Author Topic: Hosted Reverse Proxies (Cloudflare and the like)  (Read 8802 times)

ergophobe

Hosted Reverse Proxies (Cloudflare and the like)
« on: January 29, 2013, 01:03:38 AM »
Just curious if people here are using hosted reverse proxies for anything (as opposed to local RPs like Varnish and Squid).

I've been putting some small, low-traffic sites on Cloudflare and Incapsula and trying to get a high-traffic client to consider Yottaa. I wonder what experiences people have had if any and what pitfalls or successes you've had with hosted reverse proxy services.

As for me, just using the free level or trials at Cloudflare and Incapsula, here's my take

Cloudflare

Pros
  • Super easy to use - five minute setup
  • Works with "naked" domains - i.e. without www
  • excellent DNS management. I had been using Moniker's nameservers and they have a crap interface and they also only allow a few tags (A, CNAME, MX, TXT) whereas Cloudflare is pleasant to use and has every tag I've wanted
  • Geo-distributed Anycast DNS
  • geo-distributed CDN
  • bot/spammer filtering - cuts down on bandwidth

Cons
  • No idea how many false positives on the spammer blocking. You can adjust the settings and more or less turn it off. People IDed as spammers/threats get a warning screen asking them to send a msg to the webmaster, but realistically, who is going to do that?
  • Not everyone is going to want to let Cloudflare manage their DNS

Incapsula

Pros
  • Better stats than Cloudflare, but still no way to measure false positives
  • Same firewall/filtering advantages as Cloudflare

Cons
  • Can only manage CNAME records, so effectively it can't do anything for you if you serve your site from a naked domain and, if you try it, it will kind of jack your site (fortunately, the test site only earns about $50/month or, rather, zero during the Incapsula test!)
  • Just not as simple and easy as Cloudflare.

Yottaa

Pros
  • Pretty much everything that Cloudflare offers and then some
  • Technically competent staff a phone call away
  • Next gen optimization compared to Cloudflare - Yottaa will do things like inline small images in CSS with Base64 encoding, resize and cache images for various viewport sizes for responsive sites, tunable minification of JS and CSS etc

Cons
  • Premium pricing

I'll be curious if the client has the budget for Yottaa (about $200/month) and decides to try it, it will be interesting to see what kind of speed up they can get. There may be other services out there like Yottaa, but I haven't seen anyone with quite their level of custom optimization and willingness to tune a site over time.

bill

Re: Hosted Reverse Proxies (Cloudflare and the like)
« Reply #1 on: January 29, 2013, 05:43:31 AM »
No experience to relate but I am interested to hear of others' experiences because I'm pretty sure I'm going to need this soon.

ergophobe what's your reason for running the reverse proxy? Load balancing? The CDN function? 

ergophobe

Re: Hosted Reverse Proxies (Cloudflare and the like)
« Reply #2 on: January 29, 2013, 04:52:13 PM »
My primary reason for the sites I've used it on is testing.

The site that I'm testing *for* right now has plenty of server capacity, but some slow response times in foreign locales, so it would be the CDN aspect and the bandwidth optimization for front-end speed that would be primarily attractive.

That said, having tested on low-traffic sites that have no real need of the load balancing per se, I do like Cloudflare.

Like I say, it's the easiest DNS management interface I've used and since it's on the proxy itself, the TTL is under five minutes.

The reverse proxy is also really easy to use if you remember it's there - I was troubleshooting a page layout issue and it took me 20 minutes to realize that it wasn't changing because it was serving a cached version. That in itself was a good test - it was basically transparent. But it's easy to flush the cache, flush a file or tell Cloudflare to bypass the reverse proxy and serve your site uncached.

And then there's the firewall, and this gets to the nub of my question. What I like is that comment spam goes way down. I have it set to "low" meaning only to block the absolute worst offenders (overwhelmingly Chinese IPs). But I do wonder if legit visitors are getting caught in that trap. It has happened to me on one occasion that I was presented with a Cloudflare challenge page.

Oh, one other "con" I forgot to mention in my top post is that if you want PCI compliance, you need two certs for every domain - one for the Cloudflare IP for that domain and one for the main server. So managing your SSL certs becomes a bit more complex. If you want basic SSL for admin login areas you need to bump up to a "pro" plan ($20/mo for the first site, $5/site thereafter), though I suppose you could set up a CNAME like secure.example.com that would not be managed by CF. I'm not sure how that would work... should work though.

At that point it's a tough call. Let's say you're running five small sites on an underpowered VPS. Now you're looking at $40/month for Cloudflare. If you put that money toward your VPS...

 - at VPSLatch it takes you from 1GB to 4GB of memory
 - at Digital Ocean it takes you from 4GB/2 cores to 8GB/4 cores

So I think it works best for
 - sites that have modest traffic and can live without SSL
 - sites that really need the "Railgun" optimization and all that
« Last Edit: January 29, 2013, 05:31:50 PM by ergophobe »

ergophobe

Re: Hosted Reverse Proxies (Cloudflare and the like)
« Reply #3 on: January 29, 2013, 05:15:18 PM »
two more screenshots...

though really, just take a low-value site and put it on CF

Rooftop

Re: Hosted Reverse Proxies (Cloudflare and the like)
« Reply #4 on: January 29, 2013, 05:57:46 PM »
We're using Cloudflare on a couple of projects. Best results are on a 1.3 million pages/month site. The big win for us was in it providing a very fast and easy way to reduce both bandwidth consumption and most importantly server load.

This particular site is a bit old and rather poorly put together. Traffic was reaching a point where the poorly written code (some of which was close to 10 years old) was causing queries to pile up and slow things down.  Cloudflare let us lift that load in 5 minutes, which was a great win (although we've spent a bit more time tweaking that set-up since).   Long term this isn't the correct solution for this project, but it's working well at the moment.

Not aware of any issues with false positives, but probably wouldn't be.


ergophobe

Re: Hosted Reverse Proxies (Cloudflare and the like)
« Reply #5 on: January 29, 2013, 06:47:48 PM »
Quote
Long term this isn't the correct solution for this project, but it's working well at the moment.

Meaning that the correct solution is to fix the site at the origin? Or did you mean something else (specifically that ideally you would want to be off Cloudflare entirely and if so why)?

>>false positives

I would think with the volume you're doing you would at least have gotten the occasional message from someone filling out the "contact the webmaster" form. As you can see from my screenshots, my volume is low - 32K legit page views/mo and 28K blocked (I have a few sites on there, so maybe, 100K page views total) so I'm not sure I would have gotten any messages.

The number of false positives can't be that high, since I think even at those numbers I would still see it in analytics if I lost 20% of the traffic.

bill

Re: Hosted Reverse Proxies (Cloudflare and the like)
« Reply #6 on: January 30, 2013, 06:35:07 AM »
I just put CloudFlare on an old website that hasn't been updated in years, but has an open web form that attracts spam. I've taken Akismet off the form. Let's see what CloudFlare does.


Rooftop

Re: Hosted Reverse Proxies (Cloudflare and the like)
« Reply #7 on: January 30, 2013, 09:10:34 AM »
Yes. The right longer term solution is to rewrite the site, but that won't be cheap. If we do that though we'll probably still use cloudflare.

Hard to look at analytics for positives as we're generally up at the moment by quite a bit anyway.

ergophobe

Re: Hosted Reverse Proxies (Cloudflare and the like)
« Reply #8 on: January 31, 2013, 02:53:13 AM »
I'm debating throwing off the CPanel training wheels, but for the moment, my hosting is all on CPanel which means no IPv6, so I thought I'd enable the Cloudflare IPv6 option... we'll see what, if anything, happens.

I'm not sure there's any advantage to ipv6 right now, but thought it would be good to see how Cloudflare's option worked - so far it tests out fine (meaning services that test ipv6 compatibility tell me everything is A-OK)

Rooftop

Re: Hosted Reverse Proxies (Cloudflare and the like)
« Reply #9 on: January 31, 2013, 05:15:39 PM »
Our site is a cpanel site.  Not having any issues.

ergophobe

Re: Hosted Reverse Proxies (Cloudflare and the like)
« Reply #10 on: January 31, 2013, 07:58:58 PM »
Quote
Our site is a cpanel site. Not having any issues.

You mean with Cloudflare ipv6? You shouldn't be having issues with that. The impetus behind the Cloudflare ipv6 was in fact to allow people who have ipv4 servers to offer ipv6.

But CPanel/WHM itself is not ipv6-ready. They promised it for 2012, but didn't make it. Now they say it's a priority for 2013, but say

Quote
Support for IPv6 is prioritized for delivery during 2013. Adding support for this protocol requires making fundamental changes to cPanel & WHM.

src: http://features.cpanel.net/responses/as-a-server-administrator-i-want-ipv6-support-so-that-i-can-deal-with-the-limited-allocation-of-ipv4-address#comment-2252

Anyway, the other limitations of CPanel are things like you can't really upgrade OpenSSL and CPanel is stuck on a version that does not allow SNI (multiple SSL/TLS certs on a single IP)

bill

Re: Hosted Reverse Proxies (Cloudflare and the like)
« Reply #11 on: February 01, 2013, 06:38:17 AM »
I need to wait a few more days for stats to accumulate, but it feels a lot quicker with CloudFlare on there. It didn't mess up my e-mail, SPF records or anything else.

bill

Cloudflare hiccup
« Reply #12 on: March 04, 2013, 04:19:40 AM »
CloudFlare was doing a pretty good job of keeping my forms free of spam comments...until March 1. My host moved my account to a new server as a part of planned maintenance, but just prior to the move the old server crashed and they restored an old copy of my sites. I'm not clear whether it was the site move or the recent CloudFlare issues, but I'm getting spam comments again, and I can't seem to stop them even with an update of my CloudFlare security settings to High.

bill

Re: Hosted Reverse Proxies (Cloudflare and the like)
« Reply #13 on: March 15, 2013, 04:20:16 AM »
I had to kill CloudFlare.
It was showing my site as offline and serving up a cached version to visitors, although every other site on my account on the same server was up, and I could use curl to see the site. I went thru CloudFlare's help and checked with my host whether any CloudFlare IPs were blocked, and that came up negative. So I ended my experiment.

Overall the stats showed a lot of rejected traffic. However, I wasn't sure real visitors were getting through consistently. Then all of this trouble started with e-mail not getting through (even though it wasn't going through CloudFlare's service) and then the complete access shutdown for more than a day had me reconsidering this service. I don't know if I'd consider them for a real site.
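
The check mentioned in the post above, whether any of the proxy's IPs are blocked at the origin, can be done by comparing the host's deny list against the provider's published ranges. This is an added example, not part of the original post: the proxy ranges are documentation-space placeholders and the deny list is constructed sample data, so substitute the provider's current published list and the real firewall export.

```python
import ipaddress

# Placeholder proxy ranges (documentation address space, constructed).
# Replace with the ranges your proxy provider currently publishes.
PROXY_RANGES = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8:100::/40"]

# Constructed deny-list export: single IPs, CIDR blocks, comments, junk.
DENY_LIST = """
# abusive scanner
203.0.113.77
198.51.100.0/25     # added by brute-force plugin
192.0.2.14
2001:db8:1ff::/48
10.0.0.0/8
not-an-ip
"""

def parse_entries(text):
    """Yield (raw, network) per entry; network is None if unparsable."""
    for line in text.splitlines():
        raw = line.split("#", 1)[0].strip()   # drop trailing comments
        if not raw:
            continue
        try:
            # strict=False accepts entries with host bits set (e.g. 1.2.3.4/24)
            yield raw, ipaddress.ip_network(raw, strict=False)
        except ValueError:
            yield raw, None

def blocked_proxy_ranges(deny_text, proxy_ranges):
    """Return (conflicts, unparsable); conflicts are (deny_entry, proxy_range)."""
    proxies = [ipaddress.ip_network(r) for r in proxy_ranges]
    conflicts, unparsable = [], []
    for raw, net in parse_entries(deny_text):
        if net is None:
            unparsable.append(raw)
            continue
        for p in proxies:
            # A deny entry matters if it covers any part of a proxy range.
            if net.version == p.version and net.overlaps(p):
                conflicts.append((raw, str(p)))
    return conflicts, unparsable

if __name__ == "__main__":
    conflicts, unparsable = blocked_proxy_ranges(DENY_LIST, PROXY_RANGES)
    for entry, rng in conflicts:
        print(f"deny entry {entry} blocks part of proxy range {rng}")
    for entry in unparsable:
        print(f"could not parse deny entry: {entry}")
```

Any reported conflict means the origin firewall drops at least some proxy traffic, which can make the proxy report the site as offline while direct requests still succeed.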

ergophobe

Re: Hosted Reverse Proxies (Cloudflare and the like)
« Reply #14 on: March 15, 2013, 04:51:00 PM »
Thanks Bill. That's useful. I haven't had anything like that. Strangely, I've been getting a lot of Webmaster Tools "site not accessible" errors for a site that is not on Cloudflare, but a site on the same hosting account that is using Cloudflare is doing fine.

Honestly, though, I've been too busy since March 1 to even look at the stats on any of these sites, so... I should probably do that now.