Ask HN: What's a good open-source alternative to Cloudflare?
Been a fan of cloudflare for a while but am having second thoughts about such a centralized service with so many lock in mechanisms. What options are out there? (open source would be great!) Looking at features like DNS, DoS protection, basic WAF, CDN...etc
68 comments
The value of CloudFlare comes from its network, not the software they run. You can hack together a caching reverse proxy (intentionally oversimplified) pretty easily, but it won't be "CloudFlare".
In fact you can just use nginx. Cloudflare itself used it for a long time (although heavily modified) and nginx will give you most of the features Cloudflare had until 1-2 years ago. You'd still need the network though.
Can I setup DoS protection, basic WAF on the free Nginx? If so, any resources to do the same would be appreciated.
Certainly, https://docs.nginx.com/nginx-waf/
> The value of CloudFlare comes from its network, not the software they run.
this is, as the kids say, a *MOAT*. you could leak the entire source of cloudflare and cloudflare's value would be unaffected.
this is, as the kids say, a *MOAT*. you could leak the entire source of cloudflare and cloudflare's value would be unaffected.
Even the Worker runtime is open-source now: https://github.com/cloudflare/workerd
I use their pages services to handle CI/CD but also to run edge functions (lightweight server side stuff near to the user) with their keystore product.
They're definitely more than a CDN these days.
They're definitely more than a CDN these days.
Ok then let's ask another question. Is there a real competitor to Cloudflare ?
Just about any cloud counts.
Debating exactly how many data centers one needs to be "edge" instead of "cloud" is pretty silly. Ask what latency you need between your software and the customer, and then ask what providers can supply that.
(Of course, AWS egress transfer rates may be too costly, but that's not about "edge". https://blog.cloudflare.com/aws-egregious-egress/)
Debating exactly how many data centers one needs to be "edge" instead of "cloud" is pretty silly. Ask what latency you need between your software and the customer, and then ask what providers can supply that.
(Of course, AWS egress transfer rates may be too costly, but that's not about "edge". https://blog.cloudflare.com/aws-egregious-egress/)
It will depend on your use case.
For an average site, that just wants basic CDN facilities (cache assets; maybe do some rule processing to control cache of "dynamic" pages etc) there are dozens.
The issue comes in a few of the niche uses.
A client of mine has been using CF for the public site for several years, but until recently used S3 + Cloudfront for content that users download (essentially purchased digital files). That content is now also served via Cloudflare, using tokens (similar to pre-signed URLs for Cloudfront, so the cache can validate that a user should have access to a file).
CF don't cache all the downloadable content (anything over 512MB is excluded from caching unless you pay for Enterpri$e level plan) but they also don't have per-{m,g,t}byte transfer pricing either.
This is obviously not a problem for a lot of use-cases, but for anyone offering downloadable content, or large volumes of network traffic, it's going to be hard to find a CDN that can compete on price with Cloudflare.
For an average site, that just wants basic CDN facilities (cache assets; maybe do some rule processing to control cache of "dynamic" pages etc) there are dozens.
The issue comes in a few of the niche uses.
A client of mine has been using CF for the public site for several years, but until recently used S3 + Cloudfront for content that users download (essentially purchased digital files). That content is now also served via Cloudflare, using tokens (similar to pre-signed URLs for Cloudfront, so the cache can validate that a user should have access to a file).
CF don't cache all the downloadable content (anything over 512MB is excluded from caching unless you pay for Enterpri$e level plan) but they also don't have per-{m,g,t}byte transfer pricing either.
This is obviously not a problem for a lot of use-cases, but for anyone offering downloadable content, or large volumes of network traffic, it's going to be hard to find a CDN that can compete on price with Cloudflare.
Fastly is great.
It's not neccessarily about code being open source or not: you can pretty much run a wide and large proxy network for any of the services using run of the mill free software.
This means that to prevent all of the issues, you need a huge overprovisioned network. So to make economics work, you'd have to become one of the largest networks in the world, and thus serve lots of clients, making you again a "centralized" service.
