
Cloudflare info/tutorial for IPB



Hello :)

As many users ask for Cloudflare info/optimizations and settings that will work for IPB, I decided to post a tutorial to make it easy to know what it is and what it can do for you :)

Cloudflare speeds up and protects millions of websites, APIs, SaaS services, and other properties connected to the Internet.

PERFORMANCE:

Performance is not just about moving static files closer to visitors, it is also about ensuring that every page renders as fast and efficiently as possible from whatever device a visitor is surfing from. Cloudflare users can choose any combination of these Internet property content optimization features that take performance to the next level.

Cloudflare is dedicated to enabling the best possible performance for our customers. Our global network speeds up and streamlines connections from visitors to their online destinations in 4 key ways:

 

CDN:

Moving content physically closer to visitors with our CDN is one of the easiest ways to improve the performance of your website and reduce load on your web servers.

 

WEBSITE OPTIMIZATION:

Cloudflare lets you automatically enable the latest in web technologies. Our web optimization features cover everything from mobile image optimization to aggressive GZIP and HTTP/2.

 

DNS:

Cloudflare is one of the fastest managed DNS providers in the world. The same 102 data center network that powers our CDN dramatically speeds up domain resolution for your website’s visitors.

 

DEDICATED SSL CERTIFICATES:

With a few clicks within the Cloudflare dashboard, you can easily and quickly issue new certificates, securely generate private keys and more. Dedicated SSL Certificates are available for purchase on all Cloudflare pricing plans.

 

LOAD BALANCING:

Cloudflare Load Balancing provides load balancing, geo-steering, monitoring and failover for your Internet facing infrastructure enhancing service availability.

 

SECURITY:

Online threats range from nuisances like comment spam and excessive bot crawling to malicious attacks like SQL injection and denial of service (DOS) attacks. Cloudflare provides protection against all of these types of threats and more to keep your website safe.

 

DDOS PROTECTION:

Our enterprise-class DDoS protection network has 20 times more capacity than the largest DDoS attack ever recorded. Operating at the network edge, it protects against all forms of DDoS attacks.

 

WAF:

Our web application firewall benefits from the collective intelligence of our entire network. When we identify a new threat from one website, we can automatically block it from the other 5,000,000 websites on our network.

 

SSL:

HTTPS is a must-have for modern websites, and Cloudflare makes it easy to configure SSL. No need to worry about installation issues, expiring certificates, or optimizing your SSL settings.

 

SECURE REGISTRAR:

Registering your domain through Cloudflare is the most secure way to protect your trademark from domain hijacking.

 

DEDICATED SSL CERTIFICATES:

With a few clicks within the Cloudflare dashboard, you can easily and quickly issue new certificates, securely generate private keys and more. Dedicated SSL Certificates are available for purchase on all Cloudflare pricing plans.

 

RATE LIMITING:

Rate Limiting gives you granular controls to detect bad traffic, customized rulesets to ensure that your legitimate visitors are not impacted, and insights to improve your security posture as attacks evolve.

 

RELIABILITY:

 

DNS:

Cloudflare’s DNS service is powered by the same 102 data center network that powers our DDoS and CDN services. This not only improves DNS resolution times, but also makes DNS-related attacks and outages a thing of the past.

 

CHINA NETWORK:

Cloudflare’s China service optimizes Internet connections in mainland China, dramatically improving the viewing experience for visitors in China.

 

PREDICTABLE BANDWIDTH COSTS:

We believe that you should never be surprised by your monthly bill. Our flat-rate pricing structure makes your CDN and DDoS bandwidth expenses predictable.

 

INSIGHT:

ENTERPRISE LOGS:

For enterprise customers, we can provide consolidated logs from around the world. These are very rich, containing detailed information about every request and response.

 

THREATS:

When we identify requests that are threats, we log them and block them. That means we not only protect your site, but also provide insight into the malicious activity we’re seeing.

 

RATE LIMITING:

Rate Limiting gives you granular controls to detect bad traffic, customized rulesets to ensure that your legitimate visitors are not impacted, and insights to improve your security posture as attacks evolve.

 

 

PLANS:

[Image: 2mrguqf.png]

 

 

102 DATACENTERS AROUND THE WORLD:

 

[Image: 23p9up.png]

[Image: 2dqk4no.png]

 

CONTROL PANEL:

 

 

 

How to use? Setting Up Cloudflare Is Easy:

 

So as you can see it is very easy to do :)

Just register for a free account and then add your domain. After a minute of scanning your existing DNS records, you can proceed to the next step, which is changing the DNS nameservers at your domain registrar to the given Cloudflare ones :)

Then after X minutes/hours when the DNS change is activated you will be using Cloudflare.

You can verify this by checking on the main dashboard Overview page the green bar and the Status: Active:

[Image: 2yv2djl.jpg]

 

Then on the SPEED tab you have the options that you must adjust:

!!! REMEMBER TO ADJUST ONE BY ONE AND MOVE TO THE NEXT ONE ONLY AFTER YOU VERIFY THAT EACH ONE WORKS !!!

 

Auto Minify:

CSS and HTML should work with no issues if you enable them, but JS can cause issues with IPB or addons/Apps that you may use.

 

Polish:

All options should work there and it's up to you what quality you need for your images...

 

Mirage:

That one should work also with no issues....

 

Rocket Loader:

That one is causing the most issues for IPB, and it is recommended not to enable it or, if you do, to double-check that it works.

 

Keep in mind that you don't need to make any adjustments for Cloudflare to cache any folders of your server. It will cache any static file automatically after the first request from a user!

 

Trouble? Don't like it? You can still benefit from it !

If it doesn't work for you, or you don't like it for some reason, you can use it only as a DNS provider and still benefit from the super fast network that they have and the super fast DNS changes that you can do :)

How?

Just go to the Overview main dashboard page and click on Advanced and then on the Pause button :)

[Image: 4qkho4.jpg]

 

I will not go into more advanced extra settings for firewall, SSL or page rules tricks, as the tutorial is for the basic steps only :)

Enjoy !

Link to comment
Share on other sites

  • 1 month later...

I had quite bad experiences with the DDoS protection for (custom) Layer 7 attacks as a business customer. I do use CloudFlare as a DNS service now, because their panel is great. I also agree that CloudFlare offers a lot of useful features which speed up pages; unfortunately our current DDoS protection is not compatible with CloudFlare.

In short: If you are expecting/facing advanced Layer7 attacks, rather use something else. I have heard the protection is better on enterprise plans, but they start at 5000 USD / month - Prolexic and Imperva might be alternatives. We've also got quotes from Incapsula as we faced DDoS attacks which exceed 115 GBps (which is the limit of our DDoS protection right now) and the quote looked like this:

"Ballpark figures are as follows:

-          Enterprise package 50M to cope with your 10TB/Month of clean traffic - $1,100/Month

-          Unlimited DDoS package; every case which is getting hits that are over 50G per attack falls into that spot - $7,000/Month

-          Incapsula Infrastructure Protection for Single IP - $330/Month

 

Total is - $8,430/Month"

Link to comment
Share on other sites

Don't know if it is allowed to post other DDoS providers that also offer servers, but there are many super providers with much lower prices than the above, and the protection works perfectly!

For Layer 7, most attacks are from rented booter services and in most cases are easy to block using, for example, fail2ban and blocking the user agent "Wordpress" that they use...

The problem is when they hit the server IP directly, and in that case you can solve that issue using a good server provider.

Some of them offer such a service for free and it works very well!

Link to comment
Share on other sites

10 minutes ago, ASTRAPI said:

Don't know if it is allowed to post other DDoS providers that also offer servers, but there are many super providers with much lower prices than the above, and the protection works perfectly!

For Layer 7, most attacks are from rented booter services and in most cases are easy to block using, for example, fail2ban and blocking the user agent "Wordpress" that they use...

The problem is when they hit the server IP directly, and in that case you can solve that issue using a good server provider.

Some of them offer such a service for free and it works very well!

I didn't want to advertise another service, but Incapsula is, besides Prolexic, one of the biggest mitigation services capable of handling DDoS attacks larger than 100 GBPs (there are just 3 companies who offer services at this size I think). I just wanted to provide numbers for what a decent DDoS protection will cost otherwise, because you won't find these numbers on their homepages or anywhere else. The prices have a reason, because CloudFlare and other DDoS mitigation services are usually talking about their "total network capacity" and not about their actual bandwidth protection.

I am aware that CloudFlare acts as reverse proxy and hence the protection is not existent once the attackers got the real IP address behind the reverse proxy, but nevertheless the protection for free users is not really good. Also no attacker would perform a Layer7 attack once they got the real server ip, bandwidth attacks are much more effective and technically easier in that case. CloudFlare will disable your website once the attack exceeds a specific size - they force you to upgrade to the business package then and afterwards they will unblock you (takes around 12h). CloudFlare doesn't offer Layer7 protection at all for free customers and they also state this on their website.

In short: My experience is limited to the Free, Pro and Business package - If you are running a community which regularly faces advanced DDoS attacks you should prepare yourself for a lot more costs (depending on the attacks you are experiencing).

 

I am not trying to make your tutorial bad; you should mention the DDoS protection differences of each package though. I am convinced it's just a matter of time until a large community faces advanced DDoS attacks.

Link to comment
Share on other sites

43 minutes ago, inkredible said:

I am not trying to make your tutorial bad

Didn't say that :)

I don't use Cloudflare for DDoS protection, that's why I didn't mention DDoS services for each pack :)

In almost all cases I am able to stop DDoS attacks, but not when the attacker hits the IP....

Then users need a good service/provider.... That's what I mentioned above...

Link to comment
Share on other sites

  • 3 weeks later...
On 22/02/2017 at 4:01 PM, ASTRAPI said:

Don't know if it is allowed to post other DDoS providers that also offer servers, but there are many super providers with much lower prices than the above, and the protection works perfectly!

For Layer 7, most attacks are from rented booter services and in most cases are easy to block using, for example, fail2ban and blocking the user agent "Wordpress" that they use...

The problem is when they hit the server IP directly, and in that case you can solve that issue using a good server provider.

Some of them offer such a service for free and it works very well!

If you receive a 115GB Layer 7 attack, it's impossible for you to protect against it with fail2ban. I also use that on my server, but it only works for normal attacks, not big ones. Your network will simply get full, and even if it was not full, your fail2ban with that kind of attack would consume all the resources of your server, and it would be a DDoS anyway.

I even use an nginx configuration to drop the connection if the request comes from Wordpress... If the requests are thousands per second, no chance without a dedicated anti-DDoS.

Link to comment
Share on other sites
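The per-source blocking discussed in the posts above (fail2ban keyed on the "Wordpress" user agent), as an added example that is not code from any poster in this thread: it replays access-log lines and reports which client IPs cross a hit threshold inside a time window. The nginx "combined" log format, the thresholds (`max_hits` and `find_time`, playing the role of fail2ban's `maxretry` and `findtime`) and the sample lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" access-log format (assumed; adjust to your log_format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# The thread blocks the "Wordpress" user agent; WordPress's HTTP client
# identifies itself as "WordPress/<version>; <site url>".
UA_RE = re.compile(r"^WordPress/", re.IGNORECASE)

# Constructed sample lines (documentation IP ranges), not real traffic.
BROWSER = "Mozilla/5.0 (X11; Linux x86_64)"
WP = "WordPress/4.7.2; http://blog.example"

def _line(ip, hhmmss, ua):
    return (f'{ip} - - [22/Feb/2017:{hhmmss} +0000] "GET / HTTP/1.1" '
            f'200 5120 "-" "{ua}"')

SAMPLE_LOG = [
    _line("192.0.2.10", "12:00:00", WP),
    _line("203.0.113.9", "12:00:00", BROWSER),   # normal visitor, ignored
    _line("192.0.2.10", "12:00:01", WP),
    _line("198.51.100.20", "12:00:01", WP),
    _line("192.0.2.10", "12:00:02", WP),         # third hit inside 10 s
    _line("198.51.100.20", "12:00:31", WP),      # slow: window has expired
    _line("198.51.100.20", "12:01:01", WP),
]

def find_offenders(lines, max_hits=3, find_time=timedelta(seconds=10)):
    """Map each offending ip to the time it reached max_hits within find_time."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not UA_RE.match(m["ua"]) or m["ip"] in offenders:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:   # forget hits older than the window
            window.popleft()
        if len(window) >= max_hits:
            offenders[m["ip"]] = ts
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached at {when.isoformat()})")
```

Every matching request still has to reach the server and be parsed before its source can be counted, which is the resource cost the post above points out for very large floods.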

  • 4 months later...
  • 4 weeks later...
6 hours ago, AlexWebsites said:

with 4.2.2 and auto minify under speed, what is everyone using? CSS seems to be causing some issues for me.

I am using only HTML. There is no use in minifying CSS and JavaScript, they are already minified by IPS. So it can only cause issues, for example with custom themes.

Link to comment
Share on other sites

On 8/23/2017 at 8:58 AM, Netherlord said:

I am. Worth the money. Drops my latency down a lot.

would only cost us 1,700/mo (17TB/mo) :D

how much of an improvement did you see?

On 3/14/2017 at 2:35 AM, ASTRAPI said:

No issues for me :-)

Just enable it and test it ...

is railgun worth the $200 (business plan)? do you have metrics before and after?

Link to comment
Share on other sites

Testing Argo today.

TTFB dropped from an average of 600 ms to 400 ms on first view according to Webpagetest.

Is this the only performance gain or the website also loads faster on others metrics?

The most amazing feature of business plan is the BYPASS CACHE ON COOKIE, to serve your entire page by the cache of the PoPs. Loads almost instantaneously.

But someone told me that IPS 4.1 could not serve pages for guests this way for some software limitation related to guests registration.

I don't know if this issue was solved in 4.2.

Link to comment
Share on other sites

  • 2 months later...

The 4.2.6 update changes some of the ckeditor files and for whatever reason, rocket loader is really messing things up. It worked fine before. So, heads up to anyone with cloudfront, you'll probably want to exclude any ckeditor scripts or probably turn rocket loader off entirely. Bit of a shame, prior to 4.2.6 the editor loaded immediately with no indication it was loading. Now on 4.2.6 there is a slight delay before it loads. Appears to be whatever changes the ckeditor people made.

Link to comment
Share on other sites

1 minute ago, gabs007 said:

I'm planning to use cloudflare soon.

Can someone tell me if it is worth paying the 20$ ?

I have tested the free versions with a few wordpress blogs and I have to say it works great.
But I'm not sure if It is worth paying?  any experience about that ?

It is worth it only if you have an image heavy community. Then you can use Polish and Mirage, which help with image optimization. If you don't need that, I believe you are perfectly fine with the free plan. 

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
