May 1, 2012


Using Cloudflare to keep sites fast & secure

Cloudflare is a CDN, site optimizer, and security product all rolled into one. The main feature that is of use to me (and most people, I presume) is the CDN portion, which some have called a “poor man’s Akamai”. Cloudflare sits in front of your website and acts like a caching layer spread out across 14 global edge nodes. This means your site should be “fast” everywhere in the world, rather than just within 3,000 miles of your server. I’ve been using it for a few sites over the last couple of years and so far I’ve had good experiences with the service. It being free (with a premium option) has definitely helped.

The setup of Cloudflare is a little bit more complex than most services because you need to change your DNS. They do, however, make this process about as painless as possible. First you start out by signing up for a new account and then you put in your domain name. At this point you get a nice minute-long tutorial video while Cloudflare reads your existing DNS records. For a service that does not have access to AXFR, it is rather accurate (though I’ve noticed it will leave some records out for more complex domains). You verify that Cloudflare’s DNS has all your records (add/edit/delete as you like) and then you just need to change your name servers to Cloudflare. After that it is just a waiting game.
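
A check for the verification step above, as an added example that is not from the original post: it diffs the records your current DNS host serves against the records the new provider imported, so a dropped MX or SPF record is caught before the name servers change. It assumes both record sets are available as zone-file style text; `example.com`, the record values and the function names are constructed for illustration.

```python
# Constructed sample data in zone-file style: "name ttl IN type rdata".
# CURRENT_ZONE is what the old DNS host serves, IMPORTED_ZONE is what the
# new provider picked up. All names and addresses are placeholders.
CURRENT_ZONE = """\
example.com.      3600 IN A     192.0.2.10
www.example.com.  3600 IN CNAME example.com.
example.com.      3600 IN MX    10 mail.example.com.
mail.example.com. 3600 IN A     192.0.2.25
example.com.      3600 IN TXT   "v=spf1 mx -all"
example.com.      3600 IN NS    ns1.oldhost.example.
"""
IMPORTED_ZONE = """\
example.com.      300 IN A     192.0.2.10
WWW.example.com.  300 IN CNAME example.com
example.com.      300 IN MX    10 mail.example.com.
example.com.      300 IN NS    ns1.newhost.example.
"""
IGNORED_TYPES = {"NS", "SOA"}  # expected to differ after a name server change

def normalize(name, rtype, rdata):
    """Make records comparable: case-fold names, drop trailing dots."""
    name = name.lower().rstrip(".")
    rtype = rtype.upper()
    if rtype != "TXT":  # TXT payloads are case-sensitive, hostnames are not
        rdata = " ".join(tok.lower().rstrip(".") for tok in rdata.split())
    return name, rtype, rdata.strip()

def parse_zone(text):
    """Return a set of (name, type, rdata); TTL and class are ignored."""
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        fields = line.split(None, 4)
        if len(fields) != 5:
            raise ValueError(f"unparsed line: {line!r}")
        name, _ttl, _cls, rtype, rdata = fields
        if rtype.upper() not in IGNORED_TYPES:
            records.add(normalize(name, rtype, rdata))
    return records

def diff_zones(current, imported):
    """Return (missing at new provider, extra at new provider), sorted."""
    cur, imp = parse_zone(current), parse_zone(imported)
    return sorted(cur - imp), sorted(imp - cur)

if __name__ == "__main__":
    missing, extra = diff_zones(CURRENT_ZONE, IMPORTED_ZONE)
    for rec in missing:
        print("MISSING at new provider:", *rec)
```

In the sample data the import dropped the mail host's A record and the SPF TXT record, which would break mail delivery and sender validation after the switch.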

As soon as your domain is up and running with Cloudflare, you’ll notice absolutely no changes… except possibly that your site loads faster. You can at any point begin to tinker with the security and CDN settings. The security comes in “Essentially Off”, “Low”, “Medium”, and “High” — each level getting progressively more paranoid. The default is medium and I’ve never had any issues with that, but if “hits = money” then you might want to turn down the security level. On the other hand some sites I run care more about the security, and we’ve turned up the security to High.

The CDN settings are equally simple; they come in “CDN Only”, “CDN + Basic Optimization”, and “CDN + Full Optimization”. One would think that turning the caching up to the maximum is a Good Thing™, but as with security, there are trade-offs. “CDN Only” is safe: your site runs like it would normally, but from the CDN edge. Once you start adding the optimization you get faster load times through things like minifying scripts and asynchronous loading of JavaScript — all cool features, but they require testing. This is especially true of the asynchronous JavaScript loading, which can trip up some more complicated scripts, WordPress features, WYSIWYG editors, and the like.

Beyond these basic features Cloudflare gives you a lot of cool additional features, though some require you to pay. One of the cool features I’ve seen is their Flexible SSL: just pay for a pro account and they’ll let you turn on SSL, with no certificates or anything else required (great for blocking things like Firesheep, but not 100% secure unless you’ve also done SSL on the route from your site to Cloudflare, since otherwise that leg of the connection is unencrypted). There is also a decent collection of “Apps” that you can install on your site. These apps do everything from inserting Google Analytics automatically to adding ExceptionHub for your JavaScript, Pingdom site monitoring, and even Fight Censorship. The last feature of note is the inclusion of Analytics in Cloudflare itself. It gives you a basic idea of how the site is doing, what sort of traffic you are getting, how many bad people are getting blocked, etc.

As I’ve said, I’ve had a good experience with Cloudflare. I do not currently use it on, but I do run it on a number of my smaller sites and the sites of my clients. I have yet to hear of any complaints from them or their clients. A little research will find a number of people with similar good experiences, some who use it only lightly, and a few not so happy former users. Just googling “Cloudflare review” came up with mostly positive results; I had to go out of my way to find the negative (by googling “Cloudflare sucks”), which is telling to me. No one is ever going to be 100% happy with a service. However, given that the critical features (CDN, Security, and Optimization) are all 100% free, it’s hard to go wrong at least giving it a try.