This means that to prevent all of the issues, you need a huge overprovisioned network. So to make economics work, you'd have to become one of the largest networks in the world, and thus serve lots of clients, making you again a "centralized" service.
CDNs are mostly about having large numbers of servers in convinent locations not software. The software is the easy part.
That said, wikipedia documents its CDN setup which is all open source at https://wikitech.wikimedia.org/wiki/Caching_overview which might be of interest to you.
That said, wikipedia documents its CDN setup which is all open source at https://wikitech.wikimedia.org/wiki/Caching_overview which might be of interest to you.
One thing I really appreciate about Wikimedia is the openness and quality of documentation for their infrastructure (which can be found at https://wikitech.wikimedia.org/wiki/Wikimedia_infrastructure).
It's an excellent resource for anyone curious to learn about their systems. I wish more organizations would embrace transparency and open-source principles as much as Wikimedia does.
It's an excellent resource for anyone curious to learn about their systems. I wish more organizations would embrace transparency and open-source principles as much as Wikimedia does.
What would it even mean to be an open source Cloudflare? The entire point of Cloudflare is that they run the tricky stuff for you. As another user said here, you can use nginx and lots of other OSS to achieve the same end goals. You will work much harder for it though.
# rant
I thought about this for a solid 15 minutes. What really is an open source of version of Cloudflare? That leads into the question of what is really Cloudflare.
An enterprise that has built something so huge that the idea it represents can not be separated from the service (as a whole) they provide. That is like saying what is the open source alternative to I don't know....Intel or Oracle. It not only covers a suite of offering that is impossible to replicate, but rather the complexity of each component of their entire service suite.
How the heck are you supposed to do open source CDN?
Then you take a step back and the question again, which still doesn't make any sense. "Open source alternative to Cloudflare". The question is supposed to be "What represents the open source alternative to what Cloudflare's XYZ does".
CDN, a network that is designed to deliver content... and needs to be open source. P2P systems? Torrenting? Some weird blockchain stuff? Are they CDN? I have no clue. You end up compromising in the definition of the service Cloudflare provides to pick something because it is supposed to be Open Source. You go down the list of each service Cloudflare with your own Open Source twist and you end up with a web service that more and more represents the Web 1.0 and arguably not reliable. What are you compromising at that point? Open source becomes an agenda rather than a solution.
Cloudflare isn't a software company, you are essentially paying them for the hardware they are carrying in their network/portfolio. They are not Open Source-able.
I thought about this for a solid 15 minutes. What really is an open source of version of Cloudflare? That leads into the question of what is really Cloudflare.
An enterprise that has built something so huge that the idea it represents can not be separated from the service (as a whole) they provide. That is like saying what is the open source alternative to I don't know....Intel or Oracle. It not only covers a suite of offering that is impossible to replicate, but rather the complexity of each component of their entire service suite.
How the heck are you supposed to do open source CDN?
Then you take a step back and the question again, which still doesn't make any sense. "Open source alternative to Cloudflare". The question is supposed to be "What represents the open source alternative to what Cloudflare's XYZ does".
CDN, a network that is designed to deliver content... and needs to be open source. P2P systems? Torrenting? Some weird blockchain stuff? Are they CDN? I have no clue. You end up compromising in the definition of the service Cloudflare provides to pick something because it is supposed to be Open Source. You go down the list of each service Cloudflare with your own Open Source twist and you end up with a web service that more and more represents the Web 1.0 and arguably not reliable. What are you compromising at that point? Open source becomes an agenda rather than a solution.
Cloudflare isn't a software company, you are essentially paying them for the hardware they are carrying in their network/portfolio. They are not Open Source-able.
Now you made me think for solid 15 mins. What is an open source Intel? Intel has two or three large categories, depending on how you look at it. First the manufacturing arm, that is the trickiest to pin. Open source manufacturing doesn't really make sense, but we do have some fabs and initiatives which have an open PDK[1] and provide technology as a service. I think that is the closest you are going to get.
Then we have their chip architecture, I think RISC-V at least gives us an open ISA but I am not aware of fully open implementations. Then there is the various software Intel provides, everything from drivers to MKL. There are some open source versions of them here and there.
