
CloudFlare and Google Cloud Platform - jgrahamc
https://www.cloudflare.com/google
======
verelo
I want to love CloudFlare, I really do. We currently use them, but sadly the
number of times that CloudFlare has been the cause of a service interruption
is somewhere around the 50% mark. They are no longer in use on any
critical/important end points, I just don't need PagerDuty waking us up over
an issue I have no control over.

This is not a problem I expect to improve. As they start to cover all of the
web, I imagine that it'll actually only get worse. Curious about how they see
this progressing.

~~~
chrissnell
I tried their enterprise tier out about 9 months ago and was entirely
unimpressed. Moving a site from Akamai -> CF increased page load times
dramatically. We ended up quickly switching back.

CloudFlare's complicity with ISIS, however, was what turned me off
permanently. For those unaware, CloudFlare was providing proxy shielding of
ISIS's propaganda websites. The CF CEO publicly refused to discontinue their
service, taking an anti-censorship, pro-free-speech stance. His absolutist
views didn't sit well with me and I consider their servicing of these domains
to be aiding and abetting this criminal organization.

~~~
lost_my_pwd
Interesting. This is the first I have heard of this and CloudFlare's
reputation has just gone up in my eyes because of it.

Is ISIS dangerous and deplorable? Sure. Are there ideas so dangerous that they
do not deserve to be exposed to public discourse and judged on their merits? I
don't think so.

~~~
voidlogic
I don't follow; CloudFlare is not the government, therefore freedom of
expression isn't really the issue here. Who they choose to give a voice to
says a lot about them.

I would oppose the government censoring ISIS; however, I would be proud of any
company that refused to do business with them.

~~~
gozo
Shouldn't you also be upset over all the other service providers including
your own ISP that also doesn't block those sites? Unless it's specifically
against protecting people against criminal activity, in which case we are
really going down a slippery slope.

~~~
voidlogic
>Shouldn't you also be upset over all the other service providers including
your own ISP that also doesn't block those sites?

I would argue that the moral dilemma is different if you choose to allow ISIS
traffic to pass through you, vs have them as a client.

~~~
erkkie
It might, but the business model Cloudflare is on makes the distinction less
clear. For example with their free plans would they need to identify all
clients, scan their content and judge accordingly?

For paid clients, I might be more sympathetic to the argument, but even then
the (moral?) rules (for nonbusiness) are incredibly tricky to figure out and
keep consistent. Selective enforcement is bad for everyone in the uncertainty
it spawns.

~~~
ryanlol
>For example with their free plans would they need to identify all clients,
scan their content and judge accordingly?

Ever heard of this little thing called abuse reports?

------
manigandham
To offset some of the feedback here, we run close to a billion requests a
month through CloudFlare with no issues at all. We use their Strict SSL
setting and everything is fast and secure and we save a ton on bandwidth.

As far as CDN service goes, free SSL and bandwidth and peering + all of their
datacenter locations + DNS integration gives us better latency than pretty
much everyone else we've tried.

~~~
aagha
Ditto!

We're a small startup and serve up about 3.5M requests through CloudFlare a
day.

When we were using AWS CloudFront, our costs quickly escalated to $100/day as
we brought on new customers. We switched over to CloudFlare and made that
$100/day cost go away.

CloudFlare's free service has been amazing and we've had no hiccups with it.

------
asuth
This is great!

We run Quizlet behind Cloudflare, and use Google Cloud for all our server
infrastructure (>150 VMs). We've been very happy on both platforms. We'll be
saving around $2k/mo on bandwidth because of this deal, and we didn't have to
lift a finger. Yay :)

Happy to answer any questions about either platform.

------
steckerbrett
It's becoming unusual not to see sites behind CloudFlare now, pretty neat from
a routing standpoint and devastating to user privacy and security on the
whole. If things continue in this direction we'll have the cloudflare, and
some scraps of regular internet off the side.

~~~
AdmiralAsshat
_pretty neat from a routing standpoint and devastating to user privacy on the
whole_

I'm interested. Please expand on the privacy point. I thought the general move
to CloudFlare was a good thing for privacy, as it provides an easy mechanism
for getting sites onto HTTPS without having every site to worry about managing
certificates.

~~~
ceejayoz
If CloudFlare is compromised by an intelligence agency or forced by law
enforcement and courts to cooperate, they're a large single-point-of-failure
for privacy.

~~~
MichaelGG
Additionally, a lot of sites probably just use CF's crypto, without securing it
to their backend servers. Hence there could be less encryption overall.

~~~
duskwuff
Indeed, CloudFlare will happily run an HTTPS front-end proxy to an origin
which is using a self-signed certificate, or even to an HTTP origin. Thought
that site was secure? Think again!

~~~
slipstream-
If the origin used a self-signed cert, doesn't cloudflare use certificate
pinning?

------
pdknsk
I strongly advise against hosting images, particularly photos, behind
CloudFlare. I don't use it myself but I'm frequently noticing CloudFlare
aggressively stripping color-profiles from images. Most noticeable if the
photo has an AdobeRGB profile, as many do. It makes skin tones in particular
look very dull. I don't know if CloudFlare honors no-transform – I suspect
they do, but most sites don't send it.

~~~
jgrahamc
I would like to understand this. If a customer asks we do do image
recompression to save space, and strip metadata (this is one of our services)
but would like to know what this is about.

~~~
Kalium
My experience in web-dev is that browser support for color profiles is dodgy
at best. Much like alpha in PNGs. It's usually wiser to not rely on
occasionally-supported features.

PNG alpha in particular was a nightmare for me. After that I knew to look out
for the pain caused by occasionally-supported features in images.

~~~
billyhoffman
This "much like alpha in PNGs" makes it sound like you think this is a recent
problem we still have to deal with. It's not:

[http://caniuse.com/#feat=png-alpha](http://caniuse.com/#feat=png-alpha)

PNG alpha transparency was a problem with the decade old IE6. And even then
IE6 worked fine with PNG8 images that had alpha transparency. IE7 and IE8
required a 1 line style attribute to work 100% with PNG + alpha, and IE9 did
away with that need altogether.

~~~
Kalium
The problem of haphazard feature support is not new, no.

------
rprime
Side question, does anybody have any experience with their RailGun feature, is
it worth it? We recently switched to CF and mostly use them as a CDN and we're
quite happy, good value for the money.

~~~
buro9
I work at CloudFlare and have tried every feature on my site
[https://www.lfgss.com/](https://www.lfgss.com/) at some point.

Railgun is the single biggest improvement a _dynamic_ web site can enable.

The biggest benefit is the established connection between the CloudFlare PoPs
and your origin server.

The second benefit is the "compression" that is the result of each side having
a shared dictionary.

But really, it's the open connection.

The things I tell my friends to use from CloudFlare:

* DNS

* Railgun

* Caching (my S3 bill is so small now)

* DDoS protection (I'm under attack!)

That's usually the order I recommend it too... Railgun is up there. After that
list it tends to get more specific, about their web app and what works for
them... but all of the above, just enable and use.

If you are on Chrome and install the Claire plugin then you can view Railgun
information in the address bar:
[https://chrome.google.com/webstore/detail/claire/fgbpcgddpmj...](https://chrome.google.com/webstore/detail/claire/fgbpcgddpmjmamlibbaobboigaijnmkl)

~~~
rprime
Thanks for the information buro9, my company has started to go global and we
now serve clients in Australia, Japan, locations far away from our origin
server (+200ms) and I am hoping to see a big improvement there.

I'll enable it today and see how it goes.

------
spicyj
Does this apply to App Engine too? Is there a way to test if you're getting
the direct route?

------
MichaelGG
So does this apply to any GCE customer hosting in US? If I've got machines in
us-central and I'm using CF, then I don't have to do anything? My bandwidth
charge from GCE should go to about 0?

------
mattbasta
This is excellent, honestly. We recently moved a few billion requests each
month behind CloudFlare and our metrics show that our median user (in terms of
load time) had their assets loaded almost 40% faster. It's also worth noting
that CloudFlare is the only reputable CDN that currently supports SPDY, and is
(purportedly) actively working to turn on HTTP/2. Compare that to a company
like Akamai that's still advertising Edge Side Includes like they're new and
innovative and the year is 2004.

------
maartendb
I'd love to see more transparency in the way CDNs decide to cache or not cache
your content. For example: Cloudflare publishes crawl frequencies in their
pricing table but what do they actually do with that content? Push it to all
their edges? I'd doubt that. I guess it's based on website traffic, your
website pricing plan, ... but it seems quite arbitrary to me.

------
forcer
It took us a while but we tested what sort of speed up you can see with this
new partnership -
[https://news.ycombinator.com/item?id=10233035](https://news.ycombinator.com/item?id=10233035)

------
arihant
This is tangential, but is there any way one can use Cloudflare and not be
subject to Google Analytics spam?

~~~
jgrahamc
What are you talking about?

~~~
arihant
This: [https://moz.com/blog/how-to-stop-spam-bots-from-ruining-your...](https://moz.com/blog/how-to-stop-spam-bots-from-ruining-your-analytics-referral-data)

And this: [https://blog.sucuri.net/2015/07/malicious-google-analytics-r...](https://blog.sucuri.net/2015/07/malicious-google-analytics-referral-spam.html)

I and others that I know get this kind of referral spam on every single domain
we have with cloudflare. I know DNS records are public, but is there something
cloudflare and other public DNS hosting services can do to prevent this?

~~~
chinathrow
Those spambots hit hard these days. However, they never ever touch your origin
or your CDN at all (check your logs, nothing). They fake the log entry
directly into the Analytics systems.

Google has to clean up, but sadly, they haven't moved a bit in ages.

~~~
arihant
Yes, that is true. However, the fact that only my cloudflare domains
experience this suggests either,

1. They are targeting domains specifically with cloudflare nameservers.

2. They are somehow obtaining a list of domains running on cloudflare.

Both these tasks are not hard to accomplish. And it is extremely irritating.

~~~
shazow
Most of these spammers just emit events to a large range of GA tracking ids
completely blindly, think of it as the equivalent of...

    for (var i=0; i<100000; i++) {
        ga('create', 'UA-' + i + '-1');
        ga('send', 'pageview'); // But with a fake referrer
    }

They do that a bunch of times per day from a bunch of different IP addresses.
Adding host filtering to your properties on GA eliminates about 80% of spam
which uses this technique.

It's possible you're being targeted due to being in a specific market or
something, but it's unlikely to be related to Cloudflare. (At least I can't
think of any reason why it would be related.)
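
The host filtering mentioned in the comment above, as an added example that is not part of the original thread or of any Analytics product code: it builds an anchored hostname allowlist and applies it to hits in Measurement Protocol form (`dh` is the document hostname, `dr` the referrer). The hostnames, tracking ID and sample hits are constructed placeholders; the last sample shows why such a filter cannot catch spam that supplies the correct hostname.

```javascript
// Added example (not from the thread). Hostnames and hits are constructed.
const VALID_HOSTS = ['example.com', 'www.example.com', 'shop.example.com'];

// Build one anchored, escaped pattern, the same shape you would use for an
// "include only these hostnames" view filter. Anchoring blocks look-alikes.
function buildHostPattern(hosts) {
  const escaped = hosts.map(h =>
    h.toLowerCase().replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^(?:' + escaped.join('|') + ')$');
}

// Parse one hit payload into the fields the filter cares about.
function parseHit(payload) {
  const p = new URLSearchParams(payload);
  return {
    cid: p.get('cid'),
    host: (p.get('dh') || '').trim().toLowerCase(), // missing dh -> ''
    referrer: p.get('dr') || '',
  };
}

// Split hits into those reported for our own hostnames and everything else.
function classifyHits(payloads, hosts) {
  const pattern = buildHostPattern(hosts);
  const kept = [], dropped = [];
  for (const raw of payloads) {
    const hit = parseHit(raw);
    (pattern.test(hit.host) ? kept : dropped).push(hit);
  }
  return { kept, dropped };
}

// Constructed sample hits; UA-00000-1 and *.invalid names are placeholders.
const SAMPLE_HITS = [
  'v=1&tid=UA-00000-1&cid=1&t=pageview&dh=www.example.com&dp=%2F',
  // Blind hit with no hostname at all
  'v=1&tid=UA-00000-1&cid=2&t=pageview&dp=%2F&dr=http%3A%2F%2Fspam.invalid%2F',
  // Blind hit reporting the spammer's own hostname
  'v=1&tid=UA-00000-1&cid=3&t=pageview&dh=spam.invalid&dr=http%3A%2F%2Fspam.invalid%2F',
  // Look-alike hostname that an unanchored pattern would let through
  'v=1&tid=UA-00000-1&cid=4&t=pageview&dh=www.example.com.spam.invalid&dp=%2F',
  // Legitimate hit with different casing
  'v=1&tid=UA-00000-1&cid=5&t=pageview&dh=WWW.EXAMPLE.COM&dp=%2Fpricing',
  // Spam that supplies the right hostname: the host filter cannot catch this
  'v=1&tid=UA-00000-1&cid=6&t=pageview&dh=www.example.com&dr=http%3A%2F%2Fspam.invalid%2F',
];
```

Hits like the last sample need a second control, such as a referrer exclusion list.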

