The Faustian Bargain Called Cloudflare
You should probably stop using Cloudflare.
Why?
- Single point of failure
- Limits everywhere: request size, duration, you name it (yes, even on premium)
- You'll never know what actually happens to your requests
- You're handing over way too much information
- One shitty Rust unwrap() can take your whole website down with it
If these reasons aren't enough, keep reading, tough guy.
So why does everyone use Cloudflare?
Because it's stupidly easy. Add a DNS record, enable the proxy, and that's it. Now you've got auto TLS, bot protection, caching, and metrics. But none of these things are hard to set up and manage on your own anymore.
TLS
caddy, traefik, nginx, all of them ship with native ACME support. No certbot, no extra bullshit.
Metrics
Your reverse proxy probably already exports logs and metrics. And if it doesn't, good news, it's usually a one-line config away. And once you do? You'll have way more data than Cloudflare ever gave you. You haven't even seen how many useful Grafana dashboards you can build from your reverse proxy's metrics and logs alone. Go search, you'll be surprised. Request counts, response status codes, detailed response times, TLS expiration dates, and a lot more.
Bot protection
Yeah, you guessed right: CrowdSec. Why?
- Massive shared IP blocklist, fed by basically everyone running it.
- Easy to create your own IP lists or grab existing ones from the internet.
- Open-source and self-hostable, so you can build much more detailed protection rules than Cloudflare's basic rate limiters.
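To make the two points above concrete, here is an added example (written for this post; it is not code from Cloudflare, CrowdSec, or any reverse proxy project). It parses a handful of constructed access-log lines in an assumed nginx "combined" format with request_time appended, computes the request count, status-code breakdown and response-time percentiles a dashboard would show, and then runs a CrowdSec-style threshold scenario over the same lines: any IP that produces five or more 4xx responses inside a 60-second window is flagged. The IPs, paths, thresholds and log format are all assumptions for illustration.

```python
"""Turn reverse-proxy access logs into dashboard metrics and a simple
CrowdSec-style scanner detection. Example code added to this post; not the
code of any proxy, CrowdSec, or Cloudflare."""
import math
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Assumed log format (nginx "combined" with $request_time appended):
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
#   "$http_referer" "$http_user_agent" $request_time
LINE_RE = re.compile(
    r'(?P<ip>\S+) - \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "[^"]*" "(?P<ua>[^"]*)" (?P<rt>[\d.]+)'
)

# Constructed sample traffic (documentation IP ranges, not real clients).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2025:12:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0" 0.012
203.0.113.7 - - [10/May/2025:12:00:02 +0000] "GET /blog HTTP/1.1" 200 8231 "-" "Mozilla/5.0" 0.031
198.51.100.9 - - [10/May/2025:12:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.31" 0.002
198.51.100.9 - - [10/May/2025:12:00:03 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31" 0.002
198.51.100.9 - - [10/May/2025:12:00:04 +0000] "GET /admin HTTP/1.1" 404 153 "-" "python-requests/2.31" 0.002
198.51.100.9 - - [10/May/2025:12:00:04 +0000] "GET /phpmyadmin HTTP/1.1" 404 153 "-" "python-requests/2.31" 0.002
198.51.100.9 - - [10/May/2025:12:00:05 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153 "-" "python-requests/2.31" 0.002
203.0.113.7 - - [10/May/2025:12:00:06 +0000] "POST /api/comment HTTP/1.1" 201 42 "-" "Mozilla/5.0" 0.120
203.0.113.7 - - [10/May/2025:12:00:07 +0000] "GET /missing HTTP/1.1" 404 153 "-" "Mozilla/5.0" 0.003
192.0.2.44 - - [10/May/2025:12:00:08 +0000] "GET /api/report HTTP/1.1" 500 0 "-" "curl/8.0" 1.450
"""


def parse_log(text):
    """Parse log text into a list of dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
            "ua": m["ua"],
            "rt": float(m["rt"]),
        })
    return entries


def percentile(values, p):
    """Nearest-rank percentile (p in (0, 100]); what a latency panel plots."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(entries):
    """The basic dashboard numbers: volume, status breakdown, latency."""
    times = [e["rt"] for e in entries]
    return {
        "requests": len(entries),
        "by_status": Counter(e["status"] for e in entries),
        "server_errors": sum(1 for e in entries if e["status"] >= 500),
        "p50_s": percentile(times, 50),
        "p95_s": percentile(times, 95),
    }


def flag_scanners(entries, threshold=5, window_s=60):
    """CrowdSec-style scenario: an IP with `threshold` or more 4xx responses
    inside any `window_s`-second sliding window is flagged. Returns the
    largest in-window count seen per flagged IP."""
    per_ip = defaultdict(list)
    for e in entries:
        if 400 <= e["status"] < 500:
            per_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        window = deque()
        for t in sorted(stamps):
            window.append(t)
            while (t - window[0]).total_seconds() > window_s:
                window.popleft()
            if len(window) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(window))
    return flagged


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(summarize(parsed))
    print("flagged:", flag_scanners(parsed))
```

The threshold scenario is deliberately naive: a single user fat-fingering a URL produces one 404, not five probes for admin panels in three seconds, so a window-based count separates the two cases without any shared blocklist at all. In a real setup you would feed the flagged IPs to your proxy's bouncer and tune the window and threshold against your own traffic.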
Captcha
Pick an independent captcha provider. Seriously, use different providers for different services. That way you don't end up with a single point of failure, and you can swap any one of them out without your entire infrastructure falling over. It's absolute nonsense that you'd have to find a new captcha provider just because you want to change your DNS provider. Stay away from "everything-apps".
What you end up with
A system that keeps running when your bot protection goes down. Keeps running when your captcha provider has a bad day. Has the exact limits you set, not the ones some company decided for you. And metrics that make Cloudflare's dashboard look like a toy.
"But this is gonna take forever, right?"
Auto TLS? Zero time. It's literally already in your reverse proxy, waiting for you.
Metrics? Okay, yeah, you'll have to set up Grafana or something. But there are already a million ready-made dashboard configs for every major reverse proxy out there (nginx, caddy, traefik, take your pick).
Bot protection and captcha are probably the biggest time sinks in the whole stack. But trust me, it's worth it. Knowing exactly what you're blocking and what you're letting through is genuinely valuable.
So yeah, does all this take more time than just using Cloudflare? Absolutely. We can't beat the one second it takes to click Cloudflare's "enable proxy" button. That's probably what Faust thought too, right before he sold his soul in a second.