[throwaway519]

Wasn't Cloudflare supposed to prevent DDOSing?

It seems only a privacy leak tool now.

1000 requests / min @ 10ms limit / request. That's 16 requests per second. Any reasonable CMS, wiki or blogging tool should be able to do one request in 62.5ms. Add on cacheing for non logged in users and nginx serving anything static, that's less than the power a $5 VPS provides.

At these rates, the case for Cloudflare is a lot less than it was.

[kentonv]

Obviously a $5 VPS would give you more raw compute than the Cloudflare Workers free tier.

However:

1. It would run in a single location in the world, whereas Workers (even on the free tier) will run in Cloudflare locations all around the world, close to the end user, reducing latency.

2. If you're going to compare against a $5 VPS, the $5 Workers paid tier is probably a better comparison? It can instantly scale to millions of requests per second.

(Disclosure: I'm the tech lead for Cloudflare Workers.)

[throwaway519]

10 million requests per month for $5 is about 4 requests per second, correct? Which is about 3 orders of magnitude less than nginx serving static html.

As a comparison, that's akin to a person walking 4 km/day vs. flying 4,000 km/day,

It's still not a great comparison as the $5 VPS is already paid for. But to take it as you suggest, I agree it's up to the website owner whether they prefer to have 4km/day workers who can sometimes clone themselves in different parts of the world but only for a limited time until they costmore, or a 4000/day flying suit.

Still a bit apples to oranges.

[elric]

A privacy leak tool, and an annoyance generator. Every time I have to click their silly "prove you're human"-thing I feel a little more dehumanized.

[imiric]

Are you sure you're not a robot?[1]

[1]: https://www.newyorker.com/video/watch/im-not-a-robot

[bryanrasmussen]

Me too!

https://medium.com/the-haven/i-am-worried-about-these-newest...

[tonyhart7]

"Wasn't Cloudflare supposed to prevent DDOSing?"

there a fine line between DDOS from bots and 30k real users accessing your site at the same time

cloudflare do not provide resource for the latter

[93po]

isnt the point of a DDOS being unable to differentiate the traffic and therefore not block it? ideally it would look like organic 30k

[genewitch]

Yes, I have had to block all of Asia before on forums, at verisign. It was more than 30k IPs.

[singularity2001]

don't they offer caching?

[mklepaczewski]

62.5ms for a non-cached request? In my experience that’s really fast response time for a blog even on a dedicated bare-metal server.

[ahofmann]

That is reasonably fast. We wrote entire games in PHP where we aimed for wall time under 100ms. That is a challenge, but often doable. Some routes managed to respond in under 50ms.

[hammyhavoc]

Go on—I'll bite! What did you write?

I spent a colossal amount of my childhood and teens playing browser-based games and have zero regrets!

[ahofmann]

You probably haven't heard of them. We were a German studio, and most of our games only reached a few tens of thousands of players. The biggest hit was Xhodon — it had a bit of a following among World of Warcraft fans. It was a fun time.

[josephg]

Really? Why?

Blog posts don’t change much. Even if your rendering code is horrendously slow (though, why?), you can just cache the resulting html and serve it up with each request. Or slap nginx in front of your web server locally and let that deal with the load. ‘Course you’ll need your http headers set correctly, but you needed that anyway for cloudflare.

Your server has to be pretty badly configured for a personal blog to run out of CPU handling requests.

[mklepaczewski]

Everything you wrote is true, but this is not how it works in practice. Usually, the person running the blog uses WordPress, and doesn't know about caching. They add a few plugins that significantly increase response time and make the response dynamic (for example, CSRF nonces). Add to that some "static" AJAX requests (which usually are POSTs and not cacheable), and it all adds up.

I wouldn't bet on an average dev being able to set up and configure nginx + Cloudflare correctly.

>Course you’ll need your http headers set correctly, but you needed that anyway for cloudflare

Not if you don't use CF to cache "dynamic" content.

[ffsm8]

mklepaczewski was probably talking about end-to-end. I.e. the number you see in the network tab for request duration - whereas the pricing will only care about the time that the application is actually doing something.

That basically means it starts after the connection was established by the proxy (cloudflare) and terminates before the response is delivered to the client.

Doing the whole round trip within 65ms is actually pretty challenging, even if you are requesting over the wire. It would mean you have maybe 10-20 Ms to query data from the database and process them to html or json. Any kind of delay while querying the database is going to ruin that.

If you had a 65ms in the application, you would probably get a round trip average of something above 90, likely closer to 150 then 90.

[josephg]

For a blog? Why is a blog fetching data from a database on every request?

If you cache the response yourself (or use nginx), the server should be responding to queries in <1ms.

[ffsm8]

Sure, but this particular case clearly wasn't using cache, that's why the free tier limit for an application was reached. Hence it's highly likely that each request hit a database.

The message would've been different if it was cached.

https://workers.cloudflare.com/

[kentonv]

Cloudflare Workers run in front of cache -- which is generally useful since it allows you to serve personalized pages while still pulling the content from cache, and since Workers can easily run in <1ms and run on a machine you were already going to pass through anyway (the CDN), it doesn't hurt performance. But it also means that the free tier limit of 100,000 requests per day includes requests that hit cache.

(I'm the tech lead for Workers.)

[ezfe]

This isn’t a performance hug of death, it’s a rate limit one.

[reassess_blind]

Yes, and it does that well. This user has exceeded the 100,000 free workers invocations per day, a different service.