Cloudflare – and the misty Firewalls from the Cloud!

RockmusicRaider - Internet Firewall

I am a sucker. Like many others, too. A sucker for freebies, things promised on the web that will empower you, and – supposedly – your blog that you manage. All those goodies that will take a load off your back, so that you can be more efficient and – for sure – more effective. And they all come completely free of charge.

Well, of course (not). We all know that nothing is ever free. But you still do want to protect your blog from the woes of the internet, because being a blogger is hard work.

And for that, you need some essential services and tools.

Firewalls that (should) protect your website from the many horrors of the mighty web are one of those services that sometimes come in a free version. So, in essence, no script kiddies that float on the mighty waves created by their elders will be allowed entry. Nor the Chinese, Russians and Americans that try to break into your realm to serve their own dark desires.

And let me put in a word for all those firewall tools out there on the web.

No tool that you use will offer 100% protection from hacking. Ever, and despite promises to the contrary. The majority of them do however work reasonably well. And – besides – your security strategy is not just installing a plugin on your site; there’s much more to it. But that would be the subject of another post.

And what’s on offer?

#1 – Things that live on your server.

Services like Wordfence are of that first category. This is direct defense, on your website, built to do battle Ju-Jitsu style. They take no prisoners, and will wrestle your opponents to the ground.

Now, the antagonists will whine endlessly that the tool will take up server resources and eat precious bandwidth. That the battle is fought on your site, and not on a faraway front. That it is weak on DDoS protection, and only as good as your hosting provider.

And so on and so forth.

In all of this may be a grain of truth, but if bandwidth is your worry, then you probably should not run a website. Just saying.

#2 – The offshore warriors.

And here we talk about tools like Sucuri, Cloudflare or Zscaler. They join you from The Cloud. This thing you cannot fathom because you have no idea where their servers live. And for which you must believe what you are told, much as with Facebook, Amazon, and their ilk. The ones that we learned never to believe a word they utter, ever again.

Their credo – however – is indeed powerful.

Off-shore internet and cloud protection, DDoS attacks dealt with directly on their servers. All sinners swiftly undone with a powerful virtual artillery attack, like so many nukes.

The genuine data exchange is then delivered via VPN to your infrastructure. In other words, the bad guys will never reach your company servers. And that is a relief if you are a corporation with big pockets and your own servers. And these firewall providers have big reputations to lose if ever ill should befall one of their customers.

If we can believe all that jazz, that is. And some of them seem to be way more careless with their free (or even paid) versions. Or with their interpretations of what good customer care ought to be.

Here is how Cloudflare enriched our lives lately.

For reasons that must remain unnamed, we decided to install the free version of Cloudflare for our site. So far so good, all this sounds like a neat firewall that should add some more security to what we already employ. They make all the right noises, are seemingly clear with their offerings, and – indeed – do add some small services that come in handy.

So, happiness abounds, right? But, wut?

Lo and behold – one beautiful morning I woke up to this scenario, served up by cPanel. A service I do not knowingly use, but my hosting provider does:

RockmusicRaider - Cloudflare 404 Not Found

The perfect what-the-fuck moment that will ruin your breakfast at the same time. All pages were served in the same manner, with one added little cherry for this particular cake.

The main page said that it did not exist at all. Yikes.

On top of that, the 404 page was not generated by the hosting company we use. But to our relief, we found that the site was not hacked, as far as we could see.

Which only left Cloudflare.

The issue – we found – was the SSL certificate. Cloudflare professes to take care of that automatically with something called Universal SSL. Which, in their interpretation, still depends heavily on your own certificate on your origin server.

Cloudflare forces the use of IPv6 internet addresses by default, with a hidden AAAA record. This is done on purpose because they decided to play with the big boys or something.

Frankly, this is a damn stupid approach for a firewall provider, if you want to gain new customers or avoid pissing off existing ones. Because new customers usually use the free version to try things out. So, annoying them should – obviously – not really be your goal. But – hey – go figure.

This unilateral action means that certificates on servers still running their scripts on IPv4, without adaptation, will neither authenticate nor renew. And, unless you are on an Enterprise plan with Cloudflare, you cannot change this in the user interface. Nor does the AAAA record show up on the DNS page.

Well, actually you can change the setting, but it is far from user-friendly:

  • For the authentication, and only for that, switch the DNS record to ‘DNS only’. This will bypass the proxy and let you authenticate your origin certificate.
    But have a care: this setting means that you lose all the benefits, so you need to change it back to the orange cloud once authentication has happened.
  • You can also do an API call, which is a bit more technical.
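The two-step procedure above (grey-cloud the record, authenticate, switch the orange cloud back on) as a script. This is an added example, not code from the original post or from Cloudflare: it assumes the Cloudflare v4 API endpoints GET and PATCH /zones/{zone_id}/dns_records and an API token with DNS edit rights; `https_send` is the real transport, and `FakeCloudflare` is a constructed stand-in so the flow can be exercised offline.

```python
# Added example (not the post's code): toggle Cloudflare proxying around origin certificate validation.
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"

def https_send(method, url, token, body=None):
    # Real transport: one JSON request to the Cloudflare v4 API with a bearer token.
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

class FakeCloudflare:
    """Offline stand-in holding one constructed A record; logs every call it receives."""
    def __init__(self, proxied=True):
        self.record = {"id": "rec1", "type": "A", "name": "example.com", "proxied": proxied}
        self.calls = []

    def __call__(self, method, url, token, body=None):
        self.calls.append((method, body))
        if method == "PATCH":
            self.record["proxied"] = body["proxied"]
        return {"success": True, "result": [self.record] if method == "GET" else self.record}

def find_a_record(zone_id, name, token, send=https_send):
    """Only the origin A record is stored; the AAAA a proxied host answers with comes from the edge."""
    resp = send("GET", f"{API}/zones/{zone_id}/dns_records?type=A&name={name}", token)
    if not resp.get("success") or not resp["result"]:
        raise RuntimeError(f"no A record for {name}: {resp.get('errors')}")
    return resp["result"][0]

def set_proxied(zone_id, record_id, proxied, token, send=https_send):
    # PATCH only the proxied flag (orange cloud on/off); name, content and TTL stay as they are.
    resp = send("PATCH", f"{API}/zones/{zone_id}/dns_records/{record_id}", token, {"proxied": proxied})
    if not resp.get("success"):
        raise RuntimeError(f"could not set proxied={proxied}: {resp.get('errors')}")
    return resp["result"]["proxied"]

def with_dns_only(zone_id, name, token, validate, send=https_send):
    """Run validate() with the record on 'DNS only', then always re-enable the proxy."""
    rec = find_a_record(zone_id, name, token, send)
    if not rec["proxied"]:
        return validate()          # already grey-clouded, nothing to toggle
    set_proxied(zone_id, rec["id"], False, token, send)
    try:
        return validate()
    finally:                       # runs even if validate() raises: the origin is not left exposed
        set_proxied(zone_id, rec["id"], True, token, send)
```

Pass your own certificate check or renewal hook as `validate`; with the real transport, `zone_id` and the token come from the Cloudflare dashboard.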

So, we have two root causes for the problem.

Issue 1:

The hosting of this site has not yet enabled IPv6. Bear in mind that the standard was only really adopted by mid-2017. So, I reckon that they will do an update in due course to get the new standard running as well.

Issue 2:

Cloudflare tries to force something onto their customers that really should be of no concern to them. IP addresses are a highly technical mystery to many, and no company should hold its customer base hostage for something that is beyond their reach.

But the problem did not end there.

Once we found the root cause and fixed it, we thought that things would be back to normal.

Then this happened:

Cloudflare - Sorry Page

No, the IP address did not change, the site is still on the same server and did not move either. On top of that, the email address does not send anybody to the hosting provider. And how could it? It sends users to the webmaster, meaning back to myself.

This is a bullshit page, either borne out of abject laziness or of a lackadaisical approach to business that I have seldom seen to date. Or – again – other more malicious reasons that don’t even bear contemplating.

The solution?

It turned out that the pages were served from browser cache. So, we had to purge the cache in every browser.

All set then, right?

Not quite. I have no way of knowing how many of my users tried to access the site while it was down. Not only did they get served an unnecessary 404 screen, but on top of this the situation was aggravated by this idiotic ‘Sorry Page’. And these users might not necessarily have the patience to go and check solutions to their problem.

They will most probably never return, and I cannot even blame them.

To conclude…

Any service running its business with a careless attitude puts its own success at high risk. And Cloudflare is just moving down that slippery slope.

To add insult to injury, holding customers hostage to try to get other services to do your bidding is – in politically correct terms – a questionable approach at best. And the reasoning that Apple enforces the IPv6 standard for some of their services, and – thus – you need to do the same, is – well – comparing apples with oranges. And totally misguided.

In reality, such stunts endanger the livelihoods of businesses that depend on the internet to get things done. Not to speak of the devastating effects that such shenanigans will potentially have on your SEO ratings.

From a supplier of a firewall, I expect protection from the dangers of the internet. Nothing more and nothing less, and performed by experts. Becoming one of those dangers is really not an option. And I don’t really care if they have opinions about miscellaneous standards, right or wrong. We all do.

Oh, in case you wondered, we are using Wordfence as our main firewall provider. And we will continue to do so.

Because we just learned that off-shore firewalls cannot be trusted.