I'm so sorry everyone. Or: why I'm switching to Cloudflare (saggis.com)
221 points by d4a on Feb 23, 2022 | 206 comments

> I guess I also wanna say that I'm sorry Cloudflare. I realize that I'm not the target market. I am literally not giving Cloudflare any money. There is no reason they should support an esoteric and bizarre configuration that I do.

This guy is underestimating just how exactly he is the target market for such a free-tier service. He is smart, technical, about to go to college, and in a few years will be evaluating what service to use for his startup or big tech job from among a field of competitors.

Oh yes. I first discovered Google Firebase some time during high-school and was hacking on some small projects ever since.

Today, I am hosting most of my stuff on GCP and I'm quite reluctant to spend time learning about the other provider's offerings.

He also just put CloudFlare on the front page of HN yet again, so, he's just paid them handsomely in PR.

> in a few years

If Cloudflare can keep on bleeding money at such scale, in a possibly interest-rate-increasing world, that is.


In 2021 it had a revenue of $656M, and costs of $917M.

If you've raised VC and are not bleeding money you've either done something really, really wrong or something really, really right. You're supposed to be bleeding money. That's the whole reason you gave up a chunk of your company. The only reason not to be bleeding money is because you locked into such a strong growth loop halfway into spending that VC money that you literally can't buy inputs fast enough. You're pulling 100% of the world's XY or Z.

It's bizarre that the majority of people on a tech entrepreneurs' forum don't seem to understand this. If you take hundreds of millions in VC funding and immediately make healthy profits, then congrats you just gave away a large chunk of your company for nothing. The smart move is to instead pay your employees, give away your services for cheap and grow your customer base. There's no point having a long runway if you don't use it to build up speed but rather try and take off too early and crash.

> It's bizarre that the majority of people on a tech entrepreneurs' forum don't seem to understand this


> The smart move is to instead pay your employees [...] and grow your customer base


> give away your services for cheap

Disagree. Giving away your services for cheap is a great way to build an unsustainable business. It's often a part of the effective strategy, sure. But if you just default into "oh, we'll just sell it cheaply, and increase prices when we're big", then be sure to time your exit before everything collapses. Selling $1 for 90 cents works only for a limited time.

> Selling $1 for 90 cents works only for a limited time.

That's the point with VC money, for some markets. By burning the entire market for everyone else, you can then own it. At smaller scales and for some products this sucks because VC money distorts the market for otherwise perfectly/better designed products but that don't have the same monetization possibility.

I believe it's one reason so much VC money is pouring into web3 now. They aren't about to let an actual decentralized vision take hold.

In what market do VC-backed entrants selling at a loss to pick up market share not distort the market?

> grow your customer base

> give away your services for cheap

I think your parent comment's view is that these go hand in hand. Sure, there are tons of bad examples of this which really do only amount to selling $1 for 90c. Sometimes, however, the point of customer acquisition isn't just so that you can switch from selling $1 for 90c to selling 90c for $1 (which won't work), but to solve your scaling problems before you try making a profit. It's easier to fix issues and deploy new or experimental technologies in a period of easy money and customers flooding your doors than it is when you're skating by on thin margins.

> It's easier to fix issues and deploy new or experimental technologies in a period of easy money and customers flooding your doors than it is when you're skating by on thin margins.

But this describes to me the "sell $1 for $.90" strategy, not the other way around. IOW I think it's an argument for why selling cheaply is often not a good idea.

And wrt the parts of your grandparent's comment you quoted, it's not really accurate to call it "growing your customer base" when you're growing it via giving away unreasonably cheap services. It is often the case that the majority of customers acquired in such a way won't stick around when prices are later increased to a realistic level.

This is why in general I advocate for businesses to price well, not cheaply, and to try to get real growth - that is, people willing to pay the money your services are actually worth. There are times where "acquire new customers at all costs, even by giving unrealistically good bargains" is the optimal strategy, but I think it should be something done 10% of the time rather than the 95% of the time it's done in our industry.

Nowadays HN is far different from its roots of being a founder hangout. By far the biggest audience are tech workers who don’t have or even want entrepreneurship experience.

"roots as a founder hangout"?? The roots of HN are techies, geeks and nerds trying to crack the entrepreneur code, not "growth hackers" and entrepreneurs already in the VC ecosystem.

It’s bizarre that one person said it and you’ve extrapolated that into the majority

I suppose the charitable take is to infer that they have other data points to support that conclusion, they just didn’t feel it was necessary to make that explicit.

What do VCs have to do with it? Cloudflare has been publicly traded for over two years; one of the basic success metrics for a public company is whether it turns a profit (or is capable of one, absent an overarching R&D investment scheme like Amazon's).

I truly don't understand what holding a share in a non-dividend company really gives you. Yes, it has perceived value and that company may not be profitable, but shouldn't the end game be to provide some sort of dividend to people who own part of the company?

I see the value in it as a speculative asset: if you think that the company will pay significant dividends in the future (or you expect that others will value it in the future for that or other reasons), then it makes sense as an investment.

That being said, I think there's a healthy ratio between speculative and dividend-yielding investments, and the market (especially the tech market) is nowhere near that healthy ratio.

Companies these days increase shareholder value by doing stock buybacks with their spare cash instead of giving dividends.

The capacity for the company to pay a hypothetical dividend increases as the company generates more free cash flow. So that increases the value.

You are hitting on a correct notion here though, which is that if the market totally went away - ie you held your shares but couldn't sell or buy - and you're an investor who owns .0001% of a megacorp and >50% of the shareholders won't vote to issue a dividend, then the security is worthless to you. Similarly, if the market does still exist but for whatever reason the company is "unfairly" valued extremely low by the market, then having dividends gives you an "anchor" to hold on to - at least your asset is giving you a 1% or a 3% or a [insert dividend yield here]% dividend while you wait for the market to value it fairly again - whereas without the dividend you've got nothing.

End game, sure, but who's to say a given company is anywhere near their endgame. Outside observers only have outside observations and aren't privy to internally planning.

When the stock price goes up, you make money. Dividends are one way of getting value out of a stock but not the only way of course.

I really think this is what Gabe did with Valve. To this day they are a privately owned company. It may not be the best place to work, but I do know they get paid well.

I still think it's a fair question. Not every company bleeding money on purpose is going to be able to transition into making money. There's a fair amount of risk in assuming everything will be fine later when you start charging realistic prices for your product/service.

Don't some people take VC as a way to get a sudden large influx of cash to the founders? That is, if my company is profitable and making okay money, but not enough for me to afford some nice toys now, don't some people take VC so they give up equity now for money now, knowing that the money may turn out to have a 100,000% interest rate?

I think VCs will be disappointed or worse if they learn this was the main plan.

(Of course FU money is another thing, and something many VCs approve of. Edit: since it seems to me this is a rather uncommon term these days, it refers to giving the founder the initial investment and then a healthy amount extra in payout so their decisions won't be clouded anymore by the fact that they want "their" money back. At least that is the theory.)

Oh, sorry. I didn't mean as an exit plan. I was thinking of the FU money concept. I think there's a similar benefit (from the VC's POV) to a bit of lifestyle inflation and the ability for the founders to have enough cash to use cash to solve personal problems instead of spending their time.

I'm thinking "toys" was a bad word. I'm thinking getting a reliable Tesla as a means of personal transportation, not a yacht.

This is called "taking some off the table" and there is a place for it, but it is usually a small part of a bigger push to get the company to rocketing growth.

But, Cloudflare is a public company now. Not that it matters much except I don't see why "vc money" talk is even relevant in this case. I hope they're executing on a different playbook these days.

Genuinely don't understand what exactly people think you take money for. If it's debt and you don't spend it, you're better off paying off the loan. If it's equity and you don't spend it, you're better off keeping the company. What else do you take money for except to spend it?

This isn't even an entrepreneur/VC/tech thing. You can get there from first principles without intelligence.

Obviously there's a subtlety to it wrt timing etc., but the point of the money is to use the money for some thing.

Last quarter Cloudflare broke even and is now projecting profits going forward. Funny how that works.

Operating Income (Loss): GAAP loss from operations was $41.1 million, or 21.2% of total revenue, compared to $24.7 million, or 19.6% of total revenue, in the fourth quarter of 2020.

A net loss of 21% of revenue is hardly breaking even.

Revenue in Q4 rose 54%, year over year, to $193.6 million, yielding an EPS of $0.00.


We were profitable the last two quarters and cash flow positive the last quarter.

Tip to anyone reading this, even if you think you're going to be a software developer the rest of your life, take an accounting course.

Cloudflare is MITM As A Service (I say that as a user). I don’t think they will run out of money any time soon.

Fourth quarter of 2021 they had positive free cash flow. In other words, they're not really bleeding money any more.

I would like to thank VCs for subsidizing our web hosting!

VCs? It IPO'd, they're stockholders.

I would like to thank stockholders for subsidizing our VCs!

Very happy with Cloudflare and honestly if they double their bill I'll just pay double, because it performs admirably imho.

They certainly can, at most they just use their richly valued stock to raise some more money. Most of the GAAP loss is stock based compensation anyway, not directly spending money.

You know Amazon wasn't profitable as well right? These things take more time than people would like to admit. The whole point of investing is finding those gems you believe in. Cloudflare is one of mine. The physical infrastructure they have in place, their network expertise and their consistent ability to try new things make me think they will either be bought or move to be an extremely profitable company in the future.

> possibly interest-rate-increasing world


And almost $2B of cash on hand.

CloudFlare works so well for so many use cases it's hard to justify not using it. I previously used it to get to my internal home network using the standard product and IP range whitelists (plus some additional secrets).

I currently have it running on top of some ancient legacy appengine apps to clean up domains/URLs, add a caching layer and keep my costs at basically zero overall (workers doing a little bit of work as well).

I'm tempted to ditch Google's legacy free workspace product using the email forwarding as well.

It's like Twilio: there just isn't anyone near from a competitor perspective. As long as they keep improving, they are so far ahead it's their game to lose.

And just to clarify: I do everything on the free tier.

I'm tempted to ditch Google's legacy free workspace product using the email forwarding as well.

Go on then: https://blog.cloudflare.com/migrating-to-cloudflare-email-ro...

I did exactly this literally last week with the combination Cloudflare Email Forwarding to receive emails and Amazon SES as an SMTP relay to send emails (from any address) on my domains. Works exceptionally well and moving away from my legacy G Suite has been seamless, and one less account to login to.

One feature I would love for Cloudflare to add is the ability to Reject emails to specific addresses. Drop works as an alternative because it doesn't deliver the email, but still validates that the address exists. Having Reject as an option will tell the sender that this address is invalid.

Any solution for sending email? Just forwarding mail is not remotely the same thing; there's a million ways to do that.

After reviewing all my options I think I’m personally going to set up Amazon SES as the SMTP sender for my personal email when I move off Gmail. Use a Hetzner dedicated server for receiving email, along with a Raspberry Pi/home lab server in my house over fiber (failover between them).

Deliverability concerns have me scared to use anything that’s not a proven strong success for outgoing mail and SES seems very affordable for sent emails, especially if it’s not receiving them.

Use us @ https://PretzelBox.cc! It’s built on top of AWS SES. You get an inbox for your domain so emails sent to any email address you give out sit in a bucket inside your PretzelBox.

Plus we have a few extra features like blogging from your inbox (like Hey World) and a cdn to host and share images and files.

Hi Sai,

This looks awesome! Thank you so much for building it and for reaching out here. Very glad I found it.

The biggest feature I “need” is to be able to send emails from any address on my domain even though I only want one login / one inbox. I’d like any wildcard addresses to go to that inbox as well:

So my intended workflow is:

1) Sign up at www.vendor1.com using vendor1@mydomain.com (even if this address is not already registered on my incoming mailserver)

2) Any emails sent to *@mydomain.com should just go to my single unified inbox.

3) When I send an email I’d like to be able to specify to send from runnerup@mydomain.com or vendor1@mydomain.com (or anything else for that matter). Re: Replies would ideally automatically have the sending email filled in as whatever email was used to reach me in the previous email that I’m replying to. I’d like this to be accomplished without the typical use of reply-to or alias, so that the email headers looked perfectly normal for all outgoing emails as if it were a real account.

Curious how much of this functionality your service could support. I was planning to build it all myself so I’d still be happy to build it on top of your service, as long as wildcard sending and receiving could be supported.

Finally, purely out of curiosity (it doesn’t affect my decision), what are your plans for monetizing the free users?

Also some other notes (while reiterating that I like the idea of your service and like that you reached out to me here):

- I can see one of your testimonials is from a technical woman who runs a blog at ——-@moogle.com which is also the domain linked in your HN profile. The testimonial came across as “I had my friends try this and this really was their genuine response but we ‘marketing-ized’ her response” and then seeing the same domain on your profile confirmed the initial reaction. That’s fine but eventually getting some testimonial from someone with gravitas, or just stating “our customers like x, y, z” might make it feel more genuine. The testimonial from “ Sandhya K Assistant Professor, Economics @ MDAE” worked super well, and almost could have been even higher on the splash page because it was the first thing my brain said “ah okay cool I’m starting to see exactly what this product they’re selling is, and it’s potentially right for me”

- I’d love a little animation or additional explanation about how the buckets work. Do they need to be set up ahead of time, does each ‘bucket’ count as an “account” for billing tier purposes, etc

- Pricing page isn’t immediately clear about what paying $30/mo actually gets you. Having the features side by side with similar open bullets vs filled-in bullets to signify “this is included, this is omitted” helps instantly figure out what the end user value prop is. This info could also be on the landing page. I get suspicious of “click here for pricing” because I worry it will make me email someone and there won't be publicly posted prices. Something about the button style for pricing on the main page implies “contact us for pricing info”.

- I see now on the Notion blog the following verbiage [0]. I’m not sure if my use case above is truly your target user story, but had I seen this blurb at the beginning of the main page I’d already be signed up before typing all this! It’s the perfect summary, at least for my user story.

0: > With PretzelBox, they can hand out as many email addresses as they want without provisioning them upfront, at no extra charge, to different audiences.

> E.g., their affiliates can use *affiliates@my-business.com* while inbound sales enquiries can be handled by *sales@my-business.com.*

> The best part is that all these emails received by these different email accounts are automatically forwarded to the email account used to sign up for PretzelBox, so while vendors and customers alike think they are communicating with a company with different departments to manage different facets of their business, behind the scenes there is a far smaller team managing the show.

Thank you for the detailed response and questions!

Yes, it’s possible to send emails from whichever email you received an email on. E.g., if you receive an email at vendor@my-domain.com, you can reply from vendor@my-domain.com or optionally runnerup@my-domain.com. Of course, AWS SES manages sending reputation very carefully so email sending might involve some paperwork.

Yes, one of the testimonials is from a moogle user... and it does seem very “you-scratch-my-back-I’ll-scratch-yours”-ish, but here’s the backstory. While I was ideating PretzelBox, moogle was the brand name under which I launched the blogging piece of PretzelBox.

I’ll look into your other suggestions and explain/highlight them more on the home page if possible.

I’d love to have you as a user given that we probably match 80% of your stated needs. I’m available at Sai @ PretzelBox.cc if you want to follow up.

I use SES for sending + a forwarding service for receiving and the combination works well. Usually my SES bill is a few cents and AWS just waives the bill.

So that's why I never get a bill from AWS. I use SES for sending from my otherwise selfhosted mailbox and I've never received a bill.

Yeah for normal outbound email volumes SES is probably the way to go.

BTW if you don't go with PretzelBox consider the following for running mail:





I personally use maddy and it's awesome

Stay tuned. MailChannels will be announcing a free email sending option for Cloudflare Workers customers shortly. I will post it up on HN.

Not at the moment.

Just echoing the comment above. Cloudflare email forwarding would perfectly replace the free google apps that is being eliminated if it would allow sending emails as well. Even if it was heavily throttled / limited so people don't use it for transactional emails.

Try us @ https://PretzelBox.cc. It's an inbox for your domain built on top of AWS SES to send and receive emails.

Doesn’t something like Send Grid or Mailjet work?

smtp2go. I have delivery issues with Google's own services.

Top tip: if you want to try using iCloud Mail now that they support bringing your own domain, you may find yourself stuck when you realise they only support a few addresses per domain.

CloudFlare will forward all mail, so if you used to use your domain for catch-all (to see who passed your address along to spammers) this can let you keep those addresses working, which I realised I probably should if I wanted to be able to do password resets.

Totally agree. I love Cloudflare. I recommend it even for small businesses. It's easy to use and scales beautifully.

The article says:

> My issue arose when I realized that they remove your SSL certificate, then use their own. Cloudflare is a big MITM service.

All you have to do is change one setting in the DNS record (from Proxied to DNS Only) and you totally bypass the Cloudflare reverse proxy for that resource. So you can use your own SSL cert (if that's your thing). And you can still use Cloudflare access/zero trust with that resource. And solid and free DNS service. And cheap domain renewals.

Cloudflare is a great set of tools for many use cases.

Yeah, but using DNS only requires me to open a port, which is what I can't do.

I quite like being able to firewall to their IP ranges and then use client certificate auth as well. Yes it’s almost certainly overkill but it means I can be certain that all my traffic is coming via Cloudflare which gives some additional comfort.

I'm not sure if I understand your use-case, but if you want to forward emails from a whole domain to your (private) address there is https://improvmx.com/

You are more than welcome to use our free products. That's what they are there for!

Whoa! One of the few CTOs that you can randomly run into on the internet, but still I have nothing to ask or tell about their service. Thank you for what you’re doing!

You're welcome!

Finally, a random HN Cloudflare thread!

How am I supposed to reach out to Cloudflare support?

If I start at cloudflare.com, and click "Support", "Contact Support", that takes me to the Cloudflare Dashboard. In the upper corner, there is "Help Center" and "Cloudflare Community". In the bottom, "Contact support". "Contact support" and "Help Center" both lead to the same page: https://support.cloudflare.com/hc/en-us ; that page has a giant "Submit a request" button on it. Clicking that takes me … back to the dashboard. I suppose there is the community, but the UI seems to imply there is a "file ticket" thing, but the UI seems broken.

Also, your RDAP implementation — is the API (not just the web UI) to it something people are free to use? Additionally, it's not quite RDAP; it doesn't conform to the RDAP RFC (RFC 9083) in the eventAction string used for expiration dates. (It calls the eventAction "Expiration Date"; the RFC calls it "expiration". Parsers are picky.)
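The eventAction mismatch raised above is exactly the kind of thing a strict RDAP consumer trips over. As an added example (not Cloudflare's code or anyone's real RDAP client), here is a tolerant parser for the "events" array that keys on the RFC 9083 action names, maps assumed vendor spellings such as "Expiration Date" onto them while reporting them as non-conformant, and derives the days-to-expiry figure a monitoring job would want; the sample response is constructed.

```python
"""Tolerant parser for the "events" array of an RDAP domain response.

Added example, not Cloudflare's code. The sample response is constructed.
"""
import json
from datetime import datetime, timezone

# eventAction values defined in RFC 9083 section 4.5.
RFC9083_EVENT_ACTIONS = {
    "registration", "reregistration", "last changed", "expiration",
    "deletion", "reinstantiation", "transfer", "locked", "unlocked",
    "last update of RDAP database",
}

# Assumed vendor spellings mapped to the RFC names (this table is an
# assumption for the example; extend it as you meet other servers).
ACTION_ALIASES = {
    "expiration date": "expiration",
    "registration date": "registration",
    "last changed date": "last changed",
    "last updated": "last changed",
}

# Constructed sample: one conformant event and one with a non-RFC spelling.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.com",
    "events": [
        {"eventAction": "registration", "eventDate": "2020-03-01T00:00:00Z"},
        {"eventAction": "Expiration Date", "eventDate": "2023-03-01T00:00:00Z"},
    ],
})


def normalize_action(raw):
    """Map one eventAction string to its RFC 9083 name.

    Returns (canonical_name, conformant). Unknown strings are passed through
    lower-cased with conformant=False so the caller can still key on them."""
    key = " ".join(raw.split()).lower()
    if key in RFC9083_EVENT_ACTIONS:
        return key, True
    return ACTION_ALIASES.get(key, key), False


def parse_events(rdap_json):
    """Return ({action: aware UTC datetime}, [non-conformant raw actions])."""
    doc = json.loads(rdap_json) if isinstance(rdap_json, str) else rdap_json
    events, problems = {}, []
    for ev in doc.get("events", []):
        action, ok = normalize_action(ev.get("eventAction", ""))
        if not ok:
            problems.append(ev.get("eventAction"))
        # fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
        when = datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
        events[action] = when.astimezone(timezone.utc)
    return events, problems


def days_until_expiry(events, today_iso):
    """Days from today_iso (e.g. "2023-02-01") to the expiration event,
    or None if the response carried no recognisable expiration event."""
    exp = events.get("expiration")
    if exp is None:
        return None
    today = datetime.fromisoformat(today_iso).replace(tzinfo=timezone.utc)
    return (exp - today).days


if __name__ == "__main__":
    ev, bad = parse_events(SAMPLE_RDAP)
    print("expires in", days_until_expiry(ev, "2023-02-01"), "days;",
          "non-RFC actions:", bad)
```

The `problems` list is what you would log or alert on: it tells you which registrar is drifting from the RFC without making your expiry monitoring silently miss the date.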

Seems like a UI bug, yeah. After you get back to the dashboard, if you click "support" again, you go to a different page, where you can actually contact support.

For me, it ended up on this URL:


Basically, append /support to your dashboard URL.

Are you logged into your account?


HN is just that one unique place where you could run into high profile persons in random threads. Pretty amazing community.

Are you John Graham-Cumming? If so, hello and thank you for POPfile! Didn't know you worked at CF. :- )

I am. And yes, I did create POPFile (https://getpopfile.org/). And yes, I do work for Cloudflare, been there a while... https://blog.jgc.org/2012/02/programmer.html

Curious: How does Cloudflare pay for the email routing network bandwidth + hosting charges it incurs for its free services? I ask because it seems Google ran this for a decade and then found out that it is time to charge for it.

This is the most common misconception about our business. Bandwidth, when you're small. But the scale economics in bandwidth are unlike almost anything else. As you get more and more bandwidth, the cost per bit drops until, in most places, it will go to zero. If you know those dynamics are present in a market, you can forward price knowing that you'll get to those scale advantages. Today, servicing a new free customer is virtually costless to us. So, to this college-bound customer and others, welcome.

We have a lot of bandwidth for our CDN and DDoS services.

One of the hosting providers should just give this kid a $5/mo VPS in perpetuity. Call it a marketing spend. His heart is totally in the right place - I really respect the thought he's put into his options, and contemplating the downsides of modern day options. The threat model he's worried about is quite real, and I don't think we really know how bad things can get when so much data is accumulated in one place.

That said, I hope he doesn't give up the search for an alternative method, even if it's stashing a box in a hidden part of the library.

There already are tons of options for free VMs. I have 4 Oracle Cloud instances with 4 cores, 24 GB RAM and 200 GB of disk total for this exact same use case. I suppose the author prematurely assumed all VPSs are costly or does not want to set up the networking themselves.

I did a google search for "free tier vps" and sure enough, it does seem like the standard is roughly $300 in credit (AWS seems to do it differently). Which is enough for a small vps-like-thing for 5 years, or 4 large instances for a few weeks.

GCP's $300 credit is in addition to letting you run one free e2-micro instance indefinitely:


"Free Tier: All Google Cloud customers can use select Google Cloud products—like Compute Engine, Cloud Storage, and BigQuery—free of charge, within specified monthly usage limits. When you stay within the Free Tier limits, these resources are not charged against your Free Trial credits or to your Cloud Billing account's payment method after your trial ends."

I actually use the GCP free tier to run a few small things, it works really well for me!

There is a small catch though: getting a static IP for the instance is not free, and your egress traffic starts costing after you reach 1GB of outgoing data use in a month's time.

The cool thing is (afaict), getting a static IP and going over 1GB egress doesn't totally knock you out of the free tier, you just pay for the static IP and any data usage past 1GB. My setup ends up costing me under a dollar per month with a static IP and very light egress usage.

The performance of the machine is not great, but it's also not terrible considering the cost. I'm pretty sure you could run a small website and some other services on it no problem.

The credit for AWS expires after 1 year. Azure credits expire in 90 days. GCP's expire after 30. Whether all used or unused.

At least Oracle and GCP have always free instances, that never expire.

Actually WTF, the Oracle always free tier seems ludicrous. I have just moved a couple of my personal projects from DO to Fly because of their amazing free tier, but Oracle's is in a completely different dimension.

Be warned that they disable free accounts at random, and support will not respond to you. There's many threads in the subreddit about this, and it also happened to me personally.

The catch is they're Arm servers, so you'll have to check if that's a match for whatever you want to run.

I have the same reaction. 4 vCPU + 24GB for free, WTF? I wonder what that's costing them.

Plus 10TB of outbound bandwidth.

That's my favorite part of Oracle's always free tier[1], in comparison to other offerings.

[1] https://docs.oracle.com/en-us/iaas/Content/FreeTier/freetier...

Yep, I switched and got a buddy over to them as well. As far as what it's costing them, cloud hosting is a high margin business and it gets them on the map I suppose. I'm hesitant to do actual business with Oracle, but if they provide competent commodity cloud hosting for cheaper than the other guys, why not?

What!! Always free? I'll check it out.

Any performance benchmarks?

you can find cheap deals on LowEndBox (not affiliated)


The thing about the threat model is that in the worst case, DDOS protection is about power -- specifically, infrastructural power. It runs in contradiction to decentralization efforts.

Well, maybe it should be easier to signal every middlebox that just delivered a nasty segment that you hated that segment and want the sender to never contact you again. It should be a disallowed route, with a reasonable decay. Eventually they will exhaust all possible routes to you, up to the boundary of the middleboxes they can get to disregard your request.

My understanding is that this would require a change to TCP/IP itself, and NATs make this system probably unworkable in IPv4. But it would result in a truly distributed DDoS protection. This also brings to mind the nightmare scenario of exponentially larger parts of the IPv6 space hoovered up to satisfy the needs of spammers. Imagine burning 1 IP address per message!

This is the first time I've heard this idea and I love it. There should absolutely be a standard for this.

EDIT: Ok, I thought about this a bit... would it actually work? Would the packets just find another path, and actually end up using more network resources as they traverse successively longer routes?

There's a trust issue, too: how far up the chain do you propagate the signal "suspected abuse from this host"? How hard would it be to abuse this system to censor people you don't like?

>would it actually work?

I don't have a mathematical proof, just an intuition about how the graph (nodes are routers, links are routes) would change in time. Yes, the packets might find another path, at least at first, but each time the recipient signals rejection every intermediate goes dark. Eventually, the sender will be surrounded, at some radius, by dark nodes. The best case is if the bad sender is rejected very quickly.

>how far up the chain

All the way, as close to 100% as possible. I would want this to be part of the TLS-encrypted socket such that either side of the socket can signal unhappiness with the counterparty, and have that be respected. This should be difficult to spoof, so you'd have to pick a way to signal it within the TLS stream, and do packet inspection at the middleboxes. (I never said it would be an easy solution!)
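The intuition above (intermediates going dark until the sender is surrounded) and the earlier question of whether packets just find successively longer routes can both be checked on a toy topology. This is an added simulation, not a protocol anyone has built or any commenter's code: routers are graph nodes, each round the sender takes the shortest open route, the victim rejects it, and every intermediate on that route refuses the sender's traffic, either permanently or for a `decay` number of rounds; the mesh is constructed. It does not model the spoofing or trust concerns raised in the thread.

```python
"""Toy simulation of 'reject and darken the route' DDoS signalling.

Added example; constructed topology; not a real protocol.
"""
from collections import deque

# Constructed sample mesh (undirected links) with several disjoint routes
# between the sender "S" and the victim "V".
SAMPLE_LINKS = [
    ("S", "a"), ("S", "b"), ("S", "c"),
    ("a", "d"), ("b", "d"), ("b", "e"), ("c", "e"), ("c", "f"),
    ("d", "V"), ("e", "V"), ("f", "g"), ("g", "V"),
    ("a", "e"), ("f", "e"),
]


def build_graph(links):
    """Adjacency sets from an undirected link list."""
    graph = {}
    for u, v in links:
        graph.setdefault(u, set()).add(v)
        graph.setdefault(v, set()).add(u)
    return graph


def shortest_path(graph, src, dst, blocked):
    """BFS shortest path from src to dst that avoids blocked nodes.

    Neighbours are visited in sorted order so results are deterministic.
    Returns the node list, or None when no open route exists."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nb in sorted(graph[node]):
            if nb in prev or nb in blocked:
                continue
            prev[nb] = node
            queue.append(nb)
    return None


def simulate_rejection(links, sender, victim, decay=None, max_rounds=50):
    """Run the reject-and-darken loop.

    Each round the sender uses the shortest open route; the victim rejects
    it and every intermediate on that route goes dark for this sender, for
    `decay` rounds or permanently when decay is None.
    Returns (hops_per_round, cutoff_round); cutoff_round is None when the
    sender still has a route after max_rounds."""
    graph = build_graph(links)
    dark = {}  # node -> round number at which it opens again
    hops = []
    for rnd in range(max_rounds):
        blocked = {n for n, until in dark.items() if until > rnd}
        path = shortest_path(graph, sender, victim, blocked)
        if path is None:
            return hops, rnd
        hops.append(len(path) - 1)
        for n in path[1:-1]:  # intermediates only; endpoints never darken
            dark[n] = float("inf") if decay is None else rnd + decay
    return hops, None


if __name__ == "__main__":
    print("permanent:", simulate_rejection(SAMPLE_LINKS, "S", "V"))
    print("decay=2:  ", simulate_rejection(SAMPLE_LINKS, "S", "V", decay=2))
```

On this mesh the permanent variant cuts the sender off in three rounds while the route length grows from 3 to 4 hops, whereas a two-round decay lets the darkened nodes reopen fast enough that the sender cycles between routes indefinitely.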

Keyword here being "nasty". You'd need some sort of trust metric to identify malicious clients. This becomes harder with botnets that lay dormant on regular users' systems.

>Unfortunately, I doubt the tech department at the university would appreciate or allow me to poke holes in their firewall to forward 443 and 80 to my server. So how on earth am I planning on keeping my server up during this time?

When I was in college (2000-2006) you could fill out a form to request to run a server. I'm not sure how common that is today, but it's at least worth asking about.

Back in the mid 90's, everyone on my college residential network had static, public IPs, no firewalls or filtering. Different times.

The difference in different institutions of higher learning is huge.

Some have entire IPv4 subnets. Others have a grand total of three public IP addresses to distribute across every user on the campus.

Yep - my alma mater, a technical school, has a /16.

Back in the late 90's, my roommate took down a neighboring university's network for a few hours over a dispute on a bulletin board. He was a TA for the engineering department and simply walked into the library, told the person behind the counter he was a TA and needed two professors' email and password credentials. He then used those credentials to hack into the neighboring university's network (not very hard either - apparently a simple dictionary attack got him in as a root user) and start wreaking havoc under these professors' names.

Yes, for sure different times. Still laugh about how easy it was for him to get credentials which gave him a sort of 'super user' privileges on our own network just by having professor credentials.

We had similar things happen around here, with "elite" BBS users hacking into the local college and university CS departments to get internet access. Mostly, they just wanted to get on IRC. Typically these were Sun-3 / SunOS 4.x boxes using YP/NIS. "ypcat passwd" would get you an unshadowed password file that you could start cracking...

This was still essentially the case at my university ~3 years ago (and likely still is). There was a firewall by default, but it was a simple form to fill out to have it disabled.

True in the early '00s as well, and this is why I burned a CD with the XP service pack on it; Code Red would infect a fresh install of XP faster than you could download the update to patch the problem...

Oh man. Service Pack 2. Now that's a name I've not heard in a long time.

This was true at my university, in the late aughts. Public IPv4 and IPv6 addresses.

… 15+ years later, and my ISP (Verizon) still hasn't caught up…

True in the early 00's as well.

Usually resulting in a Windows computer being pwned before patches could even be applied: https://it.slashdot.org/story/04/08/17/1347214/survival-time...

Note: The graph url is dead.

Yes, I remember this well.

I put an unpatched Windows 2000 machine on the network, and the system logs were littered with intrusion attempts—more than 500—after being online for a few minutes.

In Sweden we don't really have the same kind of housing system you (I'm guessing US) have, but when I stayed in student housing we were hooked up directly with 1Gbit fibre to SUNET and got our own WAN IP that we could opt in (automated system, just go to a certain URL and click a button from the connection) to have all ports un-firewalled.

This was in 2014, but afaik it's been like that for the better part of the 2000s at the very least, likely the late 90s as well, though probably not gigabit at that point.

Still the case today (at least at Chalmers)

My alma mater just gave each of our machines WAN IPs and the rest was up to us :) (this is recent, too. I graduated in May of '21) We could more or less host whatever, provided we followed the AUP. No need to file a request.

At my college (Rochester Institute of Technology), every device on ethernet and wifi gets assigned a public IP address from the /16 they own, with no firewall. I host my server in a club's server room. No cost or setup besides registering the MAC address, just a public IP address.

Hey, that's where I went! Guess they've continued not cracking down on unregistered servers.

This should really be at the top of the thread. It’s unclear to me if the student is making assumptions or knows about their new network. Many universities freely give out unencumbered public IPs, and/or may have VMs available for no additional cost to the student.

Awesome to see a pre-university student reading blogs on sourcehut, writing up CTF solutions, self-hosting Gitea, and especially, thinking and caring deeply about a decentralized internet! Keep up the great work in Pittsburgh and beyond, we are rooting for you.

I think one of the misconceptions is about how cloudflare works.

Their networking/routing is based on cheap routing your stuff in the free tier ( eg. Assets).

This is done at the cheapest location/datacenter for cloudflare depending on usage/capacity in nearby datacenters. Performance/nearby for paying customers, cheap routing for free tiers. This helps bring usage to their underused datacenters too.

If you want to bring your own certificate, you aren't letting cloudflare decide on how to route the files and are using a direct line, circumventing costs reductions they implemented.

Because of that, I think they require you to be on the business tier if you want to use your own certificate. Additionally, this requirement is almost solely for professional clients too.

Can someone from cloudflare correct me if I'm wrong? It's just my 2 cents.

Note: cheap doesn't mean slow. It mostly means that you won't be routed to a datacenter that is almost at capacity.

> If you want to bring your own certificate, you aren't letting cloudflare decide on how to route the files and are using a direct line, circumventing costs reductions they implemented.

I'm not sure there's any technical reason for this feature being on the paid tier. Domains on the free tier have their own SSL certificates too -- they're just certificates which Cloudflare issued internally, rather than ones provided by the customer.

Those SSL certificates are issued by cloudflare.

The route from cloudflare to the server is without ssl. So I think that makes it possible for cloudflare to cache things on the same domain, but different locations.

Since I don't think they can cache things when you use your own SSL certificate.

> The route from cloudflare to the server is without ssl.

That's a user preference, but the most common configuration uses SSL on the back-end (Cloudflare to server) connection.

> Since i don't think they can cache things when you use your own SSL certificate.

I don't see any reason why that would be the case.

Since cloudflare doesn't have the private key in this case.

Under most configurations, Cloudflare does have the private key. They act as an HTTP proxy, not a TLS proxy.

Cloudflare does support a "keyless SSL" mode [1] for enterprise customers, but this only applies to the certificate private key -- the session key for each TLS session is still under Cloudflare's control, so they still have access to the contents of the HTTPS session.

[1]: https://www.cloudflare.com/ssl/keyless-ssl/

Generally when you bring your own TLS cert to a CDN, you upload the private key to them. Then, they copy that into their infrastructure and you gain the benefits of the CDN.

If you’re not going to do that, there is no benefit to using a CDN. Just send all the traffic to your origin and run your own reverse proxy there.

> If you’re not going to do that, there is no benefit to using a CDN. Just send all the traffic to your origin and run your own reverse proxy there.

You still get DoS protection.

How to corner a market and exploit it:

- Provide a free or very cheap service without lock-in antipatterns

- Capture a large share of the market

- Create lock-in

- Extract money by charging fees or doing surveillance or leveraging market power

It's amazing how the tech crowd falls for the same tricks decade after decade after decade.

Likewise, the paid versions of Automattic, SquareSpace and co. are not cheaper than your own site with a small web host! At which point you don't have to worry about random changes of policy and interface at half a dozen services, you have email, file hosting, and a homepage in one simple service.

It seems like the OP could SSH or FTP into a server at his parents' house from campus.

What lock-in are you referring to here?

Cloudflare is not at that stage yet, but for a global Internet MiTM there are a hundred different ways to lock users in.

oracle cloud free tier gives you two small instances with public ips

it’s not limited to 1 year like aws, they say it will be free forever

A lot of us don't trust them. They want credit cards and justifications and an approval process that seems like it is one of their con-fusion Enterprise apps. It's a hit or a miss especially if you want a machine in a geography that's not in the same region as your CC.

They don’t ask you for credit card details for their Free Tier version. I know because I’ve had that for over a year now.

In fact, their free tier is designed such that you only use free services. If you want to use their paid tier, you need to explicitly upgrade. I like that because that means I’ll never run into any unexpected charges.

I had to give a CC even for the free tier. Not sure if it was some dark pattern that I could have skipped and gone on to the next step. I filled everything in, nothing really came out of it other than an email or so, but account details never turned up.

Let me check once again.

Ah yes, Oracle is definitely the kind of company that will honor a promise like that. /s

Also up to 4 ARM instances, with 4 cores and 24GB(!) of RAM to split between them.

Damn, this sounds too good to be true.

I'm already abusing (not really of course, I'm within limits) my Heroku free tier, and I had something running on Openshift until they removed the free tier.

It is true, I've been using them for one and a half years now and only one time I got an email that my instance had a few minutes of downtime due to an HW failure.

I'll have to check it out. Thanks!

"Small" is relative; you've got credits that allow you to have 4 cores and 24GB mem if you don't mind running on ARM.

You also need to meet with Larry in a dark alley and sign over your soul in perpetuity, but other than that it's a great service.

Edit: To the downvoters, have you ever been through an Oracle audit? I can tell you it's "bend you over and thoroughly check out your insides" invasive enough that I will literally never again willingly work with such a company.

Honestly, I'm just looking for something I can run Wireguard on to proxy my traffic. It doesn't matter if it's ARM or not, what really matters is the public IP (IPv6 would be super cool) and lots of bandwidth.

You can buy ip tunnel services like this: https://freerangecloud.com/products.php

Hetzner. I have a similar setup for 2.5 euro per month. I don't think they offer it anymore. Now it's about 3.50.

Wow, just last weekend I finally put my pet projects behind Cloudflare (they are hosted at my house). Really the only thing nagging me now is that the port is still technically open, and will respond to anyone who uses it. Yes, the IP is now hidden thanks to Cloudflare, but security through obscurity and all that.

I was going to try to whitelist Cloudflare IPs, but that seems like a rather large list that can change at any time. This tunnel thing seems perfect. Is it as simple as running some daemon on my home network and then closing the ports?

Seems to be quite stable and well-documented: https://www.cloudflare.com/ips/

Edit: but yes, the tunnel ‘thing’ is exactly that! So would be even better.

> Unfortunately, I doubt the tech department at the university would appreciate or allow me to poke holes in their firewall to forward 443 and 80 to my server.

I mean, did you ask? Tech people work there, too, and in my experience they love working on this sort of cool stuff.

Doesn't hurt to ask.

Cloudflare employee here. When I graduated from college I left a publicly exposed box (in those days we had a flat, campus-wide /16 with no NAT'ing) server running in the basement of a dorm. I think they finally removed it and the DNS A record a year and a half later :)

When I worked for a university around 1999-2000, they assigned all computers public IP addresses and would not let me install DHCP to allocate the ones for my group. How things have changed.

In a similar situation, I run a number of services I use intermittently on my home server. I debated bringing it to college, but decided to leave it at home. I can always SSH in, and should something happen that I need to be present for, I can text my family (though that hasn't happened yet). My main concern is always rebooting after I update, but I keep everything similar between my laptop and my server so I know what might break ahead of time.

Highly suggest looking into setting up Tinypilot if that is the case [1]. It transforms your Raspberry Pi into a browser-based KVM, which then plugs directly into your bare-metal server, giving you a virtual console during BIOS and boot.

[1] https://github.com/tiny-pilot/tinypilot

> I guess I also wanna say that I'm sorry Cloudflare. I realize that I'm not the target market. I am literally not giving Cloudflare any money. There is no reason they should support an esoteric and bizarre configuration that I do. But what they do, they do pretty well. So, thanks, I guess, for letting me (and probably lots of other people) run their websites and services from a NUC under their dorm's bunk bed.

No need to apologize. Happy to have you. Promise, we won't sell your data or do anything sleazy. Too easy to leave us if we did. And good luck in college!

PS - When you get a good paying job after college and they ask whether they should use Cloudflare or not, hope you'll tell them how well we treated you. That's how we get most of our multi-million dollar customers.

Looking at the 3 cited projects, I don't see anything that precludes Github Pages or similar. At first I thought they were dynamic SaaS services and wondered why he'd run those from his dorm. But as best I can tell they're not - they are landing pages and docs for open source projects (cool looking ones, btw.) Slap those up on a static site somewhere for free or really really cheap.

Glitch.com might be another option - static websites are always-on and free. If you do really need hosting, 8$/mo for 5 linux containers is a nice option. Personally that seems cheaper in the long run than running a bunch of stuff on your own hardware, network, power. Maybe even add a "buy me a coffee" badge or hit up your mailing lists for help covering hosting costs.

I might add a donate button but I doubt anyone will use it. As for static site hosting, I'm not only using static stuff. I have services like FreshRSS that won't run on a static site.

> There are many other services I am running (web-based IRC bouncer TheLounge, FreshRSS, and Keycloak, just to name a few) that won't be receptive to be run on Github Pages or whatever.

+1 for github pages. I've hosted a free static site on github for many years, and have been happy with it.

> As most of you don't know, I'm off to college soon (within a couple of months), and I'm planning on taking my server with me.

Here is the thing: you can just choose not to do that. Leave it where it is and manage it remotely.

Get a web power switch. With that, you can use its web UI to power cycle equipment.

I have a web switch that can be programmed to periodically ping equipment and power cycle certain outlets if that fails. One good target for that is your router. Routers sometimes screw up and stop routing; in that case you would have no way to get into the web power switch to manually reset anything.

Home is probably the better place for the server.

You think you have solved all the problems in advance with Cloudflare and whatnot but you have no idea. The campus network could block needed ports, or otherwise make trouble. Like, oh, accuse you of "hacking" or something. IT people in schools can be dickheads.

If you're in shared accommodations (dorm), people may have physical access to the server and tamper with it. Even just accidentally.

Plus there is the down-time of moving the server. Transportation risks.

If it's working nicely, just leave it.

I understand it's a kind of comfort blanket that your server is right there under your desk, but that's just an emotional thing you can let go.

> I'm on the free tier, so let's hope they don't upgrade me and drain my already-drained account

If you're in the US, privacy.com. Used it for years, never had an issue. Create a card, use it on whatever, then limit the card to a dollar or something. Or just pause it. Worst case, cloudflare tries to charge you 100$ and emails you when the card declines.

This, except: if you're graduating high school, there's a chance you don't have a credit history, which might result in getting banned from due to failed identity verification.

Source: my own recent experience in registering before/after obtaining a credit score. privacy.com won't confirm if this was the cause.

I have tried, but I'm not 18 yet, so I can't use privacy.com or set up donations through Liberapay.

How about the GitHub Student Developer Pack? https://education.github.com/pack

You get $100 in DigitalOcean credits. That's 20 months of hosting a VPS; plenty of time to figure out how to come up with $5 per month thereafter.

    I could reduce costs and run a minimal VM that acts as a WireGuard 
    VPN server and proxy TCP using fancy firewall rules or whatnot, 
    but that would also cost money.
I'm fairly skeptical this person can't afford ~60 $/year for a basic vps from Digitalocean to use as a public endpoint. Or maybe even less if they looked at some non-mainstream vps provider.

    This whole article was a rant about how I can't get anything good for free.
I know right? I always feel the same when I go buying groceries and surprise surprise, I have to pay before leaving. /s

On a more serious note... I'd like to tell this person that the fact they are already getting so much free stuff is the reason why they have to be and are so skeptical and cynical about MITM, security and privacy topics.

This is about what I was thinking, there's a bunch of decent hosting services that will give you a real low-end server for $5/month. Can anybody who is currently going to college in a first-world country not afford that? There's even a few services listed in this thread that can give you a real server for free, perhaps with a little more mucking around.

You can also set up a reverse proxy using FRP to an e2-micro for free on GCP and run everything there as well

For the number of times that Google has burnt people using their services, it would be a big nope for a lot of people.

I'm not sure how viable this would be since their free tier gives you 1GB of egress per month. Any overages are charged at $0.12/GB.

> I could reduce costs and run a minimal VM that acts as a WireGuard VPN server and proxy TCP using fancy firewall rules or whatnot, but that would also cost money.

I don't understand this disqualification. I've been a student, my monthly "income" at that time was probably about $800 before rent, which ate up about half. I don't see how $5 a month for a VPS is something that is unreasonable to assume you could afford, especially if you have a technical interest like this person clearly has.

> I'm about to graduate from a broke high-schooler to be a broke college student. I could reduce costs and run a minimal VM that acts as a WireGuard VPN server and proxy TCP using fancy firewall rules or whatnot, but that would also cost money.

Fellow student here. I love free tiers, but they can also be extremely frustrating. I actually prefer paying for reasonably priced services, that way you know what you're getting. For example I pay 2€/month for a 1vCPU/2GB Hetzner VPS with 20GB of storage, with 20TB of free egress (prices increased recently due to IPv4 shortage, they still charge me only 2€ however). That's about as much as a cup of coffee in CH, I can't recommend Hetzner enough. It could easily handle all traffic without Cloudflare. Having started to get a lot of spam through that domain, I'll take any protection that CF might be giving me. Also, setting up/maintaining Ubuntu from scratch has been extremely beneficial for me.

If you're limited by your location, there's nothing wrong with offloading to a VPS or running a reverse proxy. Considering you mentioned port 80/443, I imagine that a NGINX reverse proxy would be sufficient? It's basically your own mini-cloudflare proxy, only you're in control.
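The "minimal VM that acts as a WireGuard VPN server and proxies TCP with firewall rules" option quoted above, and the VPS-as-your-own-mini-Cloudflare idea in this comment, as one concrete setup. This is an added example, not configuration from the article or from any commenter; the tunnel addresses 10.66.0.1 (VPS) and 10.66.0.2 (home server), the VPS interface name eth0, and the key and address placeholders are assumptions.

```ini
# /etc/wireguard/wg0.conf on the public VPS (constructed example).
# Prerequisites: net.ipv4.ip_forward=1 via sysctl, and UDP 51820 reachable on
# the VPS. The VPS never terminates TLS; it only forwards TCP 80/443 packets.
[Interface]
Address = 10.66.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY_PLACEHOLDER>
# DNAT public 80/443 to the home peer. MASQUERADE rewrites the source to
# 10.66.0.1 so the home peer's replies come back through the tunnel instead
# of leaving via the campus default gateway, where the campus NAT would drop
# them as unknown connections. The cost: origin logs show 10.66.0.1 as client.
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.66.0.2
PostUp = iptables -t nat -A POSTROUTING -o wg0 -p tcp -m multiport --dports 80,443 -j MASQUERADE
# Forward only the two web ports, plus their return traffic; default-deny
# everything else so the VPS is a pinhole, not a general router.
PostUp = iptables -P FORWARD DROP
PostUp = iptables -A FORWARD -i eth0 -o wg0 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.66.0.2
PostDown = iptables -t nat -D POSTROUTING -o wg0 -p tcp -m multiport --dports 80,443 -j MASQUERADE
PostDown = iptables -D FORWARD -i eth0 -o wg0 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -P FORWARD ACCEPT

[Peer]
# The home server. Only its tunnel address is accepted from this key.
PublicKey = <HOME_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.66.0.2/32

# /etc/wireguard/wg0.conf on the home/dorm server (constructed example).
# No ListenPort: this side only dials out, so nothing has to be opened in
# the campus firewall.
[Interface]
Address = 10.66.0.2/24
PrivateKey = <HOME_PRIVATE_KEY_PLACEHOLDER>

[Peer]
PublicKey = <VPS_PUBLIC_KEY_PLACEHOLDER>
Endpoint = <VPS_PUBLIC_IP_PLACEHOLDER>:51820
# Route only tunnel traffic through wg0; the rest of the box is untouched.
# Because the VPS masquerades, every forwarded packet arrives from 10.66.0.1.
AllowedIPs = 10.66.0.1/32
# Keep the campus NAT mapping alive so the VPS can keep reaching us.
PersistentKeepalive = 25
```

After `wg-quick up wg0` on both ends, `wg show` should report a recent handshake and the web server at home should answer on the VPS's public address. If you need real client addresses in your logs, terminate on the VPS with a reverse proxy (the NGINX approach mentioned in this comment) instead of forwarding raw TCP.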

> I had used Cloudflare briefly before. My issue arose when I realized that they remove your SSL certificate, then use their own. Cloudflare is a big MITM service.

Why is this an issue? Any platform that serves requests on your behalf must be able to decrypt the request payload, I think any security expert would argue that having them use their own trusted certificate is much, much better than giving up the private key associated with your own certificate. Trust me, nobody (+/- 0.1%) checks the certificate when visiting your website... If they found a way to just forward on TCP packets, what useful service would they provide? A port-forwarding alternative? It's not so much a man-in-middle attack, you agree to a ToS and they provide a service. Ultimately, the DNS record is the authority on domain ownership, any server that is pointed to by the DNS record is authorised to represent that domain, and is sufficient to request a unique certificate from Let's Encrypt, for example.

> But I still don't like you.

Why not? I've been using Cloudflare for years, if only for the great DNS management panel. Of the "cloud" companies, they're my favourite. I believe Vercel use their infrastructure (they run their own datacentres), they're great to listen to on podcasts and have some interesting disruptive tech coming out, namely R2, which as a small filmmaker hobbyist, is truly a gamechanger for me. If their interests diverge from mine, I simply terminate my account and reassign the nameservers with my registrar. There's no lock-in.

>> Why not?

> I don't like the centralization of the internet. Routing everything through Cloudflare, using Amazon AWS, all of it (in my opinion at least) harms the internet by consolidating power in the hands of just a few large monoliths.

Yeah I never understood the decryption issue either. Even if you don't use them, Cloudflare offers a lot of services that do need to understand what the payload is. It's like complaining an AWS ELB needs to decrypt traffic to load balance.

To be fair, [classic] ELBs do NOT need to decrypt traffic if you're really paranoid - you can load balance on TCP. Then it's only per-socket load balancing and you lose a lot of CloudWatch insights, but if you need truly end-to-end encryption, it's an option.

I think you can do the same with NLBs. ALBs, however, have to terminate the HTTP so no choice there.

At Hetzner, 1vCPU, 2GB RAM, 20GB HDD is 4.15 euro per month.

Still a bit cheaper than AWS Lightsail.

Is there such a thing as an "email proxy"?

I want to store email on a "backend" server not exposed to the internet, and have a separate email server that interfaces with the rest of the internet and both sends outbound email (delivers emails sent from the backend) and receives email (forwards them to the backend), but doesn't store any at all. Like a forward+reverse http proxy, but for email.

There are a number of services that effectively proxy/filter (and act as the primary MX) that then can forward to your MX. But you still need to deal with going outbound, I suppose.

Yeah that's my point. If you're running your own outbound email server, you might as well run it for inbound as well. I want a "dumb email proxy" so I can forward all email through a stateless $5 VPS with a static IP and not ever need to worry about scaling or securing its storage.

For email, it's called "relay".

Any email server can do it, it's a very basic email feature. Many services will do it for you (but a few will block it).

Exactly this. I run this setup personally: mailserver on my home PC with a relay on my Hetzner dedicated server.

The relay proxies all inbound and outbound mail, performs spam filtering but stores no mail.

I do this because my home PC's IP changes constantly, and my ISP also blocks port 25.

Relays are easy to set up; mailcow-dockerized has built-in support.
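The relay role described in this comment (a public MX that accepts inbound mail for the domain and hands it to the backend, relays the backend's outbound mail, and stores nothing itself), written out as a minimal Postfix configuration. This is an added example, not the commenter's mailcow setup; example.com, the hostname mx.example.com, and the tunnel addresses 10.66.0.1 (relay) and 10.66.0.2 (home backend) are assumptions.

```ini
# /etc/postfix/main.cf on the relay VPS (constructed example)
myhostname = mx.example.com
# No local mailboxes: an empty mydestination means nothing is delivered or
# kept here; the queue only holds mail while the backend is unreachable.
mydestination =
# Inbound: accept mail for the domain purely to hand it on to the backend.
relay_domains = example.com
transport_maps = hash:/etc/postfix/transport
# Listing valid recipients lets the relay reject unknown users at RCPT TO
# instead of accepting and later bouncing (backscatter). Postfix logs a
# warning if this is left empty for a relay domain.
relay_recipient_maps = hash:/etc/postfix/relay_recipients
# Outbound: only the backend's tunnel address may relay through this host;
# anyone else may only deliver to domains this host is the MX for.
mynetworks = 127.0.0.0/8, [::1]/128, 10.66.0.2/32
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_helo_required = yes

# /etc/postfix/transport (run `postmap /etc/postfix/transport` after editing):
#   example.com   relay:[10.66.0.2]:25
# The brackets skip the MX lookup and deliver straight to the tunnel address.

# /etc/postfix/relay_recipients (run `postmap` here as well):
#   alice@example.com   OK

# /etc/postfix/main.cf on the home backend: send all outbound via the relay,
# which matters when the ISP blocks port 25 or the home IP keeps changing.
# relayhost = [10.66.0.1]:25
```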

The little context I can glean from the comments here makes it seem very ironic that the target site is down :)

That's not good! It's working for me and I'm running the server...

Maybe it's something on your end? I've checked the site on online services, three different networks and two different devices.

yep, works fine for me now. I am accessing from a corp IP - might be related to my blip.

Works for me

Cool product I didn't even know about. I'm going to try it out. https://www.cloudflare.com/products/tunnel/

I find it disturbing that somehow whatever the internet is seems to consolidate to central providers because they have such advantages due to scale. Is that how everything goes? Seems weird.

Did this site get the HN hug of death? It does not respond for me.

I'm curious why the requirement was to not port forward? Seems like the author values the independence of self hosted stuff and port forwarding is a pretty common solution.

The server will be on campus internet, so they can't forward anything.

Right. Thanks. I was distracted by a coworker and should have read more carefully.

2nd line of post:

> Unfortunately, I doubt the tech department at the university would appreciate or allow me to poke holes in their firewall to forward 443 and 80 to my server

This is one of those interesting major differences between institutions of higher learning that often goes unremarked: some universities (generally the Internet first-adopters) have entire IPv4 subnets and don't firewall machines on their networks.

A machine connected to their networks is just publicly accessible by IP address.

I think he's saying he can't port forward because he lives on a university campus.

> I doubt the tech department at the university would appreciate or allow me to poke holes in their firewall to forward 443 and 80 to my server

Sound very sad if true!

No college would ever allow this. Everyone would want their own custom network config? Just doesn't scale and the support would destroy an already grumpy and overextended staff.

Tons of colleges just give you a public IP and route all traffic to you.

I wonder if someone with (or familiar with) loophole will pop in and explain how to sign up. I didn't see it anywhere on their site either.

Poking around (cause the service interests me) it looks like you use their CLI to do everything, including create an account.

> Loophole service requires authentication, this command allows you to log in or set up one in case you don't yet have it.

Yep, it creates a link with a code, then proceeds to ask me to "sign in on the web" but does not give me an option to sign up. In the Youtube videos, there's a button to "sign up" but not for me. I've tried with multiple browsers on multiple machines on multiple networks.

I just want to remind you all that Azure App Proxy is an alternative to a Cloudflare tunnel. It does, however, require an enterprise subscription.

6.00 a month - 72.00 per year seems very reasonable.

The author did not mention what it would cost to get the kind of service he really wanted, without making compromises he felt bad about.

> So how on earth am I planning on keeping my server up during this time?

$4 / month cloud VPS running wireguard will do the trick.

Couldn't he ngrok the site?

Author is brilliant.

Oracle free tier?

You get what you pay for. If you’re getting something for “free”, you’re the one getting paid for.
