Cloudflare … A Great Service and Company

There’s not a lot of large IT companies that I fully respect for their approach to cybersecurity, but Cloudflare is an exception. They are a great company that is driven by technical people and who have strong beliefs around privacy and in improving the Web. I especially love their approach to improving cryptography, and they lead in quite a few areas.

And so, after trying to defend against bots and malicious activity on my site, I flipped the switch and moved my front-end security and content delivery to Cloudflare. With just the free service, it works like a dream, and there’s an instant improvement in the delivery of the content (which will come from a cache rather than from the Web site). But it is the security options, where Cloudflare really kicks in.

My main Web site is hosted in AWS, and I looked into creating a firewall within AWS, but it was just too expensive. I also run my DNS from the AWS Route 53 service. The way that Cloudflare works is that you hand over DNS resolution to them, and they then proxy the connection and examine each request. In this way, the client's connection uses Cloudflare's certificate, and Cloudflare then makes the normal connection onto the main site. The changes to the DNS settings were:

In Figure 1, Bob requests asecuritysite.com, and Cloudflare returns the address of their proxy. The connection is then made as an SSL/TLS connection to the proxy. Cloudflare can then examine the contents of the URI and decide whether or not to block. If it does not block, it forwards the connection onto the server, using the digital certificate of the server for that leg.

Figure 1

For firewall rules, Cloudflare provides up to five rules for the free site, and then 20 for the Professional subscription:

The rules themselves are powerful and provide filtering on most of the fields within the request, such as the full URI or the URI query string. The action can then be block or allow, along with a JavaScript or CAPTCHA challenge. These challenges aim to defeat automated agents (bots). In the following we have a block if any part of the URI query string matches “xxx” or “php”:

Once set up, it is then possible to view the details of the action. In this case, a bot is trying to inject a Web link into the URI:
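As an added example (my own code, not from the original post or from Cloudflare), the following Python evaluates the two rules described above, the “xxx”/“php” block and a challenge for an embedded Web link, against a few constructed request lines; the field name `http.request.uri.query` in the comment is from Cloudflare's rules language, and the request lines and the "challenge" rule are assumptions for illustration.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample request lines (method and request URI); not real traffic.
SAMPLE_REQUESTS = [
    "GET /index.html",
    "GET /search?q=cloudflare",
    "GET /page?file=../config.php",
    "GET /view?id=1&redirect=http://example.invalid/xxx",
    "GET /api?q=%70%68%70",                         # "php", URL-encoded
    "GET /comment?link=https://example.invalid/post",
]

# Rules evaluated in order; the first match wins, as with an ordered rule list.
# Rule 1 mirrors the post's rule, roughly:
#   (http.request.uri.query contains "xxx") or (http.request.uri.query contains "php")
# Rule 2 is an assumed extra rule for the bot behaviour shown next (a link in the URI).
RULES = [
    ("block", lambda q: "xxx" in q or "php" in q),
    ("challenge", lambda q: "http://" in q or "https://" in q),
]


def query_string(request_line: str) -> str:
    """Return the percent-decoded, lower-cased query string of a request line.

    Decoding before matching means an encoded "%70%68%70" is still seen as "php".
    """
    _, uri = request_line.split(" ", 1)
    return unquote(urlsplit(uri).query).lower()


def evaluate(request_line: str) -> str:
    """Return the action for one request: "block", "challenge" or "allow"."""
    q = query_string(request_line)
    for action, predicate in RULES:
        if predicate(q):
            return action
    return "allow"


def triage(requests):
    """Map every request line to the action the rule set would take."""
    return {r: evaluate(r) for r in requests}


if __name__ == "__main__":
    for req, action in triage(SAMPLE_REQUESTS).items():
        print(f"{action:9s} {req}")
```

A request with no query string is always allowed by these rules, so path-only probes would need a separate rule on the URI path.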

Along with security, Cloudflare provides a CDN (Content Delivery Network), where previously accessed content is delivered from the Cloudflare network, near the requester, rather than being sourced from the server. We can see here that much of the content has been served from the cache rather than from the server:

This type of caching often makes the access to content much faster.

Conclusions

Cloudflare is a great cryptography company, and has a deep belief in privacy and in improving the Web. For a free service, their product is first class, and has enough functionality for many small businesses to start with.

I was also lucky to speak to Nick Sullivan, the Head of Research at Cloudflare: