Their value proposition is completely absurd ("protect websites from hacking"), yet they're still around and get quite a bit of seemingly expensive PR-spin like this article.
Who pays for the "accidental CDN" that, according to the article, pushes as much traffic as the 10th largest website on the internet? Their optional $20/mo subscription plan can't possibly cover that.
I think that you have to look at how CloudFlare is billing itself. It's a simple solution for people who want to have a faster website. It's easier to implement than most other caching or CDN and that $20 plan is likely limited to sites under X amount of traffic.
The company is only sitting on around $2 mm in funding (if memory serves me) so it's either making a decent sum of money from people who find value in that accidental CDN or it's going to fizzle out quickly due to lack of funds.
The thing that you have to keep in mind is that (likely) the vast majority of its customers aren't on the same level of technological prowess that you have. CloudFlare is aimed at people who run sites and just want them to be easier to run while working better and being safer. There's a lot of money to be had from a service that can fulfill that request.
Oh, and as for the expensive PR-spin, this is the first time I've heard from CloudFlare in 8 months, even after specifically asking them to get in touch with me. If I'm not mistaken, the company has done very little PR. They've gotten attention in a way that many people seem to have forgotten -- by having a good product.
Nice to see you on HN; I was wondering if you had any comment in regard to the huge surge in attention (mostly great reviews, from what I've seen) thanks to LulzSec using your service?
Like many others, I hadn't heard of CloudFlare until it started showing up all over Twitter (and the Internet in general) in relation to LulzSec.
I'm glad you guys got some nice exposure, and I might start using your service myself soon!
Given the choice, I may not have picked Public Enemy Number One as the poster child for CloudFlare's service. It does, however, remind me of the old Range Rover commercial talking about the great London bank heist. "The robbers thought of everything," the commercial concluded. "That's why, for their getaway vehicle, they chose a Range Rover."
Regarding "limited to sites under 'x' amount of traffic", I just inquired to CloudFlare on that exact question yesterday and received this response:
"Some of the biggest sites on CloudFlare do well over 10M page views per day."
Given the current plans are FREE and $20/mo, it would seem that there is not a limit at this point.
I also inquired regarding the Enterprise services and was told it is strictly a matter of additional features being made available, not related to traffic or usage.
> Who pays for the "accidental CDN" that, according to the article, pushes as much traffic as the 10th largest website on the internet? Their optional $20/mo subscription plan can't possibly cover that.
They use VigLink to add affiliate tags to the external links of the sites that use them.
Somewhat offtopic, but why do affiliate programs go along with this? If it's a link that was already going to Amazon, then adding the tag brought in no new business and CloudFront does not deserve a cut.
You mean CloudFlare. CloudFront is Amazon's CDN service :-)
For Amazon at least, intercepting and tagging URLs is in violation of the Associates agreement, and if detected Amazon will not pay these fraudulent commission claims.
If the URLs are being tagged with the Associates account of the web page owner, then this auto-tagging is a CMS feature, which is reasonable.
If the URLs being tagged are content created by NOT the website owners (like, say, forum posts), then we might be back in fraud territory.
"They use VigLink to add affiliate tags to the external links of the sites that use them."
This is actually an optional service (Outbound Links) that can be turned on or off (opt-in by default). No affiliate links are added without turning the feature on.
I have a site that gets ~12 visitors/day and I make about $55/mo through that site all from the Amazon Associates program.
Referring someone through an Amazon link doesn't just credit you if they purchase that product you linked to - it credits you for any purchases they make during the cookied period. And for the whole amount of the checkout.
A couple months ago I made over $150 with that same amount of traffic because someone bought a MacBook Air (~$50 in commission), some fancy espresso maker (~$20) and a bunch of other things. Amazon has mastered the art of the upsell.
I don't think it's completely absurd. Of course it won't protect you against a determined attacker, but it can protect against some of the low hanging fruit... stuff like web form spam, email address harvesters, known XSS / SQL injection / WordPress vulnerability du jour.
Then there's a CDN / caching aspect. If you don't want to bother configuring your own cache servers they'll handle it for you. It sounds like they even try to figure out what's static content even if you don't set your cache headers properly, which is slightly risky but probably ok for a lot of configurations.
When you operate at the DNS level, you get to do all kinds of cool things with site traffic. Cloudflare started with a value proposition based on security, but low-cost hardware and advent of cloud technologies have allowed them to easily expand their offering to CDN and apps.
They are freemium because they need to collect as much traffic data as possible to learn to identify threats. Same reasoning as Akismet spam filtering started out with. They also have enterprise level plans, which probably drive more revenue.
Plus, they are only 7 months old. Kinda early to be hatin', no?
Similar to many other companies operating on the internet these days, CloudFlare operates on a freemium model (free vs paid products). We also have some other opportunities to make money with other product integrations & will be launching enterprise products in the future.
Can you explain your technology more directly? Your web site doesn't have a lot of technical detail, perhaps because people who would understand the technical details aren't your target audience.
For the HN crowd, understanding what pieces are in play would help a great deal. I figure it's probably a nice cache + CDN service?
I'll admit that I don't get your security claims -- it seems like entirely the wrong layer to deal with security issues.
Sure. At a high level: We run out of 12 data centers scattered around the world (Singapore, Hong Kong, Tokyo, Los Angeles, San Jose, Dallas, Chicago, New York, Ashburn, Paris, Amsterdam, and Frankfurt). We use Anycast (listen to the same IP out of multiple locations) as well as GeoIP DNS in order to route a request from a visitor to the website to the nearest data center. In each data center we run a reverse proxy that does full inspection (down to Layer 7) of each request looking for threat signatures. The data centers also run caching where we automatically detect static objects that make up a website and store them to be closer to the visitor. Requests for objects that are not cached are passed back to the origin server. The origin server's response passes back through CloudFlare's proxy, which can scan, analyze, and rewrite the content without blocking delivery.
This is so helpful and interesting! I've been intrigued by yall since I saw your sign in the old SocialMedia building in PA, but figured you were just scareware because the descriptions on your web site are so fluffy.
It would be awesome if this explanation was on there under "technical details" or something.
Cloudflare is amazing and I pay for it. I'm sure enough people feel the same way that they can at least continue to get funding rounds while the business model develops.
Oh, don't forget that they can also probably make a good amount of money selling aggregate data and statistics (like Mint).
I doubt I'm your target market, so feel free to ignore me, but do you have a page that explains what you're really offering minus all the marketing hand waving? It sounds like it might be interesting but it's difficult to wade through the 10,000 ft view stuff.
For example, I just picked this mouseover that interested me:
The threat challenge page stops known threats and alerts infected humans that they need to take action.
Is there anything that elaborates on that? From a security perspective, I'm drawing a blank as to what a reverse proxy filter is achieving there. You're rewriting html destined for ddos zombies?
If a threat is detected (either because the IP has a bad reputation, or a request contains a malicious payload) then, depending on your security settings, instead of the request being passed to your web server it is answered by the proxy. The answer is a web page that, again depending on your security settings and the type of threat, includes a CAPTCHA. If the visitor passes the CAPTCHA then their session is marked as valid and they're allowed to pass through the proxy unhindered.
The nature of the system is that we're seeing data across tens of thousands of websites so we get smarter as we grow larger. We have a bird's-eye view into overall flow patterns and can spot attacks that are very difficult to see if you're only looking at your own logs from your own sites. For example, if the same IP hits multiple, unrelated CloudFlare websites then it is an indication that it is some kind of automated crawler. We can then look at whether it comes from a known, legitimate entity (e.g., Google) and also watch its behavior for other characteristics that indicate it may be a threat.
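The cross-site signal described in the comment above, sketched as an added example (not part of the thread and not CloudFlare's code): it counts how many distinct sites one client IP touches inside a sliding time window and separates verified crawlers from addresses that need review. The log records, site names, thresholds and the `VERIFIED_CRAWLERS` set are constructed assumptions.

```python
from collections import defaultdict

# Constructed proxy log records: (epoch_seconds, client_ip, site).
# IPs come from documentation ranges; site names are invented.
SAMPLE_LOG = [
    (1000, "203.0.113.7", "shop.example"),
    (1004, "203.0.113.7", "forum.example"),
    (1009, "203.0.113.7", "blog.example"),
    (1015, "203.0.113.7", "wiki.example"),
    (1002, "198.51.100.20", "shop.example"),
    (1020, "198.51.100.20", "blog.example"),
    (1031, "198.51.100.20", "wiki.example"),
    (1001, "192.0.2.55", "blog.example"),
    (1050, "192.0.2.55", "blog.example"),
    (5000, "192.0.2.55", "shop.example"),
]

# Hypothetical set of crawler IPs already verified as a known entity.
VERIFIED_CRAWLERS = {"198.51.100.20"}

def max_sites_in_window(events, window):
    """Largest number of distinct sites seen within `window` seconds."""
    events = sorted(events)
    best, start = 0, 0
    counts = defaultdict(int)
    for ts, site in events:
        counts[site] += 1
        # Drop events that have fallen out of the window ending at ts.
        while ts - events[start][0] > window:
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best

def classify(records, window=60, min_sites=3, verified=VERIFIED_CRAWLERS):
    """Label each IP 'normal', 'verified-crawler' or 'review'."""
    by_ip = defaultdict(list)
    for ts, ip, site in records:
        by_ip[ip].append((ts, site))
    result = {}
    for ip, events in by_ip.items():
        if max_sites_in_window(events, window) < min_sites:
            result[ip] = "normal"
        elif ip in verified:
            result[ip] = "verified-crawler"
        else:
            result[ip] = "review"
    return result
```

Each site owner in the sample sees at most two requests from any one address, which is why the pattern only shows up in the aggregated view.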
The chances are pretty low a scraper would hit multiple unrelated Cloudflare websites since Cloudflare is only used in very very few websites... Scrapers usually are interested in particular websites, they dun just scrape random sites.
What other characteristics can you detect? Can't really look at IP address, since ISPs such as AOL use the same IP address for the same user. Can't look at headers or referral strings since those can easily be faked. Also search engines such as Google have been known to use non-Google IP's to check if a site is cloaking or not. And you say you analyze the reputation of an IP - IP addresses for users change all the time. And many scrapers do use data farms/cloud services such as AWS, but a lot are moving to European data servers as well, and these IP addresses are harder to get reputation for (they're not in ARIN, etc).
I have been running my site through it for some time now as well as testing an uptime monitoring script via Google App Engine someone on Reddit wrote.
If anyone is interested in the very limited data, it is at http://isitupordown.appspot.com/v/urbad with "ActualServer" being the VPS itself, and CDNCache being CloudFlare.
I saw this article and took the plunge on one of my sites. It took the standard time for the DNS to update and I was up and running shortly after. It maintains all of your MX records, etc and I did see a jump on Google Page Speed Score (went from 81-87) after installing.
One of the side benefits was their one click "apps" where you can install Google Analytics, etc and manage it from one place.
I did have one question that I didn't see a clear answer for. If I am using Amazon's Cloudfront for many of my images, how does the Pro account handle the caching of these seemingly conflicting services?
Not having heard of the service before, am I correct in characterizing this product as a WAF (web application firewall)? That also as a consequence of its architecture acts as proxy/CDN for its customers?
I think I understand how it works -- and they have an option for installing a firewall on your server (htaccess file?) that will block any traffic that didn't come from them. That's optional, and I'd imagine that if you didn't use it you could be SQL injected right around this service by the attacker using your server's IP address.
But I'm going to hook my nearlyfreespeech.net sites up and see how things go.
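An added example (not part of the thread) for the point raised in the comment above about traffic that reaches the origin server without passing through the proxy: it audits an origin access log and reports every request whose peer address lies outside the proxy's egress ranges. The ranges are documentation-prefix placeholders rather than any provider's real list, and the log lines are constructed.

```python
import ipaddress

# Placeholder egress ranges standing in for the proxy's published list
# (documentation prefixes, not real provider ranges).
PROXY_RANGES = [ipaddress.ip_network(n)
                for n in ("192.0.2.0/24", "2001:db8:100::/48")]

# Constructed origin access-log lines (common log format, peer first).
SAMPLE_ORIGIN_LOG = """\
192.0.2.14 - - [01/Jun/2011:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
192.0.2.200 - - [01/Jun/2011:10:00:03 +0000] "GET /style.css HTTP/1.1" 200 830
203.0.113.9 - - [01/Jun/2011:10:00:07 +0000] "GET /item?id=1 HTTP/1.1" 200 2210
2001:db8:100::5 - - [01/Jun/2011:10:00:09 +0000] "GET /a.png HTTP/1.1" 200 9000
not-an-ip - - [01/Jun/2011:10:00:11 +0000] "GET / HTTP/1.1" 400 0
"""

def from_proxy(addr, ranges=PROXY_RANGES):
    """True if addr parses as an IP inside one of the proxy ranges."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on junk
    return any(ip.version == net.version and ip in net for net in ranges)

def direct_hits(log_text, ranges=PROXY_RANGES):
    """Return (peer, request) for lines that did not arrive via the proxy.

    Peers that do not parse as an IP address are reported as well, since
    they cannot be shown to belong to the proxy.
    """
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        peer = line.split(" ", 1)[0]
        request = line.split('"')[1] if line.count('"') >= 2 else ""
        try:
            via_proxy = from_proxy(peer, ranges)
        except ValueError:
            via_proxy = False
        if not via_proxy:
            flagged.append((peer, request))
    return flagged
```

Any line this returns is a request the proxy never inspected, which is the gap the optional origin-side restriction closes.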
I use cloudflare and I LOVE THEM.
My site serves up tons of static content and thought I'd offer some specs. Previously, I had been considering moving all my static content to the rackspace CDN, but thought I'd give Cloudflare a whirl.
Since configuring with cloudflare on May 26th, I've had 26,133 page views, 368 from crawlers and 755 from bots.
Without cloudflare my average page load time is 2.66 seconds. With cloudflare my time is 1.55 (my google pagespeed score is 97/100: http://bit.ly/k3MDGk)
Out of 125,183 total requests, 72,405 have been saved by cloudflare.
10GB of bandwidth has been served since that time and 4.9 has been saved.
Cloudflare makes my site 41% faster as well.
I was getting hit with a lot of exploit attacks, mainly from China, so I was glad to see I could block by IP, IP Range and Country in their Threat control Panel. I'm aware that's not a foolproof method but it helps.
I remember signing up for the beta of this service not really understanding how it worked and was pretty weirded out when it asked me to point my DNS to their server.
No, it isn't hosting because you still keep your hosting provider when using CloudFlare. The DNS switch is at your registrar, which is an entirely separate issue than hosting.
Example:
1. Registrar could be GoDaddy.
2. Hosting is at BlueHost.
Adding CloudFlare would mean:
1. Change authoritative nameservers at GoDaddy to us.
2. Hosting doesn't change at BlueHost.
CloudFlare is a reverse proxy. You keep your existing hosting provider. It's just like how Postini, MX Logic, or MessageLabs stopped email spam via a change to DNS.
We use NGINX as our underlying platform, but have extensively extended it for our purposes. We actively contribute back to the NGINX open source community where there are developments we've made we think may be useful.
Sorry, but what/how exactly are you actively contributing? Other than yesterday's naive port of mod_pagespeed, I didn't find any of your contributions and you make it sound like something you're doing on a regular basis.
Don't get me wrong, I love the idea of your product from the very beginning, but don't say that you do things when you don't.
Yes, one of our engineers contributed his work on a native port of mod_pagespeed two days ago. We have made a number of other contributions along the way as well, most of which aren't nearly as sexy as the one you pointed out. And we'll continue to do so.