So can we have an open source Intel? Yes, but not in this world. Mostly because they do physical things. And I think that loops us back to CDNs because thats the point with them too.
[1]
Then we have their chip architecture, I think RISC-V at least gives us an open ISA but I am not aware of fully open implementations. Then there is the various software Intel provides, everything from drivers to MKL. There are some open source versions of them here and there.
So can we have an open source Intel? Yes, but not in this world. Mostly because they do physical things. And I think that loops us back to CDNs because thats the point with them too.
[1]
The accumulation of services is silly, but it hits every company trying to sell to "enterprises".
Quick, how many products/services does AWS have?
Quick, how many products/services does AWS have?
It's hard to develop an accurate mental model of complete software/hardware technology stacks. Developers work with a lot of black box software offerings and begin to think of every component as just some software implementation they need to interface with.
I guess I'm just wondering how I could piecemeal it together without using cloudflare. A friend had suggested checking out bunny DNS and that got me going down the rabbit hole.
That’s not really what a CDN is/does…
The value proposition of a CDN is being physically closer to customers around the world, which means renting space in (often) expensive carrier hotels.
Yes yes all the major CDNs have loads of developer and infrastructure wizbangs to keep you on their platform but that’s not the fundamental value.
The value proposition of a CDN is being physically closer to customers around the world, which means renting space in (often) expensive carrier hotels.
Yes yes all the major CDNs have loads of developer and infrastructure wizbangs to keep you on their platform but that’s not the fundamental value.
It's like trying to build an "Open Source Gas Station chain".
Yes, you can hack up a storage container and a pump with "open source" bits, but that's not what makes it useful.
What makes it useful is the fact that there is a $chain Gas Station in every nook and cranny. And that's not something openness can change.
Yes, you can hack up a storage container and a pump with "open source" bits, but that's not what makes it useful.
What makes it useful is the fact that there is a $chain Gas Station in every nook and cranny. And that's not something openness can change.
To butcher your an analogy, an open source gas station chain would be a publicly an available light rail; one that replaces driving for many citizens along the route.
Openness helps kill off rent seekers. This might be the deeper concept that sits behind the original authors question.
Openness helps kill off rent seekers. This might be the deeper concept that sits behind the original authors question.
>What would it even mean to be an open source Cloudflare?
Free-as-in-beer to use everything, shaggy underdog social status, community of free-as-in-beer contributors to leech off of, keeping your teeth clean with some of that floss, and bonus points if you can stick trendy words like "federated" and "AI" in there.
Free-as-in-beer to use everything, shaggy underdog social status, community of free-as-in-beer contributors to leech off of, keeping your teeth clean with some of that floss, and bonus points if you can stick trendy words like "federated" and "AI" in there.
If you just want to run a cache locally, varnish or nginx w/ cache module. But Cloudflare’s value add isn’t their cache by itself, it’s their network of caches in 200+ locations around the world to keep content closest to users. That’s the part where you have to have huge scale before it makes sense to try and run your own CDN - it’s a full time job. Giving Cloudflare $20 a month or $200 a month is worth it. If you want A cache but not necessarily Cloudflare’s cache, AWS Cloudfront has a free tier w/ 1 TB of egress a month last I checked - that’s very aggressive pricing. Cloudflare doesn’t have any egress cost at all until you get to enterprise but they heavily restrict features at the lower tiers - might be an issue if you need cache TTLs lower then 24 hours. I’m a big proponent of micro-caching so that part of Cloudflare runs against my designs sometimes. Cloudfront has no such limitations.
