
That depends on what you expect to get out of them.

* If you're looking for DDoS mitigation, use basically any of the providers that offer it on a network level - it's really not necessary to have access to HTTP traffic to mitigate attacks. Also, don't run Apache - it's notoriously vulnerable to various low-bandwidth attacks.

A non-exhaustive list of "real" mitigation providers (note that I am not making any particular recommendations):

  - Voxility
  - X4B.net
  - Akamai (formerly Prolexic)
  - Level3 (formerly Black Lotus)
  - Psychz Networks
  - CNServers
  - Sharktech
  - OVH (not as a separate service, but their entire network is covered)

You'll want to avoid anything HTTP-specific (as it will be prone to the same privacy issues as CloudFlare), and opt for layer 3/4 mitigation only.

Another option, if you're running at a larger scale, is to purchase mitigation appliances and just set up your own mitigation infrastructure. This will not be cheap and will require some serious connectivity, but beyond a certain point it'll be more cost-effective.

* If you're looking for a WAF, run one on your own backend server(s) and/or loadbalancer(s). There's no benefit to doing this remotely, really. Even something relatively simple like ModSecurity will cover a wide array of problems.

* If you're looking to save bandwidth: don't bother. Traffic costs virtually nothing nowadays, and saving a few dollars by having another provider cache your assets hardly outweighs having the privacy (and potentially security) of all your users compromised. If you find traffic to be expensive, you should probably look for a different provider - some providers (like AWS) notoriously overcharge for it.

* If you're looking for better performance: CloudFlare doesn't really provide that to begin with. There's an extra hop for non-static assets, and depending on the location of your server and users, it can actually slow things down. If your performance is really critical to the millisecond - and chances are, it isn't - look into hosting providers that offer anycast.

* If you're looking for DNS hosting: plenty of options. Many providers offer it for free if you host with them, Hurricane Electric offers it for free regardless of where you are hosted (http://dns.he.net/), and if you need an SLA, there's Rage4 and Route 53. Pretty much every DNS hosting provider uses anycast.

* If you're looking for magic SSL/TLS: Use Caddy (https://caddyserver.com/), which is an HTTPd that will automatically set up and renew certificates for you through Let's Encrypt, as well as greatly simplifying TLS configuration. It's essentially zero-effort.

Trying to outsource this to a third party (like CloudFlare's "Universal SSL/TLS" does) defeats the point - it means that the third party can see all of your traffic, all the while providing a false sense of security to your users; they see the padlock, but their traffic is not secured end-to-end.

In short: the only correct place to terminate TLS is on your own servers.

* If you're looking for something else that CloudFlare offers: Feel free to describe it, and I'll suggest an alternative.
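The "terminate TLS on your own servers" setup described above, as an added example that is not part of the original comment: a Caddy v2 Caddyfile (the comment does not specify a Caddy version; current v2 syntax is assumed) that obtains and renews a Let's Encrypt certificate for the site, serves static assets itself and proxies everything else to a backend on localhost. `example.com`, the backend port, the static directory and the log path are placeholders.

```caddyfile
# Added example, not from the original comment. Caddy v2 Caddyfile syntax assumed.
# Caddy issues and renews the certificate automatically as long as this host is
# reachable on ports 80/443 and the site's DNS record points at it.
{
    # Contact address for the ACME account (placeholder)
    email admin@example.com
}

example.com {
    # Static assets served straight from disk (placeholder path)
    handle_path /static/* {
        root * /var/www/example/static
        file_server
    }

    # Everything else goes to the application backend. TLS terminates here,
    # on a server you control; the backend only ever sees localhost traffic.
    handle {
        reverse_proxy 127.0.0.1:8080
    }

    # Tell browsers to keep using HTTPS and stop them guessing content types;
    # drop the Server header so the software version is not advertised.
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options nosniff
        -Server
    }

    encode gzip

    log {
        output file /var/log/caddy/example.access.log
    }
}
```

Because the certificate private key never leaves this host, the padlock users see corresponds to an actual end-to-end connection to your server, which is the property the comment above says a third-party terminator cannot give you.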

What's the hate against CloudFlare?

Most of the providers you listed have many issues, are more expensive and do a terrible job protecting web sites.

For websites like the Internet Archive, you do not need a layer 3/4-mitigation-only provider. CloudFlare, Incapsula, Sucuri and others do that very well (I know from experience working with them).

Thanks for the response!

I'll look into them.

Well, I am still looking around, so I have no fixed ideas yet on whether or not to use whatever CF offers, but since in my experience CF is the one that stands out the most in whatever I read, I thought it would be very nice to have alternatives for research.
