecting to port 25, I block the full &#x2F;24 permanently.

Huh, assets are still loading:<p><a href="https:&#x2F;&#x2F;git.disroot.org&#x2F;dCF&#x2F;deCloudflare&#x2F;media&#x2F;branch&#x2F;master&#x2F;image&#x2F;cloudflareoutage-2020.jpg" rel="nofollow">https:&#x2F;&#x2F;git.disroot.org&#x2F;dCF&#x2F;deCloudflare&#x2F;media&#x2F;branch&#x2F;master...</a><p>Anyway, ICYMI, the link was to a mirror of the &#x27;deCloudflare&#x27; git repo (that you can find with google)

Site appears to be down. Cloudflare Always Online™ would help immensely here.

Seems to 404 or 500 for me. Someone’s not ironically DDOSing this, are they?

&quot;And their DNS service, 1.1.1.1, is also filtering out users from visiting the website by returning fake IP address owned by Cloudflare, localhost IP such as “127.0.0.x”, or just return nothing.&quot;<p>Isn&#x27;t that what DNS filtering means?

The Illuminati strikes again (but only on mobile?)<p><a href="https:&#x2F;&#x2F;imgur.com&#x2F;a&#x2F;XzaD4pO" rel="nofollow">https:&#x2F;&#x2F;imgur.com&#x2F;a&#x2F;XzaD4pO</a><p>(Unironic +1 for Gitea too)

Of course the ideal solution would be to throw DDoSers and botneters into jail instead of relying on DDoS protection, but that for some reason is a problem<p>(And some criticism like blocking Tor or some bots is valid and I agree with that)

&gt;500 error<p>10&#x2F;10 for irony.

I dislike Cloudflare for many of the reasons mentioned here. I did not know all of the things that they mentioned there, but some of them I did know. There are other problems too, though. (However, some of the problems listed there perhaps can sometimes be avoided, like other comments on here will mention.)<p>I do not use Cloudflare for my own services; unfortunately some others do, and I cannot usually avoid it if they do.<p>(Also, the quotation attributed to Adolf Hitler is disputed by Wikiquote.)