Building your own DDOS protection and CDN will involve a lot of devops bandwidth in ensuring both low latency and high availability. You may need to negotiate good rates with your ISP/VPS/Cloud for network bandwidth. It will also involve keeping in sync with security fixes and the state of the art in terms of bot protection, etc. If this use case is not a core part of your business, it will be better to bite the bullet and go ahead with a 3rd party solution like Cloudflare / AWS Cloudfront + WAF + Route 53 / Google Cloud Armor / Fastly
Openresty with a few Nginx modules and Lua scripts can go a long way for many use-cases mentioned:
- ModSecurity for WAF: https://github.com/SpiderLabs/ModSecurity
- L7 Rate limiting: https://github.com/openresty/lua-resty-limit-traffic
- Cache: https://github.com/ledgetech/ledge . Or use varnish which gives you VCL for high configurability
- Load balancing: https://github.com/openresty/lua-resty-balancer
- CDN: https://github.com/taythebot/lightpath . This project seems to be a WIP which you can use as a starting point for your needs. You will also need to find good enough "edge" locations for your CDN.
Similarly, HAProxy does a lot of stuff with the correct config and is also extensible using Lua:
- Some basic DOS protection: https://www.sysbee.net/blog/haproxy-sysadmins-swiss-army-kni...
- L7 DDoS protection: https://github.com/mora9715/haproxy_ddos_protector
You can run your own authoritative DNS server using either djbdns or nsd. Or use AWS Route 53.
Ultimately, it will involve (a lot of) glue code/config depending on what solution you go ahead with.
Openresty with a few Nginx modules and Lua scripts can go a long way for many use-cases mentioned:
- ModSecurity for WAF: https://github.com/SpiderLabs/ModSecurity
- L7 Rate limiting: https://github.com/openresty/lua-resty-limit-traffic
- Cache: https://github.com/ledgetech/ledge . Or use varnish which gives you VCL for high configurability
- Load balancing: https://github.com/openresty/lua-resty-balancer
- CDN: https://github.com/taythebot/lightpath . This project seems to be a WIP which you can use as a starting point for your needs. You will also need to find good enough "edge" locations for your CDN.
Similarly, HAProxy does a lot of stuff with the correct config and is also extensible using Lua:
- Some basic DOS protection: https://www.sysbee.net/blog/haproxy-sysadmins-swiss-army-kni...
- L7 DDoS protection: https://github.com/mora9715/haproxy_ddos_protector
You can run your own authoritative DNS server using either djbdns or nsd. Or use AWS Route 53.
Ultimately, it will involve (a lot of) glue code/config depending on what solution you go ahead with.
> ModSecurity for WAF: https://github.com/SpiderLabs/ModSecurity
This might be of interest to some: https://www.modsecurity.org/
> Trustwave is announcing the End-of-Life (EOL) of our support for ModSecurity effective July 1, 2024. We will then hand over the maintenance of ModSecurity code back to the open-source community.
Probably not too big of a deal, though.
Also, this might be useful: https://owasp.org/www-project-modsecurity-core-rule-set/
Though there has been some critique of ModSecurity and that ruleset in the past, as something dated and with false positives.
Anyone have any good alternatives?
This might be of interest to some: https://www.modsecurity.org/
> Trustwave is announcing the End-of-Life (EOL) of our support for ModSecurity effective July 1, 2024. We will then hand over the maintenance of ModSecurity code back to the open-source community.
Probably not too big of a deal, though.
Also, this might be useful: https://owasp.org/www-project-modsecurity-core-rule-set/
Though there has been some critique of ModSecurity and that ruleset in the past, as something dated and with false positives.
Anyone have any good alternatives?
Couldn't agree more.
I've been loving cloudflare since the very, very, beginning, but a few little red flags the past couple years have me wanting to find an alternative as well.
Thank you for asking this.
I've been loving cloudflare since the very, very, beginning, but a few little red flags the past couple years have me wanting to find an alternative as well.
Thank you for asking this.
Hate to ask if this is obvious, but what are said red flags from the past couple years IYO?
They essentially have MITM capabilities over a significant portion of the web, undermining TLS security. They have a tendency to deny access to normal users using privacy-friendly setups (Tor, without Javascript, etc), and them operating in net loss (implying that the shareholders value growth, i.e. gobbling up even more of the internet infrastructure). Some people are also concerned about their emerging ability as a powerful force for censorship and surveillance, but they seem to have maintained a good stance on free speech so far (not sure about surveillance). Cloudflare threatens the nature of the web as a somewhat decentralized system, although it is not the only one doing that.
