WebP Cloud Services' Exploration in De-Cloudflaring
这篇文章有简体中文版本,在: WebP Cloud Services 在去 Cloudflare 化上的一点摸索
Vendor lock-in, literally translated as “supplier lock-in,” is translated as “vendor trap” on Wikipedia.
In economics, vendor lock-in, also known as proprietary lock-in or customer lock-in, makes a customer dependent on a vendor for products, unable to use another vendor without substantial switching costs.
Cloudflare’s products are excellent and are often referred to as the “Cyber Buddha.” We also use a lot of Cloudflare’s products and have shared many articles, such as:
- “WebP Cloud uses Cloudflare Workers to fetch content from the origin server in order to protect the origin server and start providing origin fetch time information.”
- “Using Cloudflare Workers at the edge to enable services to source data from nearby locations – reducing global average latency.”
- “WebP Cloud uses Cloudflare Workers to fetch content from the origin server in order to protect the origin server and start providing origin fetch time information.”
However, as our integration with Cloudflare deepens and we see more and more people going all-in on Cloudflare, we have also been considering some “de-Cloudflare” solutions internally, especially after seeing some… not-so-friendly cases, such as:
- Cloudflare took down our website after trying to force us to pay 120k$ within 24h
- Cloudflare took down our website | Hacker News
- Ok, Cloudflare I am leaving | Hacker News
- Small SaaS banned by Cloudflare after 4 years of being paying customer | Hacker News
- Ask HN: Has Cloudflare blocked your domain without explaining what’s going on? | Hacker News
- Tell HN: Don’t Use Cloudflare | Hacker News
Especially as WebP Cloud is a small SaaS service that overlaps with some of Cloudflare’s businesses, we cannot accept long downtimes caused by Cloudflare suddenly cutting us off. We also understand that Cloudflare’s ToS has always been ambiguous about non-Cloudflare-hosted products (e.g., Images/Stream/R2) that serve almost purely image traffic:
Finally, we made it clear that customers can serve video and other large files using the CDN so long as that content is hosted by a Cloudflare service like Stream, Images, or R2.
Video and large files hosted outside of Cloudflare will still be restricted on our CDN
Goodbye, section 2.8 and hello to Cloudflare’s new terms of service
Since our business (which also includes many image hosting services that are not hosted by Cloudflare but use Cloudflare as a CDN) is in this strange gray area, and in an era where everyone is talking about how to “freeload Cloudflare,” we also want to voice some different opinions.
WebP Cloud Services Infra
At WebP Cloud Services, the functionalities we have tied to Cloudflare are as follows:
- NS services (our domains
webp.se,webp.fi,webp.li,webp.ee,webp.sh(wow, we have so manywebpdomains 🤣) - Websites (including but not limited to:
- Blog https://blog.webp.se
- Website https://webp.se
- Public Services website https://public.webp.se
- Documentation sites https://docs.webp.se and https://docs.webp.sh
- WebP Cloud Dashboard https://dashboard.webp.se
- Workers (used for Public Services partition origin and WebP Cloud service origin)
- WAF (with some custom rules we wrote)
- CDN (mainly SSL-managed reverse proxy)
- Custom Domain (WebP Cloud’s business)
NS Services
NS services are actually the most troublesome part because the global announcement of NS records may last at least 48 hours. If Cloudflare suddenly pauses our NS resolution, we need to immediately migrate the NS resolution from the domain registrar to our backup options.
We rehearsed this step with a currently unused domain and kept a complete operation document.
Websites
Currently, our website code is hosted on GitHub. When there are changes to the master branch, Cloudflare Pages automatically pulls the latest commit to build and go live. To prevent Cloudflare Pages from suddenly failing or pausing our service, we added Dockerfile to all website repositories and set up GitHub Actions to automatically build images for each master branch.
For easy management, each of our websites is an independent/complete/stateless image, for example: the image for https://blog.webp.se is ghcr.io/webp-pt/blog.webp.se:latest, and the startup method is very simple, with no external dependencies:
version: '3'
services:
blog:
image: ghcr.io/webp-pt/blog.webp.se:latest
ports:
- "4001:80"
dashboard:
image: ghcr.io/webp-pt/dashboard.webp.se:latest
ports:
- "4002:80"
...
We just need to write the Nginx rules and reverse proxy the corresponding domain to the corresponding service. We have already completed this step and kept a complete operation document. If there is a problem, we just need to modify the DNS records to switch.
CDN & WAF
The difficulty here lies in SSL management and preventing the exposure of the origin server. Since we have a load balancer with a public IP in Hetzner (currently Cloudflare resolves to the load balancer address).
The difficulty here is maintaining a usable SSL certificate. Fortunately, with certbot, we can directly generate certificates while Cloudflare is still providing us with services:
certbot certonly --agree-tos --dns-cloudflare --dns-cloudflare-credentials ./cloudflare.ini -d *.webp.se -d webp.se -d *.webp.li -d webp.li -d *.webp.ee -d webp.ee -d *.webp.fi -d webp.fi --work-dir /root/ssl --logs-dir /root/ssl --config-dir /root/ssl
After obtaining the certificate, we can directly upload it to Hetzner via API (https://docs.hetzner.cloud/#certificates-update-a-certificate).
Although we no longer have the local access provided by Cloudflare CDN, we can still ensure normal service in two availability zones (US and Germany). Of course, access speed for users in Mainland China may slow down.
We rewrote some WAF rules into Nginx rules. We are well aware that this is far less effective than at Cloudflare’s network edge, but it’s better than nothing.
Workers
This is the most troublesome part for us because it is a proprietary Cloudflare product, fitting the definition of vendor-lock-in.
We have investigated some AWS solutions, such as Lambda@Edge, but found them unsatisfactory.
So if Workers are unavailable, our services will change as follows:
Public Services (public Gravatar/GitHub avatar service) will shift from multi-region to US single-region (currently, according to data, the US node usage rate is higher than the German node)
If you are curious about how this service achieves local origin through Workers, feel free to refer to “Using Cloudflare Workers to bring services closer to the edge—reducing global average latency”
WebP Cloud origin will fallback to using commercial VPN origin
Custom Domain
We currently use Cloudflare for SaaS for Custom Domain. We only need to maintain state synchronization between the program and Cloudflare to achieve Custom Domain access (we will share more detailed records in a separate blog post).
If we don’t use this solution, we need to package programs like certbot to generate certificates and provide services for custom domains. We are still in internal PoC for this solution.
The above is a bit of our WebP Cloud Services team’s exploration and documentation on moving away from Cloudflare. We hope it can provide some ideas for those with similar thoughts and offer some inspiration to those who are mindlessly all-in on Cloudflare.
The WebP Cloud Services team is a small team of three individuals from Shanghai and Helsingborg. Since we are not funded and have no profit pressure, we remain committed to doing what we believe is right. We strive to do our best within the scope of our resources and capabilities. We also engage in various activities without affecting the services we provide to the public, and we continuously explore novel ideas in our products.
If you find this service interesting, feel free to log in to the WebP Cloud Dashboard to experience it. If you’re curious about other magical features it offers, take a look at our WebP Cloud Services Docs. We hope everyone enjoys using it!
Discuss on Hacker News