[1B05H1N]

I work in application/product security and have managed WAFs for multi-billion dollar companies for many many years.

Move DNS to Cloudflare and put a few WAF rules on your site (managed challenge if bot score less than 2 / attack score == x). I doubt you'll even pay anything, and it will resolve a lot of your problems. Just test it before moving it to production please (maybe setup a test domain). Remember, a WAF is not an end-all be all, it's more of a band-aid. If you app isn't hardened to handle attacks, no amount of advanced WAF/bot protection will save it.

Message/email me if you need help.

[CharlesW]

I was unfamiliar with this, so for anyone who's in a similar position: https://blog.cloudflare.com/waf-for-everyone/

The Free Managed Ruleset appears to be deployed by default, and Cloudflare keeps a changelog here: https://developers.cloudflare.com/waf/change-log

[93n]

Selfhoster here. I use mutual TLS rules with CloudFlare's WAF to filter out everyone but my known-good callers. Works great. Since the only folks with access are my family, it was pretty easy to setup as well (everyone gets a unique cert that I can revoke if need be).

[asabla]

Usually I only manage internal facing applications these days, which makes the attack surface greatly reduced compare to public ones.

But since you seem to have a lot of knowledge in this area. Have you manage solutions which also includes infrastructure in Azure combined with Cloudflare?

And if so, any suggestions on things people usually miss? except for the usual stuff of OWASP and what not

[cloudking]

This works well for standard WordPress sites, throw in GuardGiant and Sucuri plugins for extra layers.

[ozim]

Putting WAF on app and calling it a day is indeed putting lipstick on a pig.

I can imagine that might be needed if some company for some reason has to run some not really up to date stuff but yeah it is just a bandaid.

[418tpot]

[flagged]

[dang]

Can you please not post in the flamewar style? It's not what this site is for, and destroys what it is for.

You're welcome to make your substantive points thoughtfully but it needs to be within the rules. If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.

[chaxor]

Agreed

We should be suggesting self hosted and decentralized solutions to website hosting and file hosting.

On that note, does anyone have any secure methods of providing serving a file from your computer to anyone with a phone/computer that doesn't require them downloading/installing something new? Just a password or something? Magic-wormhole almost seems great, but it requires the client to install wormhole (on a computer, not phone), and then type specific commands along with the password.

Is there a simple `iroh serve myfile.file` from server and then client goes to https://some.domain.iroh/a086c07f862bbe839c928fce8749 and types in a password/ticket you give them?

That would be wonderful.

[albuic]

Sharedrop or p2p sharing site like this one.

[esafak]

You criticize but don't offer suggestions. What do you use instead of Cloudflare?

[redcobra762]

It’s kind of an absurd notion to think the Internet would just allow Cloudflare to make any kind of unilateral decisions like what you suggest.

[NicoJuicy]

> Once Cloudflare starts using attestation to block anyone not on Chrome/iOS Safari it'll be too late to do anything about it.

That's just plain bs...

Eg

1) they have customers and their customers want protection, with minimal downsides.

2) Cloudflare is the only one with support for Tor. I'm 100% sure you didn't knew that.

What "examples" do you have to blame them for something they aren't doing? Based on what?

I'm getting tired of people blaming Cloudflare for providing a service that no one else can provide for free to small website owners => DDOS protection.

[dang]

Could you please stop breaking the site guidelines? You've unfortunately been doing it repeatedly. It's not what this site is for, and destroys what it is for.

You're of course welcome to make your substantive points thoughtfully while staying within the rules.

If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.

[NicoJuicy]

You're correct.

I reiterated over my last comments and they've been snarky lately.

Not an excuse, a lot is going on and overworked and without patience lately.

That shouldn't reflect in my comments and I'll pay more attention to it.

Have a good week.

[dang]

Appreciated!

[pid1wow]

What do you mean? On Tor I get a Cloudflare block just from clicking 2 links on the front page of HN:

http://forums.accessroot.com/index.php?showtopic=4361&st=0

>Please wait while your request is being verified...

I can't remember any day I didn't get a Cloudflare block. Even on bare IP sometimes. WAFs are security theater.

[NicoJuicy]

Site admins can enable onion routing: https://developers.cloudflare.com/network/onion-routing/

Which circumvents the bad reputation of certain exit nodes:

> Due to the behavior of some individuals using the Tor network (spammers, distributors of malware, attackers), the IP addresses of Tor exit nodes may earn a bad reputation, elevating their Cloudflare threat score.

[solumunus]

> Hacker news is so funny, they complain about the amount of power we've allowed Google, Amazon, and Microsoft to have, and then go right around and recommend putting everything behind Cloudflare.

It’s almost as if those saying contradictory things are actually different people despite being on the same website. But it can’t be that, surely? Truly a perplexing phenomenon that I hope someone can one day explain.

[418tpot]

Fair, although I know quite a few people that hold both of these opinions simultaneously because I've met them in person. It's only after I point out their hypocrisy do they even realize what a danger Cloudflare poses to the free and open internet.

I suspect it's because hating on Google is in vogue, and so is recommending Cloudflare.

[BLKNSLVR]

I'm going to try to provide / justify my potentially hypocritical viewpoint:

I use Cloudflare (free tier) in front of the very few and almost entirely unused websites that I run. I believe that the service they provide is useful for protecting the IP addresses of the servers on which the content is hosted, whilst also providing some amount of protection from malicious traffic.

I also agree that centralisation of services is a big problem for the future of the internet.

My position is that, whilst there seem to be increasing voices / examples of Cloudflare's (potential in) acting against the nebulous notion of "spirit of the internet", for me they certainly haven't reached the "evil" stage. I'm also of the understanding that it's Cloudflare customers that choose to block access from Tor or VPS IP address ranges and / or add Captcha's or other bothersome verification. True Cloudflare enable it and make it possible, but the administrators of the website that you're trying to visit have made the choice to make it more difficult for you to access their content; not Cloudflare themselves.

I would prefer there to be similar-scale alternatives to Cloudflare as a kind of a middle-ground decentralisation of centralisation. I'm sure there are alternatives, but I'm not yet motivated enough to even consider starting the research process.

If Cloudflare start selling visitor analytics to data brokers, however, very fast goodbye.

[jopsen]

Given how Cloudflare works I imagine that there are alternative services offering the same thing.

Probably not as cheap. AWS can put a WAF and CDN infront of your site too.

And migrating from one service to another isn't much more work than moving DNS records.

Just saying, it's not the same level of vendor lockin as using dynamodb or whatever.