They essentially have MITM capabilities over a significant portion of the web, undermining TLS security
Cloudflare is on them edge of your infrastructure. It's not in the middle of your service's infra and the user. It's not undermining TLS security because you are explicitly sharing the decrypted data with cloudflare to let them cache and protect your site.
>They have a tendency to deny access to normal users using privacy-friendly setups (Tor, without Javascript, etc)
To protect yourself against a bad actor you will need to fingerprint them and then imposes restrictions on them. People who are using privacy friendly setups look like they are trying not to be fingerprinted or have a shady fingerprint. By getting rid of a unique fingerprint that Cloudflare can learn to trust you end up always looking suspicious. Cloudflare did develop privacy pass to give these people a better experience when accessing websites protected by Cloudflare.
>and them operating in net loss (implying that the shareholders value growth, i.e. gobbling up even more of the internet infrastructure).
There are many competing CDNs. Most web traffic doesn't even use Cloudflare. There is still plenty of room for Cloudflare to grow.
>Some people are also concerned about their emerging ability as a powerful force for censorship and surveillance
This is a problem in general with internet service providers. ISPs can just decided not to peer with you or just null route your IPs. Cloudflare is less of a problem compared to major consumer facing ISPs.
>Cloudflare threatens the nature of the web as a somewhat decentralized system
So do DDoS attacks. If the small guy can't keep a site online like the big guys can that leads to a less decentralized web.
Cloudflare is on them edge of your infrastructure. It's not in the middle of your service's infra and the user. It's not undermining TLS security because you are explicitly sharing the decrypted data with cloudflare to let them cache and protect your site.
>They have a tendency to deny access to normal users using privacy-friendly setups (Tor, without Javascript, etc)
To protect yourself against a bad actor you will need to fingerprint them and then imposes restrictions on them. People who are using privacy friendly setups look like they are trying not to be fingerprinted or have a shady fingerprint. By getting rid of a unique fingerprint that Cloudflare can learn to trust you end up always looking suspicious. Cloudflare did develop privacy pass to give these people a better experience when accessing websites protected by Cloudflare.
>and them operating in net loss (implying that the shareholders value growth, i.e. gobbling up even more of the internet infrastructure).
There are many competing CDNs. Most web traffic doesn't even use Cloudflare. There is still plenty of room for Cloudflare to grow.
>Some people are also concerned about their emerging ability as a powerful force for censorship and surveillance
This is a problem in general with internet service providers. ISPs can just decided not to peer with you or just null route your IPs. Cloudflare is less of a problem compared to major consumer facing ISPs.
>Cloudflare threatens the nature of the web as a somewhat decentralized system
So do DDoS attacks. If the small guy can't keep a site online like the big guys can that leads to a less decentralized web.
> They essentially have MITM capabilities over a significant portion of the web, undermining TLS security.
There's actually some work being done to make CDNs not able to MITM the origin.
https://web.dev/signed-exchanges/
https://developer.chrome.com/blog/signed-exchanges/
Also, it's pretty common to use cloud X's load balancing service(/serverless product/etc) when hosting on cloud X, thus giving AWS/GoogleCloud/Azure similar MITM capabilities.
There's actually some work being done to make CDNs not able to MITM the origin.
https://web.dev/signed-exchanges/
https://developer.chrome.com/blog/signed-exchanges/
Also, it's pretty common to use cloud X's load balancing service(/serverless product/etc) when hosting on cloud X, thus giving AWS/GoogleCloud/Azure similar MITM capabilities.
As a website owner, pretty much all traffic I see from Tor is malicious. I also block it outright now, it decreased bad traffic by a lot. So I can understand the decision of CF here. The problem is not Cloudflare or Tor, it's the people abusing Tor.
It happens even when you don't use Tor. It gradually creeps up in frequency the more privacy-friendly settings you use. You get stopped on a bunch of websites nowadays forcing you to run their proprietary JavaScript just to identify and track you to ensure you are not a robot.
