Hacking cloudflare

CloudFlare – Bad timing, great service, and a hack discovered

Update: I spent the morning debugging the issues I mentioned below with CloudFlare, and was stunned by two things:

Firstly, the service from CloudFlare was amazing! As I was leaving the service I sent them a note to let them know what had happened. Less than an hour later I got a thoughtful and thorough response. I replied, and while waiting for a reply I dug into the Internet Explorer issue I was seeing.

This was my second shock – I’ll post full details soon, but the short version is – my site was hacked. It was only a coincidence that I noticed it the day I made the switch to CloudFlare, but my site breaking in Internet Explorer was what tipped me off. This likely had something to do with both the lower click through rate for ads, as well as the Russian showing up in my Google ads.

So kudos to CloudFlare for the great customer service (Seriously, I was blown away by the responsive and thoughtful answers!), I’ll give them another try, and post a review that isn’t plagued with the unfortunate coincidence of my site being hacked.

Old thoughts on CloudFlare – Please see update above

There are days when I regret my propensity to try out the latest new service with my production web sites. Yet I still do it. I jumped into EC2 before I’d fully solved the performance issues I was seeing with the Micro instance, and then got too frustrated to continue tinkering and upgraded to the small size instance. And yesterday I tried out CloudFlare – the service is full of tantalizing promise, yet in my very brief experience has some really big problems for any blog running AdSense – that’s just about all blogs, right?

I first stumbled upon CloudFlare when I noticed a new setting in the W3 Total Cache plugin that I use on many of my websites. I could choose to integrate with a service called CloudFlare. Intrigued, I took a look at their website (and somewhat cheesy videos describing what their service does). In a nutshell, when you configure your DNS name servers to point to CloudFlare, it sits between your users and your website, doing a host of interesting things. Firstly it acts like a CDN, caching copies of your website and distributing to edge nodes. For this to work I can only imagine that they regularly update their cache, but I didn’t try the service long enough to find out. It also allows you to see traffic from bots, web crawlers and anywhere else that Google Analytics won’t pick up on because it requires javascript to load. And finally, CloudFlare helps prevent bad traffic from consuming resources by throttling traffic from bots while letting legitimate traffic through.

The CDN functionality itself wasn’t that intriguing for me, since I use Amazon CloudFront with many sites already – but I can see the strong appeal for someone who isn’t already setup with a CDN. It’s WAY easier to setup CloudFlare than CloudFront, in my opinion. What was most interesting for me, was some visibility into traffic coming from non-user sources. I could probably find a tool that did this with my site logs, but … I haven’t really had the time or inclination to go hunting for this set of tools. And CloudFlare seemed like an easy way to try it out.

Boy, was I wrong. Checking on my website stats the next day I noticed two things: The speed hadn’t improved at all according to Google Analytics, and the click through rate for AdSense ads had dropped dramatically. It appears that CloudFlare does something to AdSense ads that removes their contextual relevance and makes Google think the website is Russian – at least the text Google shows in the ad block indicated this when it said ‘Реклама от Google’ instead of ‘Ads by Google’.

Even as promising as the security and performance features appeared, I’m not willing to accept a 50%+ reduction in AdSense revenue for this. And switching back has been an absolute nightmare. Stale DNS entries prevent the page from loading sometimes, and IE seems to have a new, yet to be determined issue that prevents it from correctly rendering half of the page. It also appears that now when I activate the W3 Total Cache plugin I get ‘website temporarily unavailable’ errors – the only thing I can think of is that there are some lingering effects of integrating with CloudFlare from W3 Total Cache. ARG!

While I struggle to understand the IE issue, the biggest lesson I learnt from all of this – Set a short TTL on your domain name servers before changing them. Today as I was returning everything back to how it was it took hours for the DNS changes to propagate. This can be decidedly frustrating when trying to debug issues.

So all in all – CloudFlare was an interesting experiment, but proceed with caution if you use AdSense on your website.