> websites nowadays forcing you to run their proprietary JavaScript just to identify and track you to ensure you are not a robot.
Well yes, this is a good thing. The vast majority of human-made websites aim at serving humans, not unverified bots.
Well yes, this is a good thing. The vast majority of human-made websites aim at serving humans, not unverified bots.
> they seem to have maintained a good stance on free speech so far
good by who's definition? because there are plenty of people who hate cloudflare for flip flopping on nazi sites and will also heap that hate on just regular SWEs who join cloudflare who dont really have anything to do with those decisions.
good by who's definition? because there are plenty of people who hate cloudflare for flip flopping on nazi sites and will also heap that hate on just regular SWEs who join cloudflare who dont really have anything to do with those decisions.
They’re a backdoor access point for the US government.
Things like CDN and DoS protection: you'll need to operate massive networks and machines distributed around the globe.
Until someone creates a well-thought decentralized CF alternative from the ground up, which solves bad actor, slow and unstable node problems, with clever incentives, et cetera et cetera, we'll be stuck with centralized solutions.
Until someone creates a well-thought decentralized CF alternative from the ground up, which solves bad actor, slow and unstable node problems, with clever incentives, et cetera et cetera, we'll be stuck with centralized solutions.
Decentralized solutions here don't really make sense. CFs entire value proposition is around being close enough to users you can shave something like 20ms off your latency.
P2P is a lot of things, but latency optimized is definitely not it. Things like DHT involve lots of hops, you also can't control the quality of nodes.
P2P is a lot of things, but latency optimized is definitely not it. Things like DHT involve lots of hops, you also can't control the quality of nodes.
This is a unique case where it could make sense... if the value proposition is having a server in every region/city, then a decentralized solution could work. A blockchain is slow and problematic but if you could incentivize "seeders" to be the entire file, you could get that regionalization. It'd never work because you'd need to handle the routing, and you can't practically do that safely. I'd never open my domain to be hosted by a variety of 3rd parties.
The value proposition isn't just a server in every city, but a highly optimized reliable low latency server.
I understand why you thought of blockchain when i said p2p has bad latency. Blockchain of course has latency that is beyond terrible, but that is not what i was thinking of. I was thinking of bit torrent. Bit torrent is amazingly fast for a bulk download once it gets going, but is really slow to get going. Even just figuring out which nodes have your files is unacceptably slow for this usecase with the current distributed technologies (DHT). CDN is all about serving small static files with very low latency. P2P simply involves too many layers of indirection to work for that use case. I also don't see a way around it without centralizing things.
As far as security goes. Its actually not that bad and largely a solved problem using combinations of digital signatures and hashes. (Preventing DoS is a bit trickier although i think there are solutions for that albeit probably ones that prevent using geolocated nodes)
I understand why you thought of blockchain when i said p2p has bad latency. Blockchain of course has latency that is beyond terrible, but that is not what i was thinking of. I was thinking of bit torrent. Bit torrent is amazingly fast for a bulk download once it gets going, but is really slow to get going. Even just figuring out which nodes have your files is unacceptably slow for this usecase with the current distributed technologies (DHT). CDN is all about serving small static files with very low latency. P2P simply involves too many layers of indirection to work for that use case. I also don't see a way around it without centralizing things.
As far as security goes. Its actually not that bad and largely a solved problem using combinations of digital signatures and hashes. (Preventing DoS is a bit trickier although i think there are solutions for that albeit probably ones that prevent using geolocated nodes)
It has some small latency but only when resources are spread across many different infos. If you can constrain your resources to a single DHT traversal, it's pretty quick. I run several services that stream from BitTorrent on demand, using https://github.com/anacrolix/torrent which are surprisingly quick to start. However it does choke up when you try to start many different resources at once, which multiplies horizontally the number of DHT traversals, and per-torrent related overhead to get started.
It is solvable, but any solution that spreads resources out across many different targets in the DHT is slow. Basically anything that was inspired by BitTorrent, but isn't BitTorrent itself does this, because they get overly excited by deduplication of data.
It is solvable, but any solution that spreads resources out across many different targets in the DHT is slow. Basically anything that was inspired by BitTorrent, but isn't BitTorrent itself does this, because they get overly excited by deduplication of data.
Pretty quick is not good enough for this use case. I imagine even a single dht traversal is an order of magnitude too slow.
CDNs try and solve the "speed of light is too slow" problem. To make sense they have to respond to queries faster than a central server would (or a small number of geodistributed servers would). Otherwise the CDN does not bring value.
DHT traversal is usually log(n) in number of nodes. It seems unlikely that will ever be fast enough to compete with just hosting your stuff in one central data center even if your data center is on the opposite side of the earth.
This is a use case where 20ms can determine if the solution makes sense or not.
CDNs try and solve the "speed of light is too slow" problem. To make sense they have to respond to queries faster than a central server would (or a small number of geodistributed servers would). Otherwise the CDN does not bring value.
DHT traversal is usually log(n) in number of nodes. It seems unlikely that will ever be fast enough to compete with just hosting your stuff in one central data center even if your data center is on the opposite side of the earth.
This is a use case where 20ms can determine if the solution makes sense or not.
That's fair. In this instance DHT traversal is equivalent to a really slow DNS lookup. I really don't think you can expect better than 2-3s in the BitTorrent implementation, and 5-10s on average.
For many of the features that Cloudflare provides you need an autonomous system (AS) in order to be able to run border gateway protocol (BGP). That gives control over the routing, so that traffic is met by regional servers and infrastructure. If that sounds costly it's because it is.
You can block and throttle my country with any ol' server like CloudFlare. The tricky part is making sure folks using privacy-oriented setups get dozens of hCAPTCHAs. /s
As others have mentioned your question doesn’t cleanly map to what a “cdn” really is these days. The minimal requirements for even the most basic content distribution cache or NS setup is pretty significant in time and capex. In my experience as much effort goes in to operations and “control plane” management as the “dataplane” software that serves requests.
What I haven’t seen others mention, and is a literal open source CDN, Is Coral CDN. I’m not sure if it’s a going concern anymore, but it was a plausibly useful academic project circa 2005-15. I believe to ubiquity and accessibility of very cheap commercial offerings, and the ratcheting improvements in commercial CDN tech, really put Coral “out of business” by 2013 or so. http://dsrg.pdos.csail.mit.edu/2013/07/18/coralcdn/
Disclosure: principal at AWS, used to work on CloudFront and Route 53. Opinions are my own and do not reflect my employer or any proprietary information.
What I haven’t seen others mention, and is a literal open source CDN, Is Coral CDN. I’m not sure if it’s a going concern anymore, but it was a plausibly useful academic project circa 2005-15. I believe to ubiquity and accessibility of very cheap commercial offerings, and the ratcheting improvements in commercial CDN tech, really put Coral “out of business” by 2013 or so. http://dsrg.pdos.csail.mit.edu/2013/07/18/coralcdn/
Disclosure: principal at AWS, used to work on CloudFront and Route 53. Opinions are my own and do not reflect my employer or any proprietary information.
there are a million of cdn providers(bunny and beluga are among the cheapest). that is not an issue. even though it's not going to be free, at least you will no longer be the product. they are not reverse proxies like CF but changing links on your web is not that complicated.
and every data center has a hardware ddos protection, you don't need a service for that if you use good web or server hosting provider.
cloudflare is not really that special. the reason normal people even know the name CF is because it was free. not because of what it provided.
and after they started censoring, there is no reason to keep using their services. they screwed themselves over by doing that. sooner or later they will stop being normies favourite and become purely corporate service.
and every data center has a hardware ddos protection, you don't need a service for that if you use good web or server hosting provider.
cloudflare is not really that special. the reason normal people even know the name CF is because it was free. not because of what it provided.
and after they started censoring, there is no reason to keep using their services. they screwed themselves over by doing that. sooner or later they will stop being normies favourite and become purely corporate service.
Cloudflare is more a combination of software and distributed networking resources.
you need a lot of tools to replace cloudflare, there is authelia, bind, ngix, traefik.
I dont think you can have any sort of DoS protection if your ISP cuts off your internet if you're beign attacked...
I dont think you can have any sort of DoS protection if your ISP cuts off your internet if you're beign attacked...
To be fair many cloud providers offer some kind of DDoS protection to their customers.
I would focus on the CDN part first and foremost. Maybe read up on CloudFront, Fastly and BunnyCDN. They can all be replacement’s for Cloudflare’s CDN.
The closest thing i can think of is ngnix - if i remember correctly, cloudflare built their business on top of ngnix in early days
“Just” run ngnix on your own servers from different geo locations. ngnix is very versatile, eg, load balancing, rate limiting, rule based firewall, caching…
but one important reason why saas/api/cloud businesses exist is that people don’t want to run their own servers for every project.
“Just” run ngnix on your own servers from different geo locations. ngnix is very versatile, eg, load balancing, rate limiting, rule based firewall, caching…
but one important reason why saas/api/cloud businesses exist is that people don’t want to run their own servers for every project.
Alternatively a company offering similar service as cloudflare but located in a more privacy friendly jurisdiction would also be interesting.
By their nature, CDNs and DDoS mitigation require many endpoints near your traffic sources, in their jurisdictions. Cloudflare would be useless for serving to US users if they weren't willing to cooperate with the USG.
Probably something like IPFS ( https://en.wikipedia.org/wiki/InterPlanetary_File_System ) or BitTorrent. However i do not know if there is a system that would support direct http(s) access.
(D)DoS protection is not a single software, in my mind it's a group of tech and network configuration...It's just that Cloudflare makes it in one click so you look it's easy.
Not ready yet, but the IPVM (inter-planetary virtual machine) similar to IPFS might be a good fit for such use cases in the future
NGINX? You want to self-host DDOS protection?
Cloudflare has a outflow pipe to US gov. Just like the rest of US based services. So if you are doing anything unsocietal as the currents define it then best not to use US based services. You can alternatively use China based cloud offerings as they wont share data with the US gov for obvious reasons.
You can achieve the same protection by knowing your endpoints and infrastructure and then banning anything with an unacceptable delta of traffic difference.(asp vs php, wordpress vulnerability bots, etc) If you have multiple servers you share the ufw firewall lists among them in real time unless you want to ban higher up the stack.
The DOS protection might be harder to emulate. But at that point something is out to specifically get you anyways.
Just wait it out or move to another domain or ip.
You can achieve the same protection by knowing your endpoints and infrastructure and then banning anything with an unacceptable delta of traffic difference.(asp vs php, wordpress vulnerability bots, etc) If you have multiple servers you share the ufw firewall lists among them in real time unless you want to ban higher up the stack.
The DOS protection might be harder to emulate. But at that point something is out to specifically get you anyways.
Just wait it out or move to another domain or ip.
This question is so nonsensical it almost makes me angry...
Cloudflare has become somewhat of a necessary evil. At this point, due to the sheer amount of resources and level of effort required to set up an equivalent infrastructure, they’re effectively a monopoly. Personally, I hate that and I wish the alternative was feasible, but realistically, if you need Cloudflare-level protection, you’re basically stuck with them.
This is just becoming a self-sustaining HN meme. Have you actually ever looked at alternatives in serious depth or is this just an echo chamber?
Any idea how many companies in the Fortune 500 use, say, Akamai Prolexic instead? Or other vendors?
Any idea how many companies in the Fortune 500 use, say, Akamai Prolexic instead? Or other vendors?
> Any idea how many companies in the Fortune 500 use, say, Akamai Prolexic instead? Or other vendors?
Not to mention the big public cloud vendors like AWS, GCP and Azure that have their own CDNs too.
Not to mention the big public cloud vendors like AWS, GCP and Azure that have their own CDNs too.
are they really an "Evil" though?
most solutions which are not federated, eventually give the owning company incentives to not play along further nicely, and become some shade of evil.
Of course evil is in the eye of the beholder, most probably it's just money dynamics and its implications.
Of course evil is in the eye of the beholder, most probably it's just money dynamics